Vulnerabilities related to quarkus - quarkus
cve-2021-20289
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=1935927 | x_refsource_MISC | |
https://www.oracle.com/security-alerts/cpuapr2022.html | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T17:37:23.769Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1935927", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "resteasy", vendor: "n/a", versions: [ { status: "affected", version: "resteasy 3.11.5.Final, resteasy 3.15.2.Final, resteasy 4.5.10.Final, resteasy 4.6.1.Final, resteasy 4.6.2.Final", }, ], }, ], descriptions: [ { lang: "en", value: "A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-209", description: "CWE-209", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-04-19T23:23:45", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1935927", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2021-20289", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "resteasy", version: { version_data: [ { version_value: "resteasy 3.11.5.Final, resteasy 3.15.2.Final, resteasy 4.5.10.Final, resteasy 4.6.1.Final, resteasy 4.6.2.Final", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: 
"4.0", description: { description_data: [ { lang: "eng", value: "A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-209", }, ], }, ], }, references: { reference_data: [ { name: "https://bugzilla.redhat.com/show_bug.cgi?id=1935927", refsource: "MISC", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1935927", }, { name: "https://www.oracle.com/security-alerts/cpuapr2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2021-20289", datePublished: "2021-03-26T16:28:44", dateReserved: "2020-12-17T00:00:00", dateUpdated: "2024-08-03T17:37:23.769Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-42004
Vulnerability from cvelistv5
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T12:56:39.182Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/FasterXML/jackson-databind/issues/3582", }, { tags: [ "x_transferred", ], url: "https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88", }, { tags: [ "x_transferred", ], url: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490", }, { name: "GLSA-202210-21", tags: [ "vendor-advisory", "x_transferred", ], url: "https://security.gentoo.org/glsa/202210-21", }, { name: "DSA-5283", tags: [ "vendor-advisory", "x_transferred", ], url: "https://www.debian.org/security/2022/dsa-5283", }, { tags: [ "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20221118-0008/", }, { name: "[debian-lts-announce] 20221127 [SECURITY] [DLA 3207-1] jackson-databind security update", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. 
An application is vulnerable only with certain customized choices for deserialization.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-11-27T00:00:00", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { url: "https://github.com/FasterXML/jackson-databind/issues/3582", }, { url: "https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88", }, { url: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490", }, { name: "GLSA-202210-21", tags: [ "vendor-advisory", ], url: "https://security.gentoo.org/glsa/202210-21", }, { name: "DSA-5283", tags: [ "vendor-advisory", ], url: "https://www.debian.org/security/2022/dsa-5283", }, { url: "https://security.netapp.com/advisory/ntap-20221118-0008/", }, { name: "[debian-lts-announce] 20221127 [SECURITY] [DLA 3207-1] jackson-databind security update", tags: [ "mailing-list", ], url: "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html", }, ], }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2022-42004", datePublished: "2022-10-02T00:00:00", dateReserved: "2022-10-02T00:00:00", dateUpdated: "2024-08-03T12:56:39.182Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-5720
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://access.redhat.com/security/cve/CVE-2023-5720 | vdb-entry, x_refsource_REDHAT | |
https://bugzilla.redhat.com/show_bug.cgi?id=2245700 | issue-tracking, x_refsource_REDHAT |
Vendor | Product | Version | ||
---|---|---|---|---|
n/a | gradle-plugin |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T08:07:32.620Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vdb-entry", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2023-5720", }, { name: "RHBZ#2245700", tags: [ "issue-tracking", "x_refsource_REDHAT", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2245700", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "affected", product: "gradle-plugin", vendor: "n/a", }, ], credits: [ { lang: "en", value: "Red Hat would like to thank The Gradle Engineering Team for reporting this issue.", }, ], datePublic: "2023-11-08T00:00:00+00:00", descriptions: [ { lang: "en", value: "A flaw was found in Quarkus, where it does not properly sanitize artifacts created using the Gradle plugin, allowing certain build system information to remain. This flaw allows an attacker to access potentially sensitive information from the build system within the application.", }, ], metrics: [ { other: { content: { namespace: "https://access.redhat.com/security/updates/classification/", value: "Important", }, type: "Red Hat severity rating", }, }, { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", version: "3.1", }, format: "CVSS", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-526", description: "Cleartext Storage of Sensitive Information in an Environment Variable", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-01-23T01:30:30.953Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "vdb-entry", "x_refsource_REDHAT", ], url: 
"https://access.redhat.com/security/cve/CVE-2023-5720", }, { name: "RHBZ#2245700", tags: [ "issue-tracking", "x_refsource_REDHAT", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2245700", }, ], timeline: [ { lang: "en", time: "2023-10-23T00:00:00+00:00", value: "Reported to Red Hat.", }, { lang: "en", time: "2023-11-08T00:00:00+00:00", value: "Made public.", }, ], title: "Quarkus: build env information disclosure via gradle plugin", x_redhatCweChain: "CWE-526: Cleartext Storage of Sensitive Information in an Environment Variable", }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2023-5720", datePublished: "2023-11-15T13:57:52.295Z", dateReserved: "2023-10-23T16:39:58.066Z", dateUpdated: "2024-08-02T08:07:32.620Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-3642
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=1981407 | x_refsource_MISC |
Vendor | Product | Version | ||
---|---|---|---|---|
n/a | wildfly-elytron |
Version: Wildfly Elytron 1.10.14.Final, Wildfly Elytron 1.15.5.Final, Wildfly Elytron 1.16.1.Final |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T17:01:07.598Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1981407", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "wildfly-elytron", vendor: "n/a", versions: [ { status: "affected", version: "Wildfly Elytron 1.10.14.Final, Wildfly Elytron 1.15.5.Final, Wildfly Elytron 1.16.1.Final", }, ], }, ], descriptions: [ { lang: "en", value: "A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-203", description: "CWE-203", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-08-30T17:37:38", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1981407", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2021-3642", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "wildfly-elytron", version: { version_data: [ { version_value: "Wildfly Elytron 1.10.14.Final, Wildfly Elytron 1.15.5.Final, Wildfly Elytron 1.16.1.Final", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. 
The highest threat of this vulnerability is confidentiality.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-203", }, ], }, ], }, references: { reference_data: [ { name: "https://bugzilla.redhat.com/show_bug.cgi?id=1981407", refsource: "MISC", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1981407", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2021-3642", datePublished: "2021-08-05T20:48:01", dateReserved: "2021-07-12T00:00:00", dateUpdated: "2024-08-03T17:01:07.598Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-8908
Vulnerability from cvelistv5
Vendor | Product | Version | ||
---|---|---|---|---|
Google LLC | Guava |
Version: 1.0 < 32.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T10:12:10.998Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/google/guava/issues/4011", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/google/guava/commit/fec0dbc4634006a6162cfd4d0d09c962073ddf40", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415", }, { name: "[ws-commits] 20210104 [ws-wss4j] branch master updated: Updating Guava to 30.1 due to CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r68d86f4b06c808204f62bcb254fcb5b0432528ee8d37a07ef4bc8222%40%3Ccommits.ws.apache.org%3E", }, { name: "[ws-commits] 20210104 [ws-wss4j] branch 2_3_x-fixes updated: Updating Guava to 30.1 due to CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r215b3d50f56faeb2f9383505f3e62faa9f549bb23e8a9848b78a968e%40%3Ccommits.ws.apache.org%3E", }, { name: "[cxf-commits] 20210104 [cxf] 03/04: Updating Guava to 30.1 due to CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rb8c0f1b7589864396690fe42a91a71dea9412e86eec66dc85bbacaaf%40%3Ccommits.cxf.apache.org%3E", }, { name: "[cxf-commits] 20210104 [cxf] 02/02: Updating Guava to 30.1 due to CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r4776f62dfae4a0006658542f43034a7fc199350e35a66d4e18164ee6%40%3Ccommits.cxf.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99d2bc9106510e00ff3%40%3Ctorque-dev.db.apache.org%3E", }, { name: "[maven-issues] 20210122 [GitHub] [maven-indexer] 
akurtakov opened a new pull request #75: Remove guava dependency from indexer-core", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba%40%3Cissues.maven.apache.org%3E", }, { name: "[db-torque-dev] 20210127 Re: Items for our (delayed) quarterly report to the board?", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rc2dbc4633a6eea1fcbce6831876cfa17b73759a98c65326d1896cb1a%40%3Ctorque-dev.db.apache.org%3E", }, { name: "[db-torque-dev] 20210128 Antwort: Re: Items for our (delayed) quarterly report to the board?", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rd5d58088812cf8e677d99b07f73c654014c524c94e7fedbdee047604%40%3Ctorque-dev.db.apache.org%3E", }, { name: "[pulsar-commits] 20210406 [GitHub] [pulsar] lhotari opened a new pull request #10149: Upgrade jclouds to 2.3.0 to fix security vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748%40%3Ccommits.pulsar.apache.org%3E", }, { name: "[myfaces-dev] 20210506 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #817: build: CVE fix", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594%40%3Cdev.myfaces.apache.org%3E", }, { name: "[arrow-github] 20210610 [GitHub] [arrow] projjal opened a new pull request #10501: ARROW-13032: Update guava version", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95%40%3Cgithub.arrow.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: 
"https://www.oracle.com/security-alerts/cpuApr2021.html", }, { name: "[drill-dev] 20210618 [GitHub] [drill] ssainz edited a comment on issue #2260: CVE-2020-8908 in Guava v.28.2-jre, should upgrade to v.30.1.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r2fe45d96eea8434b91592ca08109118f6308d60f6d0e21d52438cfb4%40%3Cdev.drill.apache.org%3E", }, { name: "[drill-dev] 20210618 [GitHub] [drill] ssainz commented on issue #2260: CVE-2020-8908 in Guava v.28.2-jre, should upgrade to v.30.1.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r07ed3e4417ad043a27bee7bb33322e9bfc7d7e6d1719b8e3dfd95c14%40%3Cdev.drill.apache.org%3E", }, { name: "[drill-dev] 20210618 [GitHub] [drill] cgivre commented on issue #2260: CVE-2020-8908 in Guava v.28.2-jre, should upgrade to v.30.1.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r6874dfe26eefc41b7c9a5e4a0487846fc4accf8c78ff948b24a1104a%40%3Cdev.drill.apache.org%3E", }, { name: "[drill-dev] 20210619 [GitHub] [drill] luocooong commented on issue #2260: CVE-2020-8908 in Guava v.28.2-jre, should upgrade to v.30.1.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r161b87f8037bbaff400194a63cd2016c9a69f5949f06dcc79beeab54%40%3Cdev.drill.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "[hadoop-yarn-issues] 20211018 [jira] [Updated] (YARN-10980) fix CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ra7ab308481ee729f998691e8e3e02e93b1dedfc98f6b1cd3d86923b3%40%3Cyarn-issues.hadoop.apache.org%3E", }, { name: "[hadoop-yarn-dev] 20211018 [jira] [Created] (YARN-10980) fix CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", 
"x_transferred", ], url: "https://lists.apache.org/thread.html/rf00b688ffa620c990597f829ff85fdbba8bf73ee7bfb34783e1f0d4e%40%3Cyarn-dev.hadoop.apache.org%3E", }, { name: "[hadoop-common-issues] 20211018 [GitHub] [hadoop] lujiefsi opened a new pull request #3561: Yarn 10980", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r58a8775205ab1839dba43054b09a9ab3b25b423a4170b2413c4067ac%40%3Ccommon-issues.hadoop.apache.org%3E", }, { name: "[hadoop-yarn-issues] 20211018 [jira] [Created] (YARN-10980) fix CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/re120f6b3d2f8222121080342c5801fdafca2f5188ceeb3b49c8a1d27%40%3Cyarn-issues.hadoop.apache.org%3E", }, { name: "[hadoop-yarn-dev] 20211018 [jira] [Resolved] (YARN-10980) fix CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r49549a8322f62cd3acfa4490d25bfba0be04f3f9ff4d14fe36199d27%40%3Cyarn-dev.hadoop.apache.org%3E", }, { name: "[hive-dev] 20211018 [jira] [Created] (HIVE-25617) fix CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rcafc3a637d82bdc9a24036b2ddcad1e519dd0e6f848fcc3d606fd78f%40%3Cdev.hive.apache.org%3E", }, { name: "[hadoop-common-issues] 20211018 [GitHub] [hadoop] lujiefsi edited a comment on pull request #3561: YARN-10980:fix CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r007add131977f4f576c232b25e024249a3d16f66aad14a4b52819d21%40%3Ccommon-issues.hadoop.apache.org%3E", }, { name: "[geode-issues] 20211018 [jira] [Updated] (GEODE-9744) fix CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/reebbd63c25bc1a946caa419cec2be78079f8449d1af48e52d47c9e85%40%3Cissues.geode.apache.org%3E", }, { name: 
"[hive-issues] 20211018 [jira] [Updated] (HIVE-25617) fix CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r79e47ed555bdb1180e528420a7a2bb898541367a29a3bc6bbf0baf2c%40%3Cissues.hive.apache.org%3E", }, { name: "[hive-issues] 20211018 [jira] [Work logged] (HIVE-25617) fix CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rd2704306ec729ccac726e50339b8a8f079515cc29ccb77713b16e7c5%40%3Cissues.hive.apache.org%3E", }, { name: "[hadoop-yarn-issues] 20211018 [jira] [Comment Edited] (YARN-10980) fix CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r5d61b98ceb7bba939a651de5900dbd67be3817db6bfcc41c6e04e199%40%3Cyarn-issues.hadoop.apache.org%3E", }, { name: "[hadoop-yarn-issues] 20211018 [jira] [Resolved] (YARN-10980) fix CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r7b0e81d8367264d6cad98766a469d64d11248eb654417809bfdacf09%40%3Cyarn-issues.hadoop.apache.org%3E", }, { name: "[hive-gitbox] 20211018 [GitHub] [hive] lujiefsi opened a new pull request #2725: HIVE-25617:fix CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rb2364f4cf4d274eab5a7ecfaf64bf575cedf8b0173551997c749d322%40%3Cgitbox.hive.apache.org%3E", }, { name: "[hadoop-yarn-issues] 20211018 [jira] [Commented] (YARN-10980) fix CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r294be9d31c0312d2c0837087204b5d4bf49d0552890e6eec716fa6a6%40%3Cyarn-issues.hadoop.apache.org%3E", }, { name: "[geode-issues] 20211018 [jira] [Created] (GEODE-9744) fix CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: 
"https://lists.apache.org/thread.html/rf9f0fa84b8ae1a285f0210bafec6de2a9eba083007d04640b82aa625%40%3Cissues.geode.apache.org%3E", }, { name: "[geode-issues] 20211018 [jira] [Updated] (GEODE-9744) bug like CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r5b3d93dfdfb7708e796e8762ab40edbde8ff8add48aba53e5ea26f44%40%3Cissues.geode.apache.org%3E", }, { name: "[geode-issues] 20211018 [jira] [Updated] (GEODE-9744) bug CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r3dd8881de891598d622227e9840dd7c2ef1d08abbb49e9690c7ae1bc%40%3Cissues.geode.apache.org%3E", }, { name: "[geode-issues] 20211018 [jira] [Updated] (GEODE-9744) like CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rc607bc52f3507b8b9c28c6a747c3122f51ac24afe80af2a670785b97%40%3Cissues.geode.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "[pig-dev] 20211021 [GitHub] [pig] lujiefsi opened a new pull request #36: PIG-5417:Replace guava's Files.createTempDir()", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rd7e12d56d49d73e2b8549694974b07561b79b05455f7f781954231bf%40%3Cdev.pig.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20220210-0003/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Guava", vendor: "Google LLC", versions: [ { lessThan: "32.0", status: "affected", version: "1.0", 
versionType: "custom", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Jonathan Leitschuh", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.</p>", }, ], value: "A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). 
For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 3.3, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-378", description: "CWE-378: Creation of Temporary File With Insecure Permissions", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-06-06T09:48:41.702Z", orgId: "14ed7db2-1595-443d-9d34-6215bf890778", shortName: "Google", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/google/guava/issues/4011", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/google/guava/commit/fec0dbc4634006a6162cfd4d0d09c962073ddf40", }, { tags: [ "x_refsource_MISC", ], url: "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415", }, { name: "[ws-commits] 20210104 [ws-wss4j] branch master updated: Updating Guava to 30.1 due to CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r68d86f4b06c808204f62bcb254fcb5b0432528ee8d37a07ef4bc8222%40%3Ccommits.ws.apache.org%3E", }, { name: "[ws-commits] 20210104 [ws-wss4j] branch 2_3_x-fixes updated: Updating Guava to 30.1 due to CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r215b3d50f56faeb2f9383505f3e62faa9f549bb23e8a9848b78a968e%40%3Ccommits.ws.apache.org%3E", }, { name: "[cxf-commits] 20210104 [cxf] 03/04: 
Updating Guava to 30.1 due to CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rb8c0f1b7589864396690fe42a91a71dea9412e86eec66dc85bbacaaf%40%3Ccommits.cxf.apache.org%3E", }, { name: "[cxf-commits] 20210104 [cxf] 02/02: Updating Guava to 30.1 due to CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r4776f62dfae4a0006658542f43034a7fc199350e35a66d4e18164ee6%40%3Ccommits.cxf.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99d2bc9106510e00ff3%40%3Ctorque-dev.db.apache.org%3E", }, { name: "[maven-issues] 20210122 [GitHub] [maven-indexer] akurtakov opened a new pull request #75: Remove guava dependency from indexer-core", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba%40%3Cissues.maven.apache.org%3E", }, { name: "[db-torque-dev] 20210127 Re: Items for our (delayed) quarterly report to the board?", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rc2dbc4633a6eea1fcbce6831876cfa17b73759a98c65326d1896cb1a%40%3Ctorque-dev.db.apache.org%3E", }, { name: "[db-torque-dev] 20210128 Antwort: Re: Items for our (delayed) quarterly report to the board?", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rd5d58088812cf8e677d99b07f73c654014c524c94e7fedbdee047604%40%3Ctorque-dev.db.apache.org%3E", }, { name: "[pulsar-commits] 20210406 [GitHub] [pulsar] lhotari opened a new pull request #10149: Upgrade jclouds to 2.3.0 to fix security vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748%40%3Ccommits.pulsar.apache.org%3E", }, { name: "[myfaces-dev] 20210506 [GitHub] [myfaces-tobago] lofwyr14 opened a 
new pull request #817: build: CVE fix", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594%40%3Cdev.myfaces.apache.org%3E", }, { name: "[arrow-github] 20210610 [GitHub] [arrow] projjal opened a new pull request #10501: ARROW-13032: Update guava version", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95%40%3Cgithub.arrow.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { name: "[drill-dev] 20210618 [GitHub] [drill] ssainz edited a comment on issue #2260: CVE-2020-8908 in Guava v.28.2-jre, should upgrade to v.30.1.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r2fe45d96eea8434b91592ca08109118f6308d60f6d0e21d52438cfb4%40%3Cdev.drill.apache.org%3E", }, { name: "[drill-dev] 20210618 [GitHub] [drill] ssainz commented on issue #2260: CVE-2020-8908 in Guava v.28.2-jre, should upgrade to v.30.1.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r07ed3e4417ad043a27bee7bb33322e9bfc7d7e6d1719b8e3dfd95c14%40%3Cdev.drill.apache.org%3E", }, { name: "[drill-dev] 20210618 [GitHub] [drill] cgivre commented on issue #2260: CVE-2020-8908 in Guava v.28.2-jre, should upgrade to v.30.1.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r6874dfe26eefc41b7c9a5e4a0487846fc4accf8c78ff948b24a1104a%40%3Cdev.drill.apache.org%3E", }, { name: "[drill-dev] 20210619 [GitHub] [drill] luocooong commented on issue #2260: CVE-2020-8908 in Guava v.28.2-jre, should upgrade to v.30.1.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r161b87f8037bbaff400194a63cd2016c9a69f5949f06dcc79beeab54%40%3Cdev.drill.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: 
"https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "[hadoop-yarn-issues] 20211018 [jira] [Updated] (YARN-10980) fix CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ra7ab308481ee729f998691e8e3e02e93b1dedfc98f6b1cd3d86923b3%40%3Cyarn-issues.hadoop.apache.org%3E", }, { name: "[hadoop-yarn-dev] 20211018 [jira] [Created] (YARN-10980) fix CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rf00b688ffa620c990597f829ff85fdbba8bf73ee7bfb34783e1f0d4e%40%3Cyarn-dev.hadoop.apache.org%3E", }, { name: "[hadoop-common-issues] 20211018 [GitHub] [hadoop] lujiefsi opened a new pull request #3561: Yarn 10980", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r58a8775205ab1839dba43054b09a9ab3b25b423a4170b2413c4067ac%40%3Ccommon-issues.hadoop.apache.org%3E", }, { name: "[hadoop-yarn-issues] 20211018 [jira] [Created] (YARN-10980) fix CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/re120f6b3d2f8222121080342c5801fdafca2f5188ceeb3b49c8a1d27%40%3Cyarn-issues.hadoop.apache.org%3E", }, { name: "[hadoop-yarn-dev] 20211018 [jira] [Resolved] (YARN-10980) fix CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r49549a8322f62cd3acfa4490d25bfba0be04f3f9ff4d14fe36199d27%40%3Cyarn-dev.hadoop.apache.org%3E", }, { name: "[hive-dev] 20211018 [jira] [Created] (HIVE-25617) fix CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rcafc3a637d82bdc9a24036b2ddcad1e519dd0e6f848fcc3d606fd78f%40%3Cdev.hive.apache.org%3E", }, { name: "[hadoop-common-issues] 20211018 [GitHub] [hadoop] lujiefsi edited a comment on pull request #3561: YARN-10980:fix CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/r007add131977f4f576c232b25e024249a3d16f66aad14a4b52819d21%40%3Ccommon-issues.hadoop.apache.org%3E", }, { name: "[geode-issues] 20211018 [jira] [Updated] (GEODE-9744) fix CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/reebbd63c25bc1a946caa419cec2be78079f8449d1af48e52d47c9e85%40%3Cissues.geode.apache.org%3E", }, { name: "[hive-issues] 20211018 [jira] [Updated] (HIVE-25617) fix CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r79e47ed555bdb1180e528420a7a2bb898541367a29a3bc6bbf0baf2c%40%3Cissues.hive.apache.org%3E", }, { name: "[hive-issues] 20211018 [jira] [Work logged] (HIVE-25617) fix CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rd2704306ec729ccac726e50339b8a8f079515cc29ccb77713b16e7c5%40%3Cissues.hive.apache.org%3E", }, { name: "[hadoop-yarn-issues] 20211018 [jira] [Comment Edited] (YARN-10980) fix CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r5d61b98ceb7bba939a651de5900dbd67be3817db6bfcc41c6e04e199%40%3Cyarn-issues.hadoop.apache.org%3E", }, { name: "[hadoop-yarn-issues] 20211018 [jira] [Resolved] (YARN-10980) fix CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r7b0e81d8367264d6cad98766a469d64d11248eb654417809bfdacf09%40%3Cyarn-issues.hadoop.apache.org%3E", }, { name: "[hive-gitbox] 20211018 [GitHub] [hive] lujiefsi opened a new pull request #2725: HIVE-25617:fix CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rb2364f4cf4d274eab5a7ecfaf64bf575cedf8b0173551997c749d322%40%3Cgitbox.hive.apache.org%3E", }, { name: "[hadoop-yarn-issues] 20211018 [jira] [Commented] (YARN-10980) fix CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/r294be9d31c0312d2c0837087204b5d4bf49d0552890e6eec716fa6a6%40%3Cyarn-issues.hadoop.apache.org%3E", }, { name: "[geode-issues] 20211018 [jira] [Created] (GEODE-9744) fix CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rf9f0fa84b8ae1a285f0210bafec6de2a9eba083007d04640b82aa625%40%3Cissues.geode.apache.org%3E", }, { name: "[geode-issues] 20211018 [jira] [Updated] (GEODE-9744) bug like CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r5b3d93dfdfb7708e796e8762ab40edbde8ff8add48aba53e5ea26f44%40%3Cissues.geode.apache.org%3E", }, { name: "[geode-issues] 20211018 [jira] [Updated] (GEODE-9744) bug CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r3dd8881de891598d622227e9840dd7c2ef1d08abbb49e9690c7ae1bc%40%3Cissues.geode.apache.org%3E", }, { name: "[geode-issues] 20211018 [jira] [Updated] (GEODE-9744) like CVE-2020-8908", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rc607bc52f3507b8b9c28c6a747c3122f51ac24afe80af2a670785b97%40%3Cissues.geode.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "[pig-dev] 20211021 [GitHub] [pig] lujiefsi opened a new pull request #36: PIG-5417:Replace guava's Files.createTempDir()", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rd7e12d56d49d73e2b8549694974b07561b79b05455f7f781954231bf%40%3Cdev.pig.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20220210-0003/", }, ], source: { discovery: "EXTERNAL", }, title: "Temp directory 
permission issue in Guava", x_generator: { engine: "Vulnogram 0.1.0-dev", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@google.com", ID: "CVE-2020-8908", STATE: "PUBLIC", TITLE: "Temp directory permission issue in Guava", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Guava", version: { version_data: [ { version_affected: ">", version_name: "stable", version_value: "9.09.15", }, ], }, }, ], }, vendor_name: "Google LLC", }, ], }, }, credit: [ { lang: "eng", value: "Jonathan Leitschuh", }, ], data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). 
For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.", }, ], }, impact: { cvss: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 3.3, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-378: Creation of Temporary File With Insecure Permissions", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/google/guava/issues/4011", refsource: "CONFIRM", url: "https://github.com/google/guava/issues/4011", }, { name: "https://github.com/google/guava/commit/fec0dbc4634006a6162cfd4d0d09c962073ddf40", refsource: "CONFIRM", url: "https://github.com/google/guava/commit/fec0dbc4634006a6162cfd4d0d09c962073ddf40", }, { name: "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415", refsource: "MISC", url: "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415", }, { name: "[ws-commits] 20210104 [ws-wss4j] branch master updated: Updating Guava to 30.1 due to CVE-2020-8908", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r68d86f4b06c808204f62bcb254fcb5b0432528ee8d37a07ef4bc8222@%3Ccommits.ws.apache.org%3E", }, { name: "[ws-commits] 20210104 [ws-wss4j] branch 2_3_x-fixes updated: Updating Guava to 30.1 due to CVE-2020-8908", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r215b3d50f56faeb2f9383505f3e62faa9f549bb23e8a9848b78a968e@%3Ccommits.ws.apache.org%3E", }, { name: "[cxf-commits] 20210104 [cxf] 03/04: Updating Guava to 30.1 due to CVE-2020-8908", refsource: "MLIST", url: 
"https://lists.apache.org/thread.html/rb8c0f1b7589864396690fe42a91a71dea9412e86eec66dc85bbacaaf@%3Ccommits.cxf.apache.org%3E", }, { name: "[cxf-commits] 20210104 [cxf] 02/02: Updating Guava to 30.1 due to CVE-2020-8908", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r4776f62dfae4a0006658542f43034a7fc199350e35a66d4e18164ee6@%3Ccommits.cxf.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99d2bc9106510e00ff3@%3Ctorque-dev.db.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99d2bc9106510e00ff3@%3Ctorque-dev.db.apache.org%3E", }, { name: "[maven-issues] 20210122 [GitHub] [maven-indexer] akurtakov opened a new pull request #75: Remove guava dependency from indexer-core", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba@%3Cissues.maven.apache.org%3E", }, { name: "[db-torque-dev] 20210127 Re: Items for our (delayed) quarterly report to the board?", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rc2dbc4633a6eea1fcbce6831876cfa17b73759a98c65326d1896cb1a@%3Ctorque-dev.db.apache.org%3E", }, { name: "[db-torque-dev] 20210128 Antwort: Re: Items for our (delayed) quarterly report to the board?", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rd5d58088812cf8e677d99b07f73c654014c524c94e7fedbdee047604@%3Ctorque-dev.db.apache.org%3E", }, { name: "[pulsar-commits] 20210406 [GitHub] [pulsar] lhotari opened a new pull request #10149: Upgrade jclouds to 2.3.0 to fix security vulnerabilities", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748@%3Ccommits.pulsar.apache.org%3E", }, { name: "[myfaces-dev] 20210506 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #817: build: CVE fix", refsource: "MLIST", url: 
"https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594@%3Cdev.myfaces.apache.org%3E", }, { name: "[arrow-github] 20210610 [GitHub] [arrow] projjal opened a new pull request #10501: ARROW-13032: Update guava version", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95@%3Cgithub.arrow.apache.org%3E", }, { name: "https://www.oracle.com/security-alerts/cpuApr2021.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { name: "[drill-dev] 20210618 [GitHub] [drill] ssainz edited a comment on issue #2260: CVE-2020-8908 in Guava v.28.2-jre, should upgrade to v.30.1.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r2fe45d96eea8434b91592ca08109118f6308d60f6d0e21d52438cfb4@%3Cdev.drill.apache.org%3E", }, { name: "[drill-dev] 20210618 [GitHub] [drill] ssainz commented on issue #2260: CVE-2020-8908 in Guava v.28.2-jre, should upgrade to v.30.1.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r07ed3e4417ad043a27bee7bb33322e9bfc7d7e6d1719b8e3dfd95c14@%3Cdev.drill.apache.org%3E", }, { name: "[drill-dev] 20210618 [GitHub] [drill] cgivre commented on issue #2260: CVE-2020-8908 in Guava v.28.2-jre, should upgrade to v.30.1.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r6874dfe26eefc41b7c9a5e4a0487846fc4accf8c78ff948b24a1104a@%3Cdev.drill.apache.org%3E", }, { name: "[drill-dev] 20210619 [GitHub] [drill] luocooong commented on issue #2260: CVE-2020-8908 in Guava v.28.2-jre, should upgrade to v.30.1.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r161b87f8037bbaff400194a63cd2016c9a69f5949f06dcc79beeab54@%3Cdev.drill.apache.org%3E", }, { name: "https://www.oracle.com//security-alerts/cpujul2021.html", refsource: "MISC", url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "[hadoop-yarn-issues] 20211018 [jira] [Updated] (YARN-10980) fix 
CVE-2020-8908", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ra7ab308481ee729f998691e8e3e02e93b1dedfc98f6b1cd3d86923b3@%3Cyarn-issues.hadoop.apache.org%3E", }, { name: "[hadoop-yarn-dev] 20211018 [jira] [Created] (YARN-10980) fix CVE-2020-8908", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rf00b688ffa620c990597f829ff85fdbba8bf73ee7bfb34783e1f0d4e@%3Cyarn-dev.hadoop.apache.org%3E", }, { name: "[hadoop-common-issues] 20211018 [GitHub] [hadoop] lujiefsi opened a new pull request #3561: Yarn 10980", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r58a8775205ab1839dba43054b09a9ab3b25b423a4170b2413c4067ac@%3Ccommon-issues.hadoop.apache.org%3E", }, { name: "[hadoop-yarn-issues] 20211018 [jira] [Created] (YARN-10980) fix CVE-2020-8908", refsource: "MLIST", url: "https://lists.apache.org/thread.html/re120f6b3d2f8222121080342c5801fdafca2f5188ceeb3b49c8a1d27@%3Cyarn-issues.hadoop.apache.org%3E", }, { name: "[hadoop-yarn-dev] 20211018 [jira] [Resolved] (YARN-10980) fix CVE-2020-8908", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r49549a8322f62cd3acfa4490d25bfba0be04f3f9ff4d14fe36199d27@%3Cyarn-dev.hadoop.apache.org%3E", }, { name: "[hive-dev] 20211018 [jira] [Created] (HIVE-25617) fix CVE-2020-8908", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rcafc3a637d82bdc9a24036b2ddcad1e519dd0e6f848fcc3d606fd78f@%3Cdev.hive.apache.org%3E", }, { name: "[hadoop-common-issues] 20211018 [GitHub] [hadoop] lujiefsi edited a comment on pull request #3561: YARN-10980:fix CVE-2020-8908", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r007add131977f4f576c232b25e024249a3d16f66aad14a4b52819d21@%3Ccommon-issues.hadoop.apache.org%3E", }, { name: "[geode-issues] 20211018 [jira] [Updated] (GEODE-9744) fix CVE-2020-8908", refsource: "MLIST", url: "https://lists.apache.org/thread.html/reebbd63c25bc1a946caa419cec2be78079f8449d1af48e52d47c9e85@%3Cissues.geode.apache.org%3E", }, { name: "[hive-issues] 
20211018 [jira] [Updated] (HIVE-25617) fix CVE-2020-8908", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r79e47ed555bdb1180e528420a7a2bb898541367a29a3bc6bbf0baf2c@%3Cissues.hive.apache.org%3E", }, { name: "[hive-issues] 20211018 [jira] [Work logged] (HIVE-25617) fix CVE-2020-8908", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rd2704306ec729ccac726e50339b8a8f079515cc29ccb77713b16e7c5@%3Cissues.hive.apache.org%3E", }, { name: "[hadoop-yarn-issues] 20211018 [jira] [Comment Edited] (YARN-10980) fix CVE-2020-8908", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r5d61b98ceb7bba939a651de5900dbd67be3817db6bfcc41c6e04e199@%3Cyarn-issues.hadoop.apache.org%3E", }, { name: "[hadoop-yarn-issues] 20211018 [jira] [Resolved] (YARN-10980) fix CVE-2020-8908", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r7b0e81d8367264d6cad98766a469d64d11248eb654417809bfdacf09@%3Cyarn-issues.hadoop.apache.org%3E", }, { name: "[hive-gitbox] 20211018 [GitHub] [hive] lujiefsi opened a new pull request #2725: HIVE-25617:fix CVE-2020-8908", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rb2364f4cf4d274eab5a7ecfaf64bf575cedf8b0173551997c749d322@%3Cgitbox.hive.apache.org%3E", }, { name: "[hadoop-yarn-issues] 20211018 [jira] [Commented] (YARN-10980) fix CVE-2020-8908", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r294be9d31c0312d2c0837087204b5d4bf49d0552890e6eec716fa6a6@%3Cyarn-issues.hadoop.apache.org%3E", }, { name: "[geode-issues] 20211018 [jira] [Created] (GEODE-9744) fix CVE-2020-8908", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rf9f0fa84b8ae1a285f0210bafec6de2a9eba083007d04640b82aa625@%3Cissues.geode.apache.org%3E", }, { name: "[geode-issues] 20211018 [jira] [Updated] (GEODE-9744) bug like CVE-2020-8908", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r5b3d93dfdfb7708e796e8762ab40edbde8ff8add48aba53e5ea26f44@%3Cissues.geode.apache.org%3E", }, { name: 
"[geode-issues] 20211018 [jira] [Updated] (GEODE-9744) bug CVE-2020-8908", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r3dd8881de891598d622227e9840dd7c2ef1d08abbb49e9690c7ae1bc@%3Cissues.geode.apache.org%3E", }, { name: "[geode-issues] 20211018 [jira] [Updated] (GEODE-9744) like CVE-2020-8908", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rc607bc52f3507b8b9c28c6a747c3122f51ac24afe80af2a670785b97@%3Cissues.geode.apache.org%3E", }, { name: "https://www.oracle.com/security-alerts/cpuoct2021.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "[pig-dev] 20211021 [GitHub] [pig] lujiefsi opened a new pull request #36: PIG-5417:Replace guava's Files.createTempDir()", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rd7e12d56d49d73e2b8549694974b07561b79b05455f7f781954231bf@%3Cdev.pig.apache.org%3E", }, { name: "https://www.oracle.com/security-alerts/cpujan2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { name: "https://www.oracle.com/security-alerts/cpuapr2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { name: "https://security.netapp.com/advisory/ntap-20220210-0003/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20220210-0003/", }, ], }, source: { discovery: "EXTERNAL", }, }, }, }, cveMetadata: { assignerOrgId: "14ed7db2-1595-443d-9d34-6215bf890778", assignerShortName: "Google", cveId: "CVE-2020-8908", datePublished: "2020-12-10T22:10:58", dateReserved: "2020-02-12T00:00:00", dateUpdated: "2024-08-04T10:12:10.998Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-0481
Vulnerability from cvelistv5
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T05:10:56.412Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/quarkusio/quarkus/pull/30694", }, ], title: "CVE Program Container", }, { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 3.3, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, }, { other: { content: { id: "CVE-2023-0481", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-12T15:28:42.818579Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-12T15:29:16.755Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "Quarkus", vendor: "n/a", versions: [ { status: "affected", version: "Fixed in 2.16.1", }, ], }, ], descriptions: [ { lang: "en", value: "In RestEasy Reactive implementation of Quarkus the insecure File.createTempFile() is used in the FileBodyHandler class which creates temp files with insecure permissions that could be read by a local user.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-378", description: "CWE-378", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-02-24T00:00:00.000Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { url: "https://github.com/quarkusio/quarkus/pull/30694", }, ], }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2023-0481", datePublished: "2023-02-24T00:00:00.000Z", dateReserved: "2023-01-24T00:00:00.000Z", 
dateUpdated: "2025-03-12T15:29:16.755Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-1584
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://access.redhat.com/errata/RHSA-2023:3809 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2023:7653 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/security/cve/CVE-2023-1584 | vdb-entry, x_refsource_REDHAT | |
https://bugzilla.redhat.com/show_bug.cgi?id=2180886 | issue-tracking, x_refsource_REDHAT | |
https://github.com/quarkusio/quarkus/pull/32192 | ||
https://github.com/quarkusio/quarkus/pull/33414 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T05:57:23.278Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2023:3809", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:3809", }, { name: "RHSA-2023:7653", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:7653", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2023-1584", }, { name: "RHBZ#2180886", tags: [ "issue-tracking", "x_refsource_REDHAT", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180886", }, { tags: [ "x_transferred", ], url: "https://github.com/quarkusio/quarkus/pull/32192", }, { tags: [ "x_transferred", ], url: "https://github.com/quarkusio/quarkus/pull/33414", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { collectionURL: "https://mvnrepository.com/artifact/io.quarkus", packageName: "quarkus-oidc", versions: [ { status: "unaffected", version: "3.1.0.CR1", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:quarkus:2.13", ], defaultStatus: "affected", packageName: "io.quarkus/quarkus-oidc", product: "Red Hat build of Quarkus 2.13.8.Final", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "2.13.8.Final-redhat-00004", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:service_registry:2.5", ], defaultStatus: "unaffected", packageName: "quarkus-oidc", product: "RHINT Service Registry 2.5.4 GA", vendor: "Red Hat", }, ], credits: [ { lang: "en", value: "This issue was discovered by Paulo Lopes (Red Hat).", }, ], datePublic: "2023-03-22T00:00:00+00:00", descriptions: [ { lang: "en", value: "A flaw was found in Quarkus. 
Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provider services. Please note that passwords are not stored in access tokens.", }, ], metrics: [ { other: { content: { namespace: "https://access.redhat.com/security/updates/classification/", value: "Low", }, type: "Red Hat severity rating", }, }, { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, format: "CVSS", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-200", description: "Exposure of Sensitive Information to an Unauthorized Actor", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-05-03T15:32:34.371Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2023:3809", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:3809", }, { name: "RHSA-2023:7653", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:7653", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", ], url: "https://access.redhat.com/security/cve/CVE-2023-1584", }, { name: "RHBZ#2180886", tags: [ "issue-tracking", "x_refsource_REDHAT", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180886", }, { url: "https://github.com/quarkusio/quarkus/pull/32192", }, { url: "https://github.com/quarkusio/quarkus/pull/33414", }, ], timeline: [ { lang: "en", time: "2023-03-22T00:00:00+00:00", value: "Reported to Red Hat.", }, { lang: "en", time: "2023-03-22T00:00:00+00:00", value: "Made public.", 
}, ], title: "Quarkus-oidc: id and access tokens leak via the authorization code flow", x_redhatCweChain: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2023-1584", datePublished: "2023-10-04T10:47:37.831Z", dateReserved: "2023-03-22T20:15:15.323Z", dateUpdated: "2024-08-02T05:57:23.278Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-0044
Vulnerability from cvelistv5
Vendor | Product | Version | ||
---|---|---|---|---|
n/a | quarkus-vertx-http |
Version: 1.11.7 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:54:32.575Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2023-0044", }, { tags: [ "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2158081", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-0044", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-12T14:32:02.975305Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-12T14:32:14.395Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "quarkus-vertx-http", vendor: "n/a", versions: [ { status: "affected", version: "1.11.7", }, ], }, ], descriptions: [ { lang: "en", value: "If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature.", }, ], problemTypes: [ { descriptions: [ { description: "cross-site attack", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2023-02-23T00:00:00.000Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { url: "https://access.redhat.com/security/cve/CVE-2023-0044", }, { url: "https://bugzilla.redhat.com/show_bug.cgi?id=2158081", }, ], }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2023-0044", datePublished: "2023-02-23T00:00:00.000Z", dateReserved: "2023-01-04T00:00:00.000Z", dateUpdated: "2025-03-12T14:32:14.395Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-28491
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329 | x_refsource_MISC | |
https://github.com/FasterXML/jackson-dataformats-binary/issues/186 | x_refsource_MISC | |
https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6 | x_refsource_MISC | |
https://www.oracle.com/security-alerts/cpujul2022.html | x_refsource_MISC |
Vendor | Product | Version | ||
---|---|---|---|---|
n/a | com.fasterxml.jackson.dataformat:jackson-dataformat-cbor |
Version: 0 < unspecified Version: unspecified < 2.11.4 Version: 2.12.0-rc1 < unspecified Version: unspecified < 2.12.1 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T16:40:58.646Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/FasterXML/jackson-dataformats-binary/issues/186", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "com.fasterxml.jackson.dataformat:jackson-dataformat-cbor", vendor: "n/a", versions: [ { lessThan: "unspecified", status: "affected", version: "0", versionType: "custom", }, { lessThan: "2.11.4", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "2.12.0-rc1", versionType: "custom", }, { lessThan: "2.12.1", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], credits: [ { lang: "en", value: "cowtowncoder", }, ], datePublic: "2021-02-18T00:00:00", descriptions: [ { lang: "en", value: "This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. 
Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { description: "Denial of Service (DoS)", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-07-25T16:17:12", orgId: "bae035ff-b466-4ff4-94d0-fc9efd9e1730", shortName: "snyk", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/FasterXML/jackson-dataformats-binary/issues/186", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, ], title: "Denial of Service (DoS)", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "report@snyk.io", DATE_PUBLIC: "2021-02-18T15:46:36.779241Z", ID: "CVE-2020-28491", STATE: "PUBLIC", TITLE: "Denial of Service (DoS)", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "com.fasterxml.jackson.dataformat:jackson-dataformat-cbor", version: { version_data: [ { version_affected: ">=", version_value: "0", }, { version_affected: "<", version_value: "2.11.4", }, { version_affected: ">=", version_value: "2.12.0-rc1", }, { version_affected: "<", version_value: "2.12.1", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, credit: [ { lang: "eng", value: "cowtowncoder", }, ], data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: 
"This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.", }, ], }, impact: { cvss: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Denial of Service (DoS)", }, ], }, ], }, references: { reference_data: [ { name: "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329", refsource: "MISC", url: "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329", }, { name: "https://github.com/FasterXML/jackson-dataformats-binary/issues/186", refsource: "MISC", url: "https://github.com/FasterXML/jackson-dataformats-binary/issues/186", }, { name: "https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6", refsource: "MISC", url: "https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6", }, { name: "https://www.oracle.com/security-alerts/cpujul2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "bae035ff-b466-4ff4-94d0-fc9efd9e1730", assignerShortName: "snyk", cveId: "CVE-2020-28491", datePublished: "2021-02-18T15:50:15.260223Z", dateReserved: "2020-11-12T00:00:00", dateUpdated: "2024-09-16T20:16:27.638Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-10693
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E | mailing-list, x_refsource_MLIST | |
https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E | mailing-list, x_refsource_MLIST | |
https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E | mailing-list, x_refsource_MLIST | |
https://www.oracle.com/security-alerts/cpuapr2022.html | x_refsource_MISC | |
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10693 | x_refsource_CONFIRM |
Vendor | Product | Version | ||
---|---|---|---|---|
Hibernate | hibernate-validator |
Version: 6.1.2.Final |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T11:06:11.169Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E", }, { name: "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E", }, { name: "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-791 Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10693", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "hibernate-validator", vendor: "Hibernate", versions: [ { status: "affected", version: "6.1.2.Final", }, ], }, ], descriptions: [ { lang: "en", value: "A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. 
This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-20", description: "CWE-20", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-04-19T23:20:51", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E", }, { name: "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E", }, { name: "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-791 Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { tags: [ "x_refsource_CONFIRM", ], url: 
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10693", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2020-10693", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "hibernate-validator", version: { version_data: [ { version_value: "6.1.2.Final", }, ], }, }, ], }, vendor_name: "Hibernate", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.", }, ], }, impact: { cvss: [ [ { vectorString: "5.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.0", }, ], ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-20", }, ], }, ], }, references: { reference_data: [ { name: "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a@%3Cpluto-dev.portals.apache.org%3E", }, { name: "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c@%3Cpluto-dev.portals.apache.org%3E", }, { name: "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-791 Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219", refsource: "MLIST", url: 
"https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4@%3Cpluto-scm.portals.apache.org%3E", }, { name: "https://www.oracle.com/security-alerts/cpuapr2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { name: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10693", refsource: "CONFIRM", url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10693", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2020-10693", datePublished: "2020-05-06T13:03:33", dateReserved: "2020-03-20T00:00:00", dateUpdated: "2024-08-04T11:06:11.169Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-25724
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=1899354 | x_refsource_MISC | |
https://security.netapp.com/advisory/ntap-20210702-0003/ | x_refsource_CONFIRM |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T15:40:36.746Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1899354", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20210702-0003/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "resteasy", vendor: "n/a", versions: [ { status: "affected", version: "resteasy 2.0.0.Alpha3", }, ], }, ], descriptions: [ { lang: "en", value: "A flaw was found in RESTEasy, where an incorrect response to an HTTP request is provided. This flaw allows an attacker to gain access to privileged information. The highest threat from this vulnerability is to confidentiality and integrity. Versions before resteasy 2.0.0.Alpha3 are affected.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-567", description: "CWE-567", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-07-02T11:06:08", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1899354", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20210702-0003/", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2020-25724", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "resteasy", version: { version_data: [ { version_value: "resteasy 2.0.0.Alpha3", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A flaw was found in RESTEasy, where an incorrect response to an HTTP request is provided. This flaw allows an attacker to gain access to privileged information. 
The highest threat from this vulnerability is to confidentiality and integrity. Versions before resteasy 2.0.0.Alpha3 are affected.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-567", }, ], }, ], }, references: { reference_data: [ { name: "https://bugzilla.redhat.com/show_bug.cgi?id=1899354", refsource: "MISC", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1899354", }, { name: "https://security.netapp.com/advisory/ntap-20210702-0003/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20210702-0003/", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2020-25724", datePublished: "2021-05-26T20:52:06", dateReserved: "2020-09-16T00:00:00", dateUpdated: "2024-08-04T15:40:36.746Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-20328
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://jira.mongodb.org/browse/JAVA-4017 | x_refsource_MISC |
Vendor | Product | Version |
---|---|---|
MongoDB Inc. | mongo-java-driver | 3.11 <= 3.11.2; 3.12 <= 3.12.7 |
MongoDB Inc. | mongodb-driver | 3.11 <= 3.11.2; 3.12 <= 3.12.7 |
MongoDB Inc. | mongodb-driver-sync | 3.11 <= 3.11.2; 3.12 <= 3.12.7; 4.0 <= 4.0.5; 4.1 <= 4.1.1; 4.2.0 |
MongoDB Inc. | mongodb-driver-legacy | 3.11 <= 3.11.2; 3.12 <= 3.12.7; 4.0 <= 4.0.5; 4.1 <= 4.1.1; 4.2.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T17:37:24.117Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://jira.mongodb.org/browse/JAVA-4017", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:mongodb:java_driver:*:*:*:*:*:mongodb:*:*", ], defaultStatus: "unaffected", product: "java_driver", vendor: "mongodb", versions: [ { lessThanOrEqual: "3.11.2", status: "affected", version: "3.11", versionType: "custom", }, { lessThanOrEqual: "3.12.7", status: "affected", version: "3.12", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2021-20328", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-02-13T16:48:15.681647Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-08-15T17:36:34.465Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "mongo-java-driver", vendor: "MongoDB Inc.", versions: [ { lessThanOrEqual: "3.11.2", status: "affected", version: "3.11", versionType: "custom", }, { lessThanOrEqual: "3.12.7", status: "affected", version: "3.12", versionType: "custom", }, ], }, { defaultStatus: "unaffected", product: "mongodb-driver", vendor: "MongoDB Inc.", versions: [ { lessThanOrEqual: "3.11.2", status: "affected", version: "3.11", versionType: "custom", }, { lessThanOrEqual: "3.12.7", status: "affected", version: "3.12", versionType: "custom", }, ], }, { defaultStatus: "unaffected", product: "mongodb-driver-sync", vendor: "MongoDB Inc.", versions: [ { status: "affected", version: "4.2.0", }, { lessThanOrEqual: "3.11.2", status: "affected", version: "3.11", versionType: "custom", }, { lessThanOrEqual: "3.12.7", status: "affected", version: "3.12", 
versionType: "custom", }, { lessThanOrEqual: "4.0.5", status: "affected", version: "4.0", versionType: "custom", }, { lessThanOrEqual: "4.1.1", status: "affected", version: "4.1", versionType: "custom", }, ], }, { defaultStatus: "unaffected", product: "mongodb-driver-legacy", vendor: "MongoDB Inc.", versions: [ { status: "affected", version: "4.2.0", }, { lessThanOrEqual: "3.11.2", status: "affected", version: "3.11", versionType: "custom", }, { lessThanOrEqual: "3.12.7", status: "affected", version: "3.12", versionType: "custom", }, { lessThanOrEqual: "4.0.5", status: "affected", version: "4.0", versionType: "custom", }, { lessThanOrEqual: "4.1.1", status: "affected", version: "4.1", versionType: "custom", }, ], }, ], datePublic: "2021-02-25T00:00:00.000Z", descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don’t use Field Level Encryption.</p>", }, ], value: "Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. 
This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don’t use Field Level Encryption.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "ADJACENT_NETWORK", availabilityImpact: "NONE", baseScore: 6.4, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-295", description: "CWE-295 Improper Certificate Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-02-13T13:39:14.648Z", orgId: "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", shortName: "mongodb", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://jira.mongodb.org/browse/JAVA-4017", }, ], source: { discovery: "INTERNAL", }, title: "MongoDB Java driver client-side field level encryption not verifying KMS host name", x_generator: { engine: "Vulnogram 0.0.9", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cna@mongodb.com", DATE_PUBLIC: "2021-02-25T17:00:00.000Z", ID: "CVE-2021-20328", STATE: "PUBLIC", TITLE: "MongoDB Java driver client-side field level encryption not verifying KMS host name", }, affects: { vendor: { vendor_data: [ 
{ product: { product_data: [ { product_name: "mongo-java-driver", version: { version_data: [ { version_affected: "<=", version_name: "3.11", version_value: "3.11.2", }, { version_affected: "<=", version_name: "3.12", version_value: "3.12.7", }, ], }, }, { product_name: "mongodb-driver", version: { version_data: [ { version_affected: "<=", version_name: "3.11", version_value: "3.11.2", }, { version_affected: "<=", version_name: "3.12", version_value: "3.12.7", }, ], }, }, { product_name: "mongodb-driver-sync", version: { version_data: [ { version_affected: "<=", version_name: "3.11", version_value: "3.11.2", }, { version_affected: "<=", version_name: "3.12", version_value: "3.12.7", }, { version_affected: "<=", version_name: "4.0", version_value: "4.0.5", }, { version_affected: "<=", version_name: "4.1", version_value: "4.1.1", }, { version_affected: "=", version_name: "4.2", version_value: "4.2.0", }, ], }, }, { product_name: "mongodb-driver-legacy", version: { version_data: [ { version_affected: "<=", version_name: "3.11", version_value: "3.11.2", }, { version_affected: "<=", version_name: "3.12", version_value: "3.12.7", }, { version_affected: "<=", version_name: "4.0", version_value: "4.0.5", }, { version_affected: "<=", version_name: "4.1", version_value: "4.1.1", }, { version_affected: "=", version_name: "4.2", version_value: "4.2.0", }, ], }, }, ], }, vendor_name: "MongoDB Inc.", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. 
This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don’t use Field Level Encryption.", }, ], }, generator: { engine: "Vulnogram 0.0.9", }, impact: { cvss: { attackComplexity: "HIGH", attackVector: "ADJACENT_NETWORK", availabilityImpact: "NONE", baseScore: 6.4, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-295 Improper Certificate Validation", }, ], }, ], }, references: { reference_data: [ { name: "https://jira.mongodb.org/browse/JAVA-4017", refsource: "MISC", url: "https://jira.mongodb.org/browse/JAVA-4017", }, ], }, source: { discovery: "INTERNAL", }, }, }, }, cveMetadata: { assignerOrgId: "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", assignerShortName: "mongodb", cveId: "CVE-2021-20328", datePublished: "2021-02-25T16:30:14.536970Z", dateReserved: "2020-12-17T00:00:00", dateUpdated: "2024-09-16T19:10:28.653Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-26291
Vulnerability from cvelistv5
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Maven |
Version: Apache Maven <= 3.8.1 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T20:19:20.126Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00%40%3Cusers.maven.apache.org%3E", }, { name: "[maven-dev] 20210423 CVE-2021-26291: Apache Maven: block repositories using http by default", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r06db4057b74e0598a412734f693a34a8836ac6f06d16d139e5e1027c%40%3Cdev.maven.apache.org%3E", }, { name: "[maven-users] 20210423 CVE-2021-26291: Apache Maven: block repositories using http by default", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00%40%3Cusers.maven.apache.org%3E", }, { name: "[oss-security] 20210423 CVE-2021-26291: Apache Maven: block repositories using http by default", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2021/04/23/5", }, { name: "[announce] 20210423 CVE-2021-26291: Apache Maven: block repositories using http by default", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r0556ce5db7231025785477739ee416b169d8aff5ee9bac7854d64736%40%3Cannounce.apache.org%3E", }, { name: "[jena-dev] 20210428 FYI: Maven CVE-2021-26291", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ra88a0eba7f84658cefcecc0143fd8bbad52c229ee5dfcbfdde7b6457%40%3Cdev.jena.apache.org%3E", }, { name: "[jena-dev] 20210429 Re: FYI: Maven CVE-2021-26291", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: 
"https://lists.apache.org/thread.html/r3f0450dcab7e63b5f233ccfbc6fca5f1867a75c8aa2493ea82732381%40%3Cdev.jena.apache.org%3E", }, { name: "[myfaces-dev] 20210506 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #817: build: CVE fix", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594%40%3Cdev.myfaces.apache.org%3E", }, { name: "[kafka-jira] 20210520 [jira] [Created] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r86e1c81e03f441855f127980e9b3d41939d04a7caea2b7ab718e2288%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-dev] 20210520 [jira] [Created] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/red3bf6cbfd99e36b0c0a4fa1cea1eef1eb300c6bd8f372f497341265%40%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210520 [GitHub] [kafka] dongjinleekr opened a new pull request #10739: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r340e75c9bb6e8661b89e1cf2c52f4638a18312e57bd884722bc28f52%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210520 [jira] [Assigned] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r78fb6d2cf0ca332cfa43abd4471e75fa6c517ed9cdfcb950bff48d40%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210521 [GitHub] [kafka] omkreddy merged pull request #10739: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291", tags: [ "mailing-list", "x_refsource_MLIST", 
"x_transferred", ], url: "https://lists.apache.org/thread.html/r39fa6ec4b7e912d3e04ea68efd23e554ec9c8efa2c96f5b45104fc61%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-dev] 20210521 [jira] [Resolved] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r30e9fcba679d164158cc26236704c351954909c18cb2485d11038aa6%40%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-commits] 20210521 [kafka] branch 2.6 updated: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rc7ae2530063d1cd1cf8e9fa130d10940760f927168d4063d23b8cd0a%40%3Ccommits.kafka.apache.org%3E", }, { name: "[kafka-commits] 20210521 [kafka] branch 2.8 updated: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r5ae6aaa8a2ce86145225c3516bb45d315c0454e3765d651527e5df8a%40%3Ccommits.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210521 [jira] [Resolved] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r0a5e4ff2a7ca7ad8595d7683afbaeb3b8788ba974681907f97e7dc8e%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-commits] 20210521 [kafka] branch 2.7 updated: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r86aebd0387ae19b740b3eb28bad83fe6aceca0d6257eaa810a6e0002%40%3Ccommits.kafka.apache.org%3E", }, { name: "[kafka-users] 20210617 vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: 
"https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E", }, { name: "[karaf-issues] 20210718 [jira] [Created] (KARAF-7224) Impact of CVE-2021-26291 on Karaf", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r71bc13669be84c2ff45b74a67929bc2da905c152e12a39b406e3c2a0%40%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210718 [jira] [Created] (KARAF-7223) Upgrade maven artifacts to mitigate CVE-2021-26291", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r53cd5de57aaa126038c5301d8f518f3defab3c5b1c7e17c97bad08d8%40%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210719 [jira] [Commented] (KARAF-7224) Impact of CVE-2021-26291 on Karaf", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r52c6cda14dc6315dc79e72d30109f4589e9c6300ef6dc1a019da32d4%40%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210719 [jira] [Assigned] (KARAF-7224) Impact of CVE-2021-26291 on Karaf", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r74329c671df713f61ae4620ee2452a0443ccad7f33c60e8ed7d21ff9%40%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210719 [jira] [Assigned] (KARAF-7223) Upgrade maven artifacts to mitigate CVE-2021-26291", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r07a89b32783f73bda6903c1f9aadeb859e5bef0a4daed6d87db8e4a9%40%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210720 [jira] [Commented] (KARAF-7224) Impact of CVE-2021-26291 on Karaf", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r96cc126d3ee9aa42af9d3bb4baa94828b0a5f656584a50dcc594125f%40%3Cissues.karaf.apache.org%3E", }, { name: 
"[druid-commits] 20210809 [GitHub] [druid] abhishekagarwal87 opened a new pull request #11562: suppress CVE-2021-26291 on kafka-clients", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ra9d984eccfd2ae7726671e025f0296bf03786e5cdf872138110ac29b%40%3Ccommits.druid.apache.org%3E", }, { name: "[kafka-jira] 20210809 [jira] [Commented] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r0d083314aa3934dd4b6e6970d1f6ee50f6eaa9d867deb2cd96788478%40%3Cjira.kafka.apache.org%3E", }, { name: "[druid-commits] 20210809 [GitHub] [druid] abhishekagarwal87 merged pull request #11562: suppress CVE-2021-26291 on kafka-clients", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/re75f8b3dbc5faa1640908f87e644d373e00f8b4e6ba3e2ba4bd2c80b%40%3Ccommits.druid.apache.org%3E", }, { name: "[druid-commits] 20210809 [GitHub] [druid] jihoonson commented on pull request #11562: suppress CVE-2021-26291 on kafka-clients", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r08a401f8c98a99f68d061fde6e6659d695f28d60fe4f0413bcb355b0%40%3Ccommits.druid.apache.org%3E", }, { name: "[karaf-issues] 20210810 [jira] [Created] (KARAF-7240) Upgrade bcprov artifacts to mitigate CVE-2020-28052", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rdcbad6d8ce72c79827ed8c635f9a62dd919bb21c94a0b64cab2efc31%40%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210810 [jira] [Updated] (KARAF-7240) Upgrade bcprov artifacts to mitigate CVE-2020-28052", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rfc0db1f3c375087e69a239f9284ded72d04fbb55849eadde58fa9dc2%40%3Cissues.karaf.apache.org%3E", }, { 
name: "[karaf-issues] 20210810 [jira] [Commented] (KARAF-7240) Upgrade bcprov artifacts to mitigate CVE-2020-28052", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r77af3ac7c3bfbd5454546e13faf7aec21d627bdcf36c9ca240436b94%40%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210816 [jira] [Updated] (KARAF-7240) Upgrade bcprov artifacts to mitigate CVE-2020-28052", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rcd37d9214b08067a2e8f2b5b4fd123a1f8cb6008698d11ef44028c21%40%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210816 [jira] [Updated] (KARAF-7240) Upgrade bcprov 1.69 artifacts to mitigate CVE-2020-28052", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r167dbc42ef7c59802c2ca1ac14735ef9cf687c25208229993d6206fe%40%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210817 [jira] [Commented] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r4e1619cfefcd031fac62064a3858f5c9229eef907bd5d8ef14c594fc%40%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210817 [jira] [Updated] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r2ddabd06d94b60cfb0141e4abb23201c628ab925e30742f61a04d013%40%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210820 [jira] [Updated] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r30a139c165b3da6e0d5536434ab1550534011b1fdfcd2f5d95892c5b%40%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210824 [jira] [Commented] 
(KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rf9abfc0223747a56694825c050cc6b66627a293a32ea926b3de22402%40%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210824 [jira] [Resolved] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rc9e441c1576bdc4375d32526d5cf457226928e9c87b9f54ded26271c%40%3Cissues.karaf.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/r7212b874e575e59d648980d91bc22e684906aee9b211ab92da9591f5%40%3Cdev.kafka.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/rcd6c3a36f1dbc130da1b89d0f320db7040de71661a512695a8d513ac%40%3Cdev.kafka.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.whitesourcesoftware.com/resources/blog/maven-security-vulnerability-cve-2021-26291/", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Maven", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "3.8.1", status: "affected", version: "Apache Maven", versionType: "custom", }, ], }, ], credits: [ { lang: "en", value: "Apache Maven would like to thank Jonathan Leitschuh for highlighting the need for this change.", }, ], descriptions: [ { lang: "en", value: "Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom), which may be surprising to some users and creates a risk if a malicious actor takes over that repository or is 
able to position themselves (for example, on the network path of a plain-http connection) to impersonate that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow plain-http (non-TLS) repository references by default. More details are available in the referenced URLs. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html", }, ], problemTypes: [ { descriptions: [ { description: "Unexpected Behavior", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-07-25T16:26:44", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00%40%3Cusers.maven.apache.org%3E", }, { name: "[maven-dev] 20210423 CVE-2021-26291: Apache Maven: block repositories using http by default", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r06db4057b74e0598a412734f693a34a8836ac6f06d16d139e5e1027c%40%3Cdev.maven.apache.org%3E", }, { name: "[maven-users] 20210423 CVE-2021-26291: Apache Maven: block repositories using http by default", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00%40%3Cusers.maven.apache.org%3E", }, { name: "[oss-security] 20210423 CVE-2021-26291: Apache Maven: block repositories using http by default", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2021/04/23/5", }, { name: "[announce] 20210423 CVE-2021-26291: Apache Maven: block repositories using http by default", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/r0556ce5db7231025785477739ee416b169d8aff5ee9bac7854d64736%40%3Cannounce.apache.org%3E", }, { name: "[jena-dev] 20210428 FYI: Maven CVE-2021-26291", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ra88a0eba7f84658cefcecc0143fd8bbad52c229ee5dfcbfdde7b6457%40%3Cdev.jena.apache.org%3E", }, { name: "[jena-dev] 20210429 Re: FYI: Maven CVE-2021-26291", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r3f0450dcab7e63b5f233ccfbc6fca5f1867a75c8aa2493ea82732381%40%3Cdev.jena.apache.org%3E", }, { name: "[myfaces-dev] 20210506 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #817: build: CVE fix", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594%40%3Cdev.myfaces.apache.org%3E", }, { name: "[kafka-jira] 20210520 [jira] [Created] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r86e1c81e03f441855f127980e9b3d41939d04a7caea2b7ab718e2288%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-dev] 20210520 [jira] [Created] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/red3bf6cbfd99e36b0c0a4fa1cea1eef1eb300c6bd8f372f497341265%40%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210520 [GitHub] [kafka] dongjinleekr opened a new pull request #10739: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r340e75c9bb6e8661b89e1cf2c52f4638a18312e57bd884722bc28f52%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210520 [jira] [Assigned] (KAFKA-12820) Upgrade maven-artifact dependency to resolve 
CVE-2021-26291", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r78fb6d2cf0ca332cfa43abd4471e75fa6c517ed9cdfcb950bff48d40%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210521 [GitHub] [kafka] omkreddy merged pull request #10739: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r39fa6ec4b7e912d3e04ea68efd23e554ec9c8efa2c96f5b45104fc61%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-dev] 20210521 [jira] [Resolved] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r30e9fcba679d164158cc26236704c351954909c18cb2485d11038aa6%40%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-commits] 20210521 [kafka] branch 2.6 updated: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rc7ae2530063d1cd1cf8e9fa130d10940760f927168d4063d23b8cd0a%40%3Ccommits.kafka.apache.org%3E", }, { name: "[kafka-commits] 20210521 [kafka] branch 2.8 updated: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r5ae6aaa8a2ce86145225c3516bb45d315c0454e3765d651527e5df8a%40%3Ccommits.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210521 [jira] [Resolved] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r0a5e4ff2a7ca7ad8595d7683afbaeb3b8788ba974681907f97e7dc8e%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-commits] 20210521 [kafka] branch 2.7 updated: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/r86aebd0387ae19b740b3eb28bad83fe6aceca0d6257eaa810a6e0002%40%3Ccommits.kafka.apache.org%3E", }, { name: "[kafka-users] 20210617 vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E", }, { name: "[karaf-issues] 20210718 [jira] [Created] (KARAF-7224) Impact of CVE-2021-26291 on Karaf", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r71bc13669be84c2ff45b74a67929bc2da905c152e12a39b406e3c2a0%40%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210718 [jira] [Created] (KARAF-7223) Upgrade maven artifacts to mitigate CVE-2021-26291", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r53cd5de57aaa126038c5301d8f518f3defab3c5b1c7e17c97bad08d8%40%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210719 [jira] [Commented] (KARAF-7224) Impact of CVE-2021-26291 on Karaf", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r52c6cda14dc6315dc79e72d30109f4589e9c6300ef6dc1a019da32d4%40%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210719 [jira] [Assigned] (KARAF-7224) Impact of CVE-2021-26291 on Karaf", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r74329c671df713f61ae4620ee2452a0443ccad7f33c60e8ed7d21ff9%40%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210719 [jira] [Assigned] (KARAF-7223) Upgrade maven artifacts to mitigate CVE-2021-26291", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r07a89b32783f73bda6903c1f9aadeb859e5bef0a4daed6d87db8e4a9%40%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210720 [jira] [Commented] (KARAF-7224) Impact of CVE-2021-26291 on Karaf", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/r96cc126d3ee9aa42af9d3bb4baa94828b0a5f656584a50dcc594125f%40%3Cissues.karaf.apache.org%3E", }, { name: "[druid-commits] 20210809 [GitHub] [druid] abhishekagarwal87 opened a new pull request #11562: suppress CVE-2021-26291 on kafka-clients", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ra9d984eccfd2ae7726671e025f0296bf03786e5cdf872138110ac29b%40%3Ccommits.druid.apache.org%3E", }, { name: "[kafka-jira] 20210809 [jira] [Commented] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r0d083314aa3934dd4b6e6970d1f6ee50f6eaa9d867deb2cd96788478%40%3Cjira.kafka.apache.org%3E", }, { name: "[druid-commits] 20210809 [GitHub] [druid] abhishekagarwal87 merged pull request #11562: suppress CVE-2021-26291 on kafka-clients", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/re75f8b3dbc5faa1640908f87e644d373e00f8b4e6ba3e2ba4bd2c80b%40%3Ccommits.druid.apache.org%3E", }, { name: "[druid-commits] 20210809 [GitHub] [druid] jihoonson commented on pull request #11562: suppress CVE-2021-26291 on kafka-clients", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r08a401f8c98a99f68d061fde6e6659d695f28d60fe4f0413bcb355b0%40%3Ccommits.druid.apache.org%3E", }, { name: "[karaf-issues] 20210810 [jira] [Created] (KARAF-7240) Upgrade bcprov artifacts to mitigate CVE-2020-28052", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rdcbad6d8ce72c79827ed8c635f9a62dd919bb21c94a0b64cab2efc31%40%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210810 [jira] [Updated] (KARAF-7240) Upgrade bcprov artifacts to mitigate CVE-2020-28052", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/rfc0db1f3c375087e69a239f9284ded72d04fbb55849eadde58fa9dc2%40%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210810 [jira] [Commented] (KARAF-7240) Upgrade bcprov artifacts to mitigate CVE-2020-28052", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r77af3ac7c3bfbd5454546e13faf7aec21d627bdcf36c9ca240436b94%40%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210816 [jira] [Updated] (KARAF-7240) Upgrade bcprov artifacts to mitigate CVE-2020-28052", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rcd37d9214b08067a2e8f2b5b4fd123a1f8cb6008698d11ef44028c21%40%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210816 [jira] [Updated] (KARAF-7240) Upgrade bcprov 1.69 artifacts to mitigate CVE-2020-28052", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r167dbc42ef7c59802c2ca1ac14735ef9cf687c25208229993d6206fe%40%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210817 [jira] [Commented] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r4e1619cfefcd031fac62064a3858f5c9229eef907bd5d8ef14c594fc%40%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210817 [jira] [Updated] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r2ddabd06d94b60cfb0141e4abb23201c628ab925e30742f61a04d013%40%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210820 [jira] [Updated] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r30a139c165b3da6e0d5536434ab1550534011b1fdfcd2f5d95892c5b%40%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 
20210824 [jira] [Commented] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rf9abfc0223747a56694825c050cc6b66627a293a32ea926b3de22402%40%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210824 [jira] [Resolved] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rc9e441c1576bdc4375d32526d5cf457226928e9c87b9f54ded26271c%40%3Cissues.karaf.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/r7212b874e575e59d648980d91bc22e684906aee9b211ab92da9591f5%40%3Cdev.kafka.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/rcd6c3a36f1dbc130da1b89d0f320db7040de71661a512695a8d513ac%40%3Cdev.kafka.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.whitesourcesoftware.com/resources/blog/maven-security-vulnerability-cve-2021-26291/", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, ], source: { defect: [ "MNG-7118", ], discovery: "UNKNOWN", }, title: "block repositories using http by default", x_generator: { engine: "Vulnogram 0.0.9", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2021-26291", STATE: "PUBLIC", TITLE: "block repositories using http by default", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Maven", version: { version_data: [ { version_affected: "<=", version_name: "Apache Maven", version_value: "3.8.1", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, credit: [ { lang: "eng", value: "Apache Maven would like to thank Jonathan Leitschuh for highlighting the need for this change.", 
}, ], data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom), which may be surprising to some users and creates a risk if a malicious actor takes over that repository or is able to position themselves (for example, on the network path of a plain-http connection) to impersonate that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow plain-http (non-TLS) repository references by default. More details are available in the referenced URLs. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html", }, ], }, generator: { engine: "Vulnogram 0.0.9", }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Unexpected Behavior", }, ], }, ], }, references: { reference_data: [ { name: "https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00%40%3Cusers.maven.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00%40%3Cusers.maven.apache.org%3E", }, { name: "[maven-dev] 20210423 CVE-2021-26291: Apache Maven: block repositories using http by default", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r06db4057b74e0598a412734f693a34a8836ac6f06d16d139e5e1027c@%3Cdev.maven.apache.org%3E", }, { name: "[maven-users] 20210423 CVE-2021-26291: Apache Maven: block repositories using http by default", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00@%3Cusers.maven.apache.org%3E", }, { name: "[oss-security] 20210423 CVE-2021-26291: Apache 
Maven: block repositories using http by default", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2021/04/23/5", }, { name: "[announce] 20210423 CVE-2021-26291: Apache Maven: block repositories using http by default", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r0556ce5db7231025785477739ee416b169d8aff5ee9bac7854d64736@%3Cannounce.apache.org%3E", }, { name: "[jena-dev] 20210428 FYI: Maven CVE-2021-26291", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ra88a0eba7f84658cefcecc0143fd8bbad52c229ee5dfcbfdde7b6457@%3Cdev.jena.apache.org%3E", }, { name: "[jena-dev] 20210429 Re: FYI: Maven CVE-2021-26291", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r3f0450dcab7e63b5f233ccfbc6fca5f1867a75c8aa2493ea82732381@%3Cdev.jena.apache.org%3E", }, { name: "[myfaces-dev] 20210506 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #817: build: CVE fix", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594@%3Cdev.myfaces.apache.org%3E", }, { name: "[kafka-jira] 20210520 [jira] [Created] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r86e1c81e03f441855f127980e9b3d41939d04a7caea2b7ab718e2288@%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-dev] 20210520 [jira] [Created] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291", refsource: "MLIST", url: "https://lists.apache.org/thread.html/red3bf6cbfd99e36b0c0a4fa1cea1eef1eb300c6bd8f372f497341265@%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210520 [GitHub] [kafka] dongjinleekr opened a new pull request #10739: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r340e75c9bb6e8661b89e1cf2c52f4638a18312e57bd884722bc28f52@%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210520 [jira] 
[Assigned] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r78fb6d2cf0ca332cfa43abd4471e75fa6c517ed9cdfcb950bff48d40@%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210521 [GitHub] [kafka] omkreddy merged pull request #10739: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r39fa6ec4b7e912d3e04ea68efd23e554ec9c8efa2c96f5b45104fc61@%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-dev] 20210521 [jira] [Resolved] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r30e9fcba679d164158cc26236704c351954909c18cb2485d11038aa6@%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-commits] 20210521 [kafka] branch 2.6 updated: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rc7ae2530063d1cd1cf8e9fa130d10940760f927168d4063d23b8cd0a@%3Ccommits.kafka.apache.org%3E", }, { name: "[kafka-commits] 20210521 [kafka] branch 2.8 updated: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r5ae6aaa8a2ce86145225c3516bb45d315c0454e3765d651527e5df8a@%3Ccommits.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210521 [jira] [Resolved] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r0a5e4ff2a7ca7ad8595d7683afbaeb3b8788ba974681907f97e7dc8e@%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-commits] 20210521 [kafka] branch 2.7 updated: KAFKA-12820: Upgrade maven-artifact dependency to resolve CVE-2021-26291", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r86aebd0387ae19b740b3eb28bad83fe6aceca0d6257eaa810a6e0002@%3Ccommits.kafka.apache.org%3E", }, { 
name: "[kafka-users] 20210617 vulnerabilities", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E", }, { name: "[karaf-issues] 20210718 [jira] [Created] (KARAF-7224) Impact of CVE-2021-26291 on Karaf", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r71bc13669be84c2ff45b74a67929bc2da905c152e12a39b406e3c2a0@%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210718 [jira] [Created] (KARAF-7223) Upgrade maven artifacts to mitigate CVE-2021-26291", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r53cd5de57aaa126038c5301d8f518f3defab3c5b1c7e17c97bad08d8@%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210719 [jira] [Commented] (KARAF-7224) Impact of CVE-2021-26291 on Karaf", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r52c6cda14dc6315dc79e72d30109f4589e9c6300ef6dc1a019da32d4@%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210719 [jira] [Assigned] (KARAF-7224) Impact of CVE-2021-26291 on Karaf", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r74329c671df713f61ae4620ee2452a0443ccad7f33c60e8ed7d21ff9@%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210719 [jira] [Assigned] (KARAF-7223) Upgrade maven artifacts to mitigate CVE-2021-26291", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r07a89b32783f73bda6903c1f9aadeb859e5bef0a4daed6d87db8e4a9@%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210720 [jira] [Commented] (KARAF-7224) Impact of CVE-2021-26291 on Karaf", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r96cc126d3ee9aa42af9d3bb4baa94828b0a5f656584a50dcc594125f@%3Cissues.karaf.apache.org%3E", }, { name: "[druid-commits] 20210809 [GitHub] [druid] abhishekagarwal87 opened a new pull request #11562: suppress CVE-2021-26291 on kafka-clients", refsource: "MLIST", url: 
"https://lists.apache.org/thread.html/ra9d984eccfd2ae7726671e025f0296bf03786e5cdf872138110ac29b@%3Ccommits.druid.apache.org%3E", }, { name: "[kafka-jira] 20210809 [jira] [Commented] (KAFKA-12820) Upgrade maven-artifact dependency to resolve CVE-2021-26291", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r0d083314aa3934dd4b6e6970d1f6ee50f6eaa9d867deb2cd96788478@%3Cjira.kafka.apache.org%3E", }, { name: "[druid-commits] 20210809 [GitHub] [druid] abhishekagarwal87 merged pull request #11562: suppress CVE-2021-26291 on kafka-clients", refsource: "MLIST", url: "https://lists.apache.org/thread.html/re75f8b3dbc5faa1640908f87e644d373e00f8b4e6ba3e2ba4bd2c80b@%3Ccommits.druid.apache.org%3E", }, { name: "[druid-commits] 20210809 [GitHub] [druid] jihoonson commented on pull request #11562: suppress CVE-2021-26291 on kafka-clients", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r08a401f8c98a99f68d061fde6e6659d695f28d60fe4f0413bcb355b0@%3Ccommits.druid.apache.org%3E", }, { name: "[karaf-issues] 20210810 [jira] [Created] (KARAF-7240) Upgrade bcprov artifacts to mitigate CVE-2020-28052", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rdcbad6d8ce72c79827ed8c635f9a62dd919bb21c94a0b64cab2efc31@%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210810 [jira] [Updated] (KARAF-7240) Upgrade bcprov artifacts to mitigate CVE-2020-28052", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rfc0db1f3c375087e69a239f9284ded72d04fbb55849eadde58fa9dc2@%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210810 [jira] [Commented] (KARAF-7240) Upgrade bcprov artifacts to mitigate CVE-2020-28052", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r77af3ac7c3bfbd5454546e13faf7aec21d627bdcf36c9ca240436b94@%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210816 [jira] [Updated] (KARAF-7240) Upgrade bcprov artifacts to mitigate CVE-2020-28052", refsource: "MLIST", url: 
"https://lists.apache.org/thread.html/rcd37d9214b08067a2e8f2b5b4fd123a1f8cb6008698d11ef44028c21@%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210816 [jira] [Updated] (KARAF-7240) Upgrade bcprov 1.69 artifacts to mitigate CVE-2020-28052", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r167dbc42ef7c59802c2ca1ac14735ef9cf687c25208229993d6206fe@%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210817 [jira] [Commented] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r4e1619cfefcd031fac62064a3858f5c9229eef907bd5d8ef14c594fc@%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210817 [jira] [Updated] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r2ddabd06d94b60cfb0141e4abb23201c628ab925e30742f61a04d013@%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210820 [jira] [Updated] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r30a139c165b3da6e0d5536434ab1550534011b1fdfcd2f5d95892c5b@%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210824 [jira] [Commented] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rf9abfc0223747a56694825c050cc6b66627a293a32ea926b3de22402@%3Cissues.karaf.apache.org%3E", }, { name: "[karaf-issues] 20210824 [jira] [Resolved] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rc9e441c1576bdc4375d32526d5cf457226928e9c87b9f54ded26271c@%3Cissues.karaf.apache.org%3E", }, { name: "https://www.oracle.com/security-alerts/cpuapr2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { name: 
"https://lists.apache.org/thread.html/r7212b874e575e59d648980d91bc22e684906aee9b211ab92da9591f5@%3Cdev.kafka.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/r7212b874e575e59d648980d91bc22e684906aee9b211ab92da9591f5@%3Cdev.kafka.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/rcd6c3a36f1dbc130da1b89d0f320db7040de71661a512695a8d513ac@%3Cdev.kafka.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/rcd6c3a36f1dbc130da1b89d0f320db7040de71661a512695a8d513ac@%3Cdev.kafka.apache.org%3E", }, { name: "https://www.whitesourcesoftware.com/resources/blog/maven-security-vulnerability-cve-2021-26291/", refsource: "MISC", url: "https://www.whitesourcesoftware.com/resources/blog/maven-security-vulnerability-cve-2021-26291/", }, { name: "https://www.oracle.com/security-alerts/cpujul2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, ], }, source: { defect: [ "MNG-7118", ], discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2021-26291", datePublished: "2021-04-23T14:20:13", dateReserved: "2021-01-27T00:00:00", dateUpdated: "2024-08-03T20:19:20.126Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-13956
Vulnerability from cvelistv5
Vendor | Product | Version
---|---|---
n/a | Apache HttpClient | 4.5.12 and prior, 5.0.2 and prior
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T12:32:14.610Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/r6dab7da30f8bf075f79ee189e33b45a197502e2676481bb8787fc0d7%40%3Cdev.hc.apache.org%3E", }, { name: "[ranger-dev] 20201204 [jira] [Assigned] (RANGER-3100) Upgrade httpclient version from 4.5.6 to 4.5.13+ due to CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rf7ca60f78f05b772cc07d27e31bcd112f9910a05caf9095e38ee150f%40%3Cdev.ranger.apache.org%3E", }, { name: "[ranger-dev] 20201204 [jira] [Updated] (RANGER-3100) Upgrade httpclient version from 4.5.6 to 4.5.13+ due to CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rcced7ed3237c29cd19c1e9bf465d0038b8b2e967b99fc283db7ca553%40%3Cdev.ranger.apache.org%3E", }, { name: "[ranger-dev] 20201215 [jira] [Updated] (RANGER-3100) Upgrade httpclient version from 4.5.6 to 4.5.13+ due to CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r63296c45d5d84447babaf39bd1487329d8a80d8d563e67a4b6f3d8a7%40%3Cdev.ranger.apache.org%3E", }, { name: "[ranger-dev] 20201215 [jira] [Commented] (RANGER-3100) Upgrade httpclient version from 4.5.6 to 4.5.13+ due to CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r12cb62751b35bdcda0ae2a08b67877d665a1f4d41eee0fa7367169e0%40%3Cdev.ranger.apache.org%3E", }, { name: "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: 
"https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E", }, { name: "[ranger-dev] 20201216 [jira] [Commented] (RANGER-3100) Upgrade httpclient version from 4.5.6 to 4.5.13+ due to CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r34178ab6ef106bc940665fd3f4ba5026fac3603b3fa2aefafa0b619d%40%3Cdev.ranger.apache.org%3E", }, { name: "[lucene-solr-user] 20201229 Upgrade httpclient version due to CVE-2020-13956?", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rb725052404fabffbe093c83b2c46f3f87e12c3193a82379afbc529f8%40%3Csolr-user.lucene.apache.org%3E", }, { name: "[turbine-commits] 20210203 svn commit: r1886168 - in /turbine/core/trunk: ./ conf/ conf/test/ src/java/org/apache/turbine/services/urlmapper/ src/test/org/apache/turbine/services/urlmapper/ src/test/org/apache/turbine/services/urlmapper/model/ xdocs/howto/", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rb33212dab7beccaf1ffef9b88610047c644f644c7a0ebdc44d77e381%40%3Ccommits.turbine.apache.org%3E", }, { name: "[hive-issues] 20210301 [jira] [Updated] (HIVE-24837) Upgrade httpclient to 4.5.13+ due to CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rfc00884c7b7ca878297bffe45fcb742c362b00b26ba37070706d44c3%40%3Cissues.hive.apache.org%3E", }, { name: "[hive-issues] 20210301 [jira] [Assigned] (HIVE-24837) Upgrade httpclient to 4.5.13+ due to CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r5fec9c1d67f928179adf484b01e7becd7c0a6fdfe3a08f92ea743b90%40%3Cissues.hive.apache.org%3E", }, { name: "[hive-gitbox] 20210301 [GitHub] [hive] hsnusonic opened a new pull request #2032: HIVE-24837 Upgrade 
httpclient to 4.5.13+ due to CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r2dc7930b43eadc78220d269b79e13ecd387e4bee52db67b2f47d4303%40%3Cgitbox.hive.apache.org%3E", }, { name: "[hive-dev] 20210301 [jira] [Created] (HIVE-24837) Upgrade httpclient to 4.5.13+ due to CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r043a75acdeb52b15dd5e9524cdadef4202e6a5228644206acf9363f9%40%3Cdev.hive.apache.org%3E", }, { name: "[hive-issues] 20210301 [jira] [Work logged] (HIVE-24837) Upgrade httpclient to 4.5.13+ due to CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rd5ab56beb2ac6879f6ab427bc4e5f7691aed8362d17b713f61779858%40%3Cissues.hive.apache.org%3E", }, { name: "[hive-gitbox] 20210302 [GitHub] [hive] hsnusonic closed pull request #2032: HIVE-24837 Upgrade httpclient to 4.5.13+ due to CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rcd9ad5dda60c82ab0d0c9bd3e9cb1dc740804451fc20c7f451ef5cc4%40%3Cgitbox.hive.apache.org%3E", }, { name: "[solr-issues] 20210316 [jira] [Resolved] (SOLR-15270) upgrade httpclient to address CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/re504acd4d63b8df2a7353658f45c9a3137e5f80e41cf7de50058b2c1%40%3Cissues.solr.apache.org%3E", }, { name: "[solr-issues] 20210316 [jira] [Created] (SOLR-15269) upgrade httpclient to address CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r5de3d3808e7b5028df966e45115e006456c4e8931dc1e29036f17927%40%3Cissues.solr.apache.org%3E", }, { name: "[solr-issues] 20210316 [jira] [Created] (SOLR-15270) upgrade httpclient to address CVE-2020-13956", tags: [ "mailing-list", 
"x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rae14ae25ff4a60251e3ba2629c082c5ba3851dfd4d21218b99b56652%40%3Cissues.solr.apache.org%3E", }, { name: "[maven-issues] 20210530 [jira] [Updated] (DOXIA-615) Can you provide an updated version in order to fix CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r03bbc318c81be21f5c8a9b85e34f2ecc741aa804a8e43b0ef2c37749%40%3Cissues.maven.apache.org%3E", }, { name: "[maven-issues] 20210530 [jira] [Resolved] (DOXIA-615) Can you provide an updated version in order to fix CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ra539f20ef0fb0c27ee39945b5f56bf162e5c13d1c60f7344dab8de3b%40%3Cissues.maven.apache.org%3E", }, { name: "[maven-issues] 20210530 [jira] [Closed] (DOXIA-615) Can you provide an updated version in order to fix CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r8aa1e5c343b89aec5b69961471950e862f15246cb6392910161c389b%40%3Cissues.maven.apache.org%3E", }, { name: "[drill-issues] 20210604 [jira] [Commented] (DRILL-7946) Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r06cf3ca5c8ceb94b39cd24a73d4e96153b485a7dac88444dd876accb%40%3Cissues.drill.apache.org%3E", }, { name: "[drill-dev] 20210604 [GitHub] [drill] luocooong opened a new pull request #2250: DRILL-7946: Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rb4ba262d6f08ab9cf8b1ebbcd9b00b0368ffe90dad7ad7918b4b56fc%40%3Cdev.drill.apache.org%3E", }, { name: "[drill-dev] 20210604 [jira] [Created] (DRILL-7946) Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956", tags: [ 
"mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r55b2a1d1e9b1ec9db792b93da8f0f99a4fd5a5310b02673359d9b4d1%40%3Cdev.drill.apache.org%3E", }, { name: "[drill-issues] 20210604 [jira] [Created] (DRILL-7946) Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rea3dbf633dde5008d38bf6600a3738b9216e733e03f9ff7becf79625%40%3Cissues.drill.apache.org%3E", }, { name: "[drill-dev] 20210604 [GitHub] [drill] cgivre commented on pull request #2250: DRILL-7946: Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rc3739e0ad4bcf1888c6925233bfc37dd71156bbc8416604833095c42%40%3Cdev.drill.apache.org%3E", }, { name: "[drill-dev] 20210604 [GitHub] [drill] laurentgo merged pull request #2250: DRILL-7946: Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r9e52a6c72c8365000ecd035e48cc9fee5a677a150350d4420c46443d%40%3Cdev.drill.apache.org%3E", }, { name: "[drill-issues] 20210604 [jira] [Resolved] (DRILL-7946) Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rad6222134183046f3928f733bf680919e0c390739bfbfe6c90049673%40%3Cissues.drill.apache.org%3E", }, { name: "[drill-dev] 20210604 [jira] [Resolved] (DRILL-7946) Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r549ac8c159bf0c568c19670bedeb8d7c0074beded951d34b1c1d0d05%40%3Cdev.drill.apache.org%3E", }, { name: "[drill-commits] 20210604 [drill] branch master updated: DRILL-7946: Bump HttpClient from 4.5.12 to 4.5.13 for 
CVE-2020-13956 (#2250)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r6eb2dae157dbc9af1f30d1f64e9c60d4ebef618f3dce4a0e32d6ea4d%40%3Ccommits.drill.apache.org%3E", }, { name: "[drill-dev] 20210604 [GitHub] [drill] luocooong commented on pull request #2250: DRILL-7946: Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/reef569c2419705754a3acf42b5f19b2a158153cef0e448158bc54917%40%3Cdev.drill.apache.org%3E", }, { name: "[creadur-commits] 20210608 [jira] [Work started] (TENTACLES-13) Upgrade httpclient to circumvent CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r3f740e4c38bba1face49078aa5cbeeb558c27be601cc9712ad2dcd1e%40%3Ccommits.creadur.apache.org%3E", }, { name: "[creadur-commits] 20210608 [jira] [Resolved] (TENTACLES-13) Upgrade httpclient to circumvent CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rfb35f6db9ba1f1e061b63769a4eff5abadcc254ebfefc280e5a0dcf1%40%3Ccommits.creadur.apache.org%3E", }, { name: "[creadur-commits] 20210608 [jira] [Commented] (TENTACLES-13) Upgrade httpclient to circumvent CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r2a03dc210231d7e852ef73015f71792ac0fcaca6cccc024c522ef17d%40%3Ccommits.creadur.apache.org%3E", }, { name: "[creadur-commits] 20210608 [jira] [Created] (TENTACLES-13) Upgrade httpclient to circumvent CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r34efec51cb817397ccf9f86e25a75676d435ba5f83ee7b2eabdad707%40%3Ccommits.creadur.apache.org%3E", }, { name: "[creadur-commits] 20210608 [jira] [Assigned] (TENTACLES-13) Upgrade httpclient to circumvent 
CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r70c429923100c5a4fae8e5bc71c8a2d39af3de4888f50a0ac3755e6f%40%3Ccommits.creadur.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { name: "[maven-issues] 20210621 [jira] [Assigned] (DOXIA-615) Can you provide an updated version in order to fix CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rc990e2462ec32b09523deafb2c73606208599e196fa2d7f50bdbc587%40%3Cissues.maven.apache.org%3E", }, { name: "[creadur-dev] 20210621 [jira] [Updated] (RAT-275) Update httpclient to fix CVE-2020-13956 once a new doxia-core release is available", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r132e4c6a560cfc519caa1aaee63bdd4036327610eadbd89f76dd5457%40%3Cdev.creadur.apache.org%3E", }, { name: "[solr-issues] 20210623 [jira] [Updated] (SOLR-15270) upgrade httpclient to address CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r6a3cda38d050ebe13c1bc9a28d0a8ec38945095d07eca49046bcb89f%40%3Cissues.solr.apache.org%3E", }, { name: "[solr-issues] 20210623 [jira] [Updated] (SOLR-15269) upgrade httpclient to address CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rc505fee574fe8d18f9b0c655a4d120b0ae21bb6a73b96003e1d9be35%40%3Cissues.solr.apache.org%3E", }, { name: "[jackrabbit-dev] 20210706 [GitHub] [jackrabbit-oak] reschke commented on pull request #310: OAK-9482: upgrade httpclient to 4.5.13", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r5b55f65c123a7481104d663a915ec45a0d103e6aaa03f42ed1c07a89%40%3Cdev.jackrabbit.apache.org%3E", }, { name: 
"[jackrabbit-dev] 20210706 [GitHub] [jackrabbit-oak] reschke removed a comment on pull request #310: OAK-9482: upgrade httpclient to 4.5.13", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rc0863892ccfd9fd0d0ae10091f24ee769fb39b8957fe4ebabfc11f17%40%3Cdev.jackrabbit.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "[solr-issues] 20210912 [jira] [Updated] (SOLR-15269) upgrade httpclient to address CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rfbedcb586a1e7dfce87ee03c720e583fc2ceeafa05f35c542cecc624%40%3Cissues.solr.apache.org%3E", }, { name: "[bookkeeper-issues] 20210914 [GitHub] [bookkeeper] nicoloboschi opened a new pull request #2793: Upgrade httpclient from 4.5.5 to 4.5.13 to address CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r87ddc09295c27f25471269ad0a79433a91224045988b88f0413a97ec%40%3Cissues.bookkeeper.apache.org%3E", }, { name: "[bookkeeper-issues] 20210917 [GitHub] [bookkeeper] nicoloboschi commented on pull request #2793: Upgrade httpclient from 4.5.5 to 4.5.13 to address CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rf03228972e56cb4a03e6d9558188c2938078cf3ceb23a3fead87c9ca%40%3Cissues.bookkeeper.apache.org%3E", }, { name: "[lucene-issues] 20210921 [GitHub] [lucene-solr] ventry1990 opened a new pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r2835543ef0f91adcc47da72389b816e36936f584c7be584d2314fac3%40%3Cissues.lucene.apache.org%3E", }, { name: "[lucene-issues] 20210921 [GitHub] [lucene-solr] madrob 
commented on pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rf43d17ed0d1fb4fb79036b582810ef60b18b1ef3add0d5dea825af1e%40%3Cissues.lucene.apache.org%3E", }, { name: "[lucene-issues] 20210921 [GitHub] [lucene-solr] ventry1990 commented on pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rc5c6ccb86d2afe46bbd4b71573f0448dc1f87bbcd5a0d8c7f8f904b2%40%3Cissues.lucene.apache.org%3E", }, { name: "[lucene-issues] 20211007 [GitHub] [lucene-solr] madrob commented on pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r6d672b46622842e565e00f6ef6bef83eb55d8792aac2bee75bff9a2a%40%3Cissues.lucene.apache.org%3E", }, { name: "[lucene-issues] 20211009 [GitHub] [lucene-solr] ventry1990 closed pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rf4db88c22e1be9eb60c7dc623d0528642c045fb196a24774ac2fa3a3%40%3Cissues.lucene.apache.org%3E", }, { name: "[lucene-issues] 20211009 [GitHub] [lucene-solr] ventry1990 commented on pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ree942561f4620313c75982a4e5f3b74fe6f7062b073210779648eec2%40%3Cissues.lucene.apache.org%3E", }, { name: "[lucene-issues] 20211009 [GitHub] [lucene-solr] ventry1990 opened a new pull request #2579: SOLR-15269: Upgrade Apache 
HttpComponents Client to 4.5.13 to fix CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r3cecd59fba74404cbf4eb430135e1080897fb376f111406a78bed13a%40%3Cissues.lucene.apache.org%3E", }, { name: "[solr-issues] 20211011 [jira] [Commented] (SOLR-15269) upgrade httpclient to address CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r0bebe6f9808ac7bdf572873b4fa96a29c6398c90dab29f131f3ebffe%40%3Cissues.solr.apache.org%3E", }, { name: "[solr-issues] 20211011 [jira] [Resolved] (SOLR-15269) upgrade httpclient to address CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r4850b3fbaea02fde2886e461005e4af8d37c80a48b3ce2a6edca0e30%40%3Cissues.solr.apache.org%3E", }, { name: "[lucene-issues] 20211011 [GitHub] [lucene-solr] madrob merged pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ra8bc6b61c5df301a6fe5a716315528ecd17ccb8a7f907e24a47a1a5e%40%3Cissues.lucene.apache.org%3E", }, { name: "[solr-issues] 20211019 [jira] [Closed] (SOLR-15269) upgrade httpclient to address CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r0a75b8f0f72f3e18442dc56d33f3827b905f2fe5b7ba48997436f5d1%40%3Cissues.solr.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "[ranger-dev] 20211028 [jira] [Commented] (RANGER-3100) Upgrade httpclient version from 4.5.6 to 4.5.13+ due to CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: 
"https://lists.apache.org/thread.html/r69a94e2f302d1b778bdfefe90fcb4b8c50b226438c3c8c1d0de85a19%40%3Cdev.ranger.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20220210-0002/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache HttpClient", vendor: "n/a", versions: [ { status: "affected", version: "4.5.12 and prior, 5.0.2 and prior", }, ], }, ], descriptions: [ { lang: "en", value: "Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.", }, ], problemTypes: [ { descriptions: [ { description: "Improper Input Validation", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-04-19T23:21:27", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/r6dab7da30f8bf075f79ee189e33b45a197502e2676481bb8787fc0d7%40%3Cdev.hc.apache.org%3E", }, { name: "[ranger-dev] 20201204 [jira] [Assigned] (RANGER-3100) Upgrade httpclient version from 4.5.6 to 4.5.13+ due to CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rf7ca60f78f05b772cc07d27e31bcd112f9910a05caf9095e38ee150f%40%3Cdev.ranger.apache.org%3E", }, { name: "[ranger-dev] 20201204 [jira] [Updated] (RANGER-3100) Upgrade httpclient version from 4.5.6 to 4.5.13+ due to CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/rcced7ed3237c29cd19c1e9bf465d0038b8b2e967b99fc283db7ca553%40%3Cdev.ranger.apache.org%3E", }, { name: "[ranger-dev] 20201215 [jira] [Updated] (RANGER-3100) Upgrade httpclient version from 4.5.6 to 4.5.13+ due to CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r63296c45d5d84447babaf39bd1487329d8a80d8d563e67a4b6f3d8a7%40%3Cdev.ranger.apache.org%3E", }, { name: "[ranger-dev] 20201215 [jira] [Commented] (RANGER-3100) Upgrade httpclient version from 4.5.6 to 4.5.13+ due to CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r12cb62751b35bdcda0ae2a08b67877d665a1f4d41eee0fa7367169e0%40%3Cdev.ranger.apache.org%3E", }, { name: "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E", }, { name: "[ranger-dev] 20201216 [jira] [Commented] (RANGER-3100) Upgrade httpclient version from 4.5.6 to 4.5.13+ due to CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r34178ab6ef106bc940665fd3f4ba5026fac3603b3fa2aefafa0b619d%40%3Cdev.ranger.apache.org%3E", }, { name: "[lucene-solr-user] 20201229 Upgrade httpclient version due to CVE-2020-13956?", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rb725052404fabffbe093c83b2c46f3f87e12c3193a82379afbc529f8%40%3Csolr-user.lucene.apache.org%3E", }, { name: "[turbine-commits] 20210203 svn commit: r1886168 - in /turbine/core/trunk: ./ conf/ conf/test/ src/java/org/apache/turbine/services/urlmapper/ src/test/org/apache/turbine/services/urlmapper/ src/test/org/apache/turbine/services/urlmapper/model/ xdocs/howto/", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/rb33212dab7beccaf1ffef9b88610047c644f644c7a0ebdc44d77e381%40%3Ccommits.turbine.apache.org%3E", }, { name: "[hive-issues] 20210301 [jira] [Updated] (HIVE-24837) Upgrade httpclient to 4.5.13+ due to CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rfc00884c7b7ca878297bffe45fcb742c362b00b26ba37070706d44c3%40%3Cissues.hive.apache.org%3E", }, { name: "[hive-issues] 20210301 [jira] [Assigned] (HIVE-24837) Upgrade httpclient to 4.5.13+ due to CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r5fec9c1d67f928179adf484b01e7becd7c0a6fdfe3a08f92ea743b90%40%3Cissues.hive.apache.org%3E", }, { name: "[hive-gitbox] 20210301 [GitHub] [hive] hsnusonic opened a new pull request #2032: HIVE-24837 Upgrade httpclient to 4.5.13+ due to CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r2dc7930b43eadc78220d269b79e13ecd387e4bee52db67b2f47d4303%40%3Cgitbox.hive.apache.org%3E", }, { name: "[hive-dev] 20210301 [jira] [Created] (HIVE-24837) Upgrade httpclient to 4.5.13+ due to CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r043a75acdeb52b15dd5e9524cdadef4202e6a5228644206acf9363f9%40%3Cdev.hive.apache.org%3E", }, { name: "[hive-issues] 20210301 [jira] [Work logged] (HIVE-24837) Upgrade httpclient to 4.5.13+ due to CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rd5ab56beb2ac6879f6ab427bc4e5f7691aed8362d17b713f61779858%40%3Cissues.hive.apache.org%3E", }, { name: "[hive-gitbox] 20210302 [GitHub] [hive] hsnusonic closed pull request #2032: HIVE-24837 Upgrade httpclient to 4.5.13+ due to CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/rcd9ad5dda60c82ab0d0c9bd3e9cb1dc740804451fc20c7f451ef5cc4%40%3Cgitbox.hive.apache.org%3E", }, { name: "[solr-issues] 20210316 [jira] [Resolved] (SOLR-15270) upgrade httpclient to address CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/re504acd4d63b8df2a7353658f45c9a3137e5f80e41cf7de50058b2c1%40%3Cissues.solr.apache.org%3E", }, { name: "[solr-issues] 20210316 [jira] [Created] (SOLR-15269) upgrade httpclient to address CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r5de3d3808e7b5028df966e45115e006456c4e8931dc1e29036f17927%40%3Cissues.solr.apache.org%3E", }, { name: "[solr-issues] 20210316 [jira] [Created] (SOLR-15270) upgrade httpclient to address CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rae14ae25ff4a60251e3ba2629c082c5ba3851dfd4d21218b99b56652%40%3Cissues.solr.apache.org%3E", }, { name: "[maven-issues] 20210530 [jira] [Updated] (DOXIA-615) Can you provide an updated version in order to fix CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r03bbc318c81be21f5c8a9b85e34f2ecc741aa804a8e43b0ef2c37749%40%3Cissues.maven.apache.org%3E", }, { name: "[maven-issues] 20210530 [jira] [Resolved] (DOXIA-615) Can you provide an updated version in order to fix CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ra539f20ef0fb0c27ee39945b5f56bf162e5c13d1c60f7344dab8de3b%40%3Cissues.maven.apache.org%3E", }, { name: "[maven-issues] 20210530 [jira] [Closed] (DOXIA-615) Can you provide an updated version in order to fix CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r8aa1e5c343b89aec5b69961471950e862f15246cb6392910161c389b%40%3Cissues.maven.apache.org%3E", }, { name: "[drill-issues] 20210604 
[jira] [Commented] (DRILL-7946) Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r06cf3ca5c8ceb94b39cd24a73d4e96153b485a7dac88444dd876accb%40%3Cissues.drill.apache.org%3E", }, { name: "[drill-dev] 20210604 [GitHub] [drill] luocooong opened a new pull request #2250: DRILL-7946: Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rb4ba262d6f08ab9cf8b1ebbcd9b00b0368ffe90dad7ad7918b4b56fc%40%3Cdev.drill.apache.org%3E", }, { name: "[drill-dev] 20210604 [jira] [Created] (DRILL-7946) Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r55b2a1d1e9b1ec9db792b93da8f0f99a4fd5a5310b02673359d9b4d1%40%3Cdev.drill.apache.org%3E", }, { name: "[drill-issues] 20210604 [jira] [Created] (DRILL-7946) Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rea3dbf633dde5008d38bf6600a3738b9216e733e03f9ff7becf79625%40%3Cissues.drill.apache.org%3E", }, { name: "[drill-dev] 20210604 [GitHub] [drill] cgivre commented on pull request #2250: DRILL-7946: Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rc3739e0ad4bcf1888c6925233bfc37dd71156bbc8416604833095c42%40%3Cdev.drill.apache.org%3E", }, { name: "[drill-dev] 20210604 [GitHub] [drill] laurentgo merged pull request #2250: DRILL-7946: Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r9e52a6c72c8365000ecd035e48cc9fee5a677a150350d4420c46443d%40%3Cdev.drill.apache.org%3E", }, { name: "[drill-issues] 20210604 [jira] [Resolved] (DRILL-7946) Bump HttpClient from 
4.5.12 to 4.5.13 for CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rad6222134183046f3928f733bf680919e0c390739bfbfe6c90049673%40%3Cissues.drill.apache.org%3E", }, { name: "[drill-dev] 20210604 [jira] [Resolved] (DRILL-7946) Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r549ac8c159bf0c568c19670bedeb8d7c0074beded951d34b1c1d0d05%40%3Cdev.drill.apache.org%3E", }, { name: "[drill-commits] 20210604 [drill] branch master updated: DRILL-7946: Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956 (#2250)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r6eb2dae157dbc9af1f30d1f64e9c60d4ebef618f3dce4a0e32d6ea4d%40%3Ccommits.drill.apache.org%3E", }, { name: "[drill-dev] 20210604 [GitHub] [drill] luocooong commented on pull request #2250: DRILL-7946: Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/reef569c2419705754a3acf42b5f19b2a158153cef0e448158bc54917%40%3Cdev.drill.apache.org%3E", }, { name: "[creadur-commits] 20210608 [jira] [Work started] (TENTACLES-13) Upgrade httpclient to circumvent CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r3f740e4c38bba1face49078aa5cbeeb558c27be601cc9712ad2dcd1e%40%3Ccommits.creadur.apache.org%3E", }, { name: "[creadur-commits] 20210608 [jira] [Resolved] (TENTACLES-13) Upgrade httpclient to circumvent CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rfb35f6db9ba1f1e061b63769a4eff5abadcc254ebfefc280e5a0dcf1%40%3Ccommits.creadur.apache.org%3E", }, { name: "[creadur-commits] 20210608 [jira] [Commented] (TENTACLES-13) Upgrade httpclient to circumvent CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/r2a03dc210231d7e852ef73015f71792ac0fcaca6cccc024c522ef17d%40%3Ccommits.creadur.apache.org%3E", }, { name: "[creadur-commits] 20210608 [jira] [Created] (TENTACLES-13) Upgrade httpclient to circumvent CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r34efec51cb817397ccf9f86e25a75676d435ba5f83ee7b2eabdad707%40%3Ccommits.creadur.apache.org%3E", }, { name: "[creadur-commits] 20210608 [jira] [Assigned] (TENTACLES-13) Upgrade httpclient to circumvent CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r70c429923100c5a4fae8e5bc71c8a2d39af3de4888f50a0ac3755e6f%40%3Ccommits.creadur.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { name: "[maven-issues] 20210621 [jira] [Assigned] (DOXIA-615) Can you provide an updated version in order to fix CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rc990e2462ec32b09523deafb2c73606208599e196fa2d7f50bdbc587%40%3Cissues.maven.apache.org%3E", }, { name: "[creadur-dev] 20210621 [jira] [Updated] (RAT-275) Update httpclient to fix CVE-2020-13956 once a new doxia-core release is available", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r132e4c6a560cfc519caa1aaee63bdd4036327610eadbd89f76dd5457%40%3Cdev.creadur.apache.org%3E", }, { name: "[solr-issues] 20210623 [jira] [Updated] (SOLR-15270) upgrade httpclient to address CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r6a3cda38d050ebe13c1bc9a28d0a8ec38945095d07eca49046bcb89f%40%3Cissues.solr.apache.org%3E", }, { name: "[solr-issues] 20210623 [jira] [Updated] (SOLR-15269) upgrade httpclient to address CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/rc505fee574fe8d18f9b0c655a4d120b0ae21bb6a73b96003e1d9be35%40%3Cissues.solr.apache.org%3E", }, { name: "[jackrabbit-dev] 20210706 [GitHub] [jackrabbit-oak] reschke commented on pull request #310: OAK-9482: upgrade httpclient to 4.5.13", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r5b55f65c123a7481104d663a915ec45a0d103e6aaa03f42ed1c07a89%40%3Cdev.jackrabbit.apache.org%3E", }, { name: "[jackrabbit-dev] 20210706 [GitHub] [jackrabbit-oak] reschke removed a comment on pull request #310: OAK-9482: upgrade httpclient to 4.5.13", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rc0863892ccfd9fd0d0ae10091f24ee769fb39b8957fe4ebabfc11f17%40%3Cdev.jackrabbit.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "[solr-issues] 20210912 [jira] [Updated] (SOLR-15269) upgrade httpclient to address CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rfbedcb586a1e7dfce87ee03c720e583fc2ceeafa05f35c542cecc624%40%3Cissues.solr.apache.org%3E", }, { name: "[bookkeeper-issues] 20210914 [GitHub] [bookkeeper] nicoloboschi opened a new pull request #2793: Upgrade httpclient from 4.5.5 to 4.5.13 to address CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r87ddc09295c27f25471269ad0a79433a91224045988b88f0413a97ec%40%3Cissues.bookkeeper.apache.org%3E", }, { name: "[bookkeeper-issues] 20210917 [GitHub] [bookkeeper] nicoloboschi commented on pull request #2793: Upgrade httpclient from 4.5.5 to 4.5.13 to address CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rf03228972e56cb4a03e6d9558188c2938078cf3ceb23a3fead87c9ca%40%3Cissues.bookkeeper.apache.org%3E", }, { name: "[lucene-issues] 20210921 [GitHub] [lucene-solr] ventry1990 opened 
a new pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r2835543ef0f91adcc47da72389b816e36936f584c7be584d2314fac3%40%3Cissues.lucene.apache.org%3E", }, { name: "[lucene-issues] 20210921 [GitHub] [lucene-solr] madrob commented on pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rf43d17ed0d1fb4fb79036b582810ef60b18b1ef3add0d5dea825af1e%40%3Cissues.lucene.apache.org%3E", }, { name: "[lucene-issues] 20210921 [GitHub] [lucene-solr] ventry1990 commented on pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rc5c6ccb86d2afe46bbd4b71573f0448dc1f87bbcd5a0d8c7f8f904b2%40%3Cissues.lucene.apache.org%3E", }, { name: "[lucene-issues] 20211007 [GitHub] [lucene-solr] madrob commented on pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r6d672b46622842e565e00f6ef6bef83eb55d8792aac2bee75bff9a2a%40%3Cissues.lucene.apache.org%3E", }, { name: "[lucene-issues] 20211009 [GitHub] [lucene-solr] ventry1990 closed pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rf4db88c22e1be9eb60c7dc623d0528642c045fb196a24774ac2fa3a3%40%3Cissues.lucene.apache.org%3E", }, { name: "[lucene-issues] 20211009 [GitHub] [lucene-solr] ventry1990 commented on pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], 
url: "https://lists.apache.org/thread.html/ree942561f4620313c75982a4e5f3b74fe6f7062b073210779648eec2%40%3Cissues.lucene.apache.org%3E", }, { name: "[lucene-issues] 20211009 [GitHub] [lucene-solr] ventry1990 opened a new pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r3cecd59fba74404cbf4eb430135e1080897fb376f111406a78bed13a%40%3Cissues.lucene.apache.org%3E", }, { name: "[solr-issues] 20211011 [jira] [Commented] (SOLR-15269) upgrade httpclient to address CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r0bebe6f9808ac7bdf572873b4fa96a29c6398c90dab29f131f3ebffe%40%3Cissues.solr.apache.org%3E", }, { name: "[solr-issues] 20211011 [jira] [Resolved] (SOLR-15269) upgrade httpclient to address CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r4850b3fbaea02fde2886e461005e4af8d37c80a48b3ce2a6edca0e30%40%3Cissues.solr.apache.org%3E", }, { name: "[lucene-issues] 20211011 [GitHub] [lucene-solr] madrob merged pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ra8bc6b61c5df301a6fe5a716315528ecd17ccb8a7f907e24a47a1a5e%40%3Cissues.lucene.apache.org%3E", }, { name: "[solr-issues] 20211019 [jira] [Closed] (SOLR-15269) upgrade httpclient to address CVE-2020-13956", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r0a75b8f0f72f3e18442dc56d33f3827b905f2fe5b7ba48997436f5d1%40%3Cissues.solr.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "[ranger-dev] 20211028 [jira] [Commented] (RANGER-3100) Upgrade httpclient version from 4.5.6 to 4.5.13+ due to CVE-2020-13956", tags: [ 
"mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r69a94e2f302d1b778bdfefe90fcb4b8c50b226438c3c8c1d0de85a19%40%3Cdev.ranger.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20220210-0002/", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2020-13956", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache HttpClient", version: { version_data: [ { version_value: "4.5.12 and prior, 5.0.2 and prior", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Improper Input Validation", }, ], }, ], }, references: { reference_data: [ { name: "https://lists.apache.org/thread.html/r6dab7da30f8bf075f79ee189e33b45a197502e2676481bb8787fc0d7%40%3Cdev.hc.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/r6dab7da30f8bf075f79ee189e33b45a197502e2676481bb8787fc0d7%40%3Cdev.hc.apache.org%3E", }, { name: "[ranger-dev] 20201204 [jira] [Assigned] (RANGER-3100) Upgrade httpclient version from 4.5.6 to 4.5.13+ due to CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rf7ca60f78f05b772cc07d27e31bcd112f9910a05caf9095e38ee150f@%3Cdev.ranger.apache.org%3E", }, { name: "[ranger-dev] 20201204 [jira] [Updated] (RANGER-3100) Upgrade httpclient version from 
4.5.6 to 4.5.13+ due to CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rcced7ed3237c29cd19c1e9bf465d0038b8b2e967b99fc283db7ca553@%3Cdev.ranger.apache.org%3E", }, { name: "[ranger-dev] 20201215 [jira] [Updated] (RANGER-3100) Upgrade httpclient version from 4.5.6 to 4.5.13+ due to CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r63296c45d5d84447babaf39bd1487329d8a80d8d563e67a4b6f3d8a7@%3Cdev.ranger.apache.org%3E", }, { name: "[ranger-dev] 20201215 [jira] [Commented] (RANGER-3100) Upgrade httpclient version from 4.5.6 to 4.5.13+ due to CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r12cb62751b35bdcda0ae2a08b67877d665a1f4d41eee0fa7367169e0@%3Cdev.ranger.apache.org%3E", }, { name: "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E", }, { name: "[ranger-dev] 20201216 [jira] [Commented] (RANGER-3100) Upgrade httpclient version from 4.5.6 to 4.5.13+ due to CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r34178ab6ef106bc940665fd3f4ba5026fac3603b3fa2aefafa0b619d@%3Cdev.ranger.apache.org%3E", }, { name: "[lucene-solr-user] 20201229 Upgrade httpclient version due to CVE-2020-13956?", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rb725052404fabffbe093c83b2c46f3f87e12c3193a82379afbc529f8@%3Csolr-user.lucene.apache.org%3E", }, { name: "[turbine-commits] 20210203 svn commit: r1886168 - in /turbine/core/trunk: ./ conf/ conf/test/ src/java/org/apache/turbine/services/urlmapper/ src/test/org/apache/turbine/services/urlmapper/ src/test/org/apache/turbine/services/urlmapper/model/ xdocs/howto/", refsource: "MLIST", url: 
"https://lists.apache.org/thread.html/rb33212dab7beccaf1ffef9b88610047c644f644c7a0ebdc44d77e381@%3Ccommits.turbine.apache.org%3E", }, { name: "[hive-issues] 20210301 [jira] [Updated] (HIVE-24837) Upgrade httpclient to 4.5.13+ due to CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rfc00884c7b7ca878297bffe45fcb742c362b00b26ba37070706d44c3@%3Cissues.hive.apache.org%3E", }, { name: "[hive-issues] 20210301 [jira] [Assigned] (HIVE-24837) Upgrade httpclient to 4.5.13+ due to CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r5fec9c1d67f928179adf484b01e7becd7c0a6fdfe3a08f92ea743b90@%3Cissues.hive.apache.org%3E", }, { name: "[hive-gitbox] 20210301 [GitHub] [hive] hsnusonic opened a new pull request #2032: HIVE-24837 Upgrade httpclient to 4.5.13+ due to CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r2dc7930b43eadc78220d269b79e13ecd387e4bee52db67b2f47d4303@%3Cgitbox.hive.apache.org%3E", }, { name: "[hive-dev] 20210301 [jira] [Created] (HIVE-24837) Upgrade httpclient to 4.5.13+ due to CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r043a75acdeb52b15dd5e9524cdadef4202e6a5228644206acf9363f9@%3Cdev.hive.apache.org%3E", }, { name: "[hive-issues] 20210301 [jira] [Work logged] (HIVE-24837) Upgrade httpclient to 4.5.13+ due to CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rd5ab56beb2ac6879f6ab427bc4e5f7691aed8362d17b713f61779858@%3Cissues.hive.apache.org%3E", }, { name: "[hive-gitbox] 20210302 [GitHub] [hive] hsnusonic closed pull request #2032: HIVE-24837 Upgrade httpclient to 4.5.13+ due to CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rcd9ad5dda60c82ab0d0c9bd3e9cb1dc740804451fc20c7f451ef5cc4@%3Cgitbox.hive.apache.org%3E", }, { name: "[solr-issues] 20210316 [jira] [Resolved] (SOLR-15270) upgrade httpclient to address CVE-2020-13956", refsource: "MLIST", url: 
"https://lists.apache.org/thread.html/re504acd4d63b8df2a7353658f45c9a3137e5f80e41cf7de50058b2c1@%3Cissues.solr.apache.org%3E", }, { name: "[solr-issues] 20210316 [jira] [Created] (SOLR-15269) upgrade httpclient to address CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r5de3d3808e7b5028df966e45115e006456c4e8931dc1e29036f17927@%3Cissues.solr.apache.org%3E", }, { name: "[solr-issues] 20210316 [jira] [Created] (SOLR-15270) upgrade httpclient to address CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rae14ae25ff4a60251e3ba2629c082c5ba3851dfd4d21218b99b56652@%3Cissues.solr.apache.org%3E", }, { name: "[maven-issues] 20210530 [jira] [Updated] (DOXIA-615) Can you provide an updated version in order to fix CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r03bbc318c81be21f5c8a9b85e34f2ecc741aa804a8e43b0ef2c37749@%3Cissues.maven.apache.org%3E", }, { name: "[maven-issues] 20210530 [jira] [Resolved] (DOXIA-615) Can you provide an updated version in order to fix CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ra539f20ef0fb0c27ee39945b5f56bf162e5c13d1c60f7344dab8de3b@%3Cissues.maven.apache.org%3E", }, { name: "[maven-issues] 20210530 [jira] [Closed] (DOXIA-615) Can you provide an updated version in order to fix CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r8aa1e5c343b89aec5b69961471950e862f15246cb6392910161c389b@%3Cissues.maven.apache.org%3E", }, { name: "[drill-issues] 20210604 [jira] [Commented] (DRILL-7946) Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r06cf3ca5c8ceb94b39cd24a73d4e96153b485a7dac88444dd876accb@%3Cissues.drill.apache.org%3E", }, { name: "[drill-dev] 20210604 [GitHub] [drill] luocooong opened a new pull request #2250: DRILL-7946: Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956", refsource: "MLIST", url: 
"https://lists.apache.org/thread.html/rb4ba262d6f08ab9cf8b1ebbcd9b00b0368ffe90dad7ad7918b4b56fc@%3Cdev.drill.apache.org%3E", }, { name: "[drill-dev] 20210604 [jira] [Created] (DRILL-7946) Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r55b2a1d1e9b1ec9db792b93da8f0f99a4fd5a5310b02673359d9b4d1@%3Cdev.drill.apache.org%3E", }, { name: "[drill-issues] 20210604 [jira] [Created] (DRILL-7946) Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rea3dbf633dde5008d38bf6600a3738b9216e733e03f9ff7becf79625@%3Cissues.drill.apache.org%3E", }, { name: "[drill-dev] 20210604 [GitHub] [drill] cgivre commented on pull request #2250: DRILL-7946: Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rc3739e0ad4bcf1888c6925233bfc37dd71156bbc8416604833095c42@%3Cdev.drill.apache.org%3E", }, { name: "[drill-dev] 20210604 [GitHub] [drill] laurentgo merged pull request #2250: DRILL-7946: Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r9e52a6c72c8365000ecd035e48cc9fee5a677a150350d4420c46443d@%3Cdev.drill.apache.org%3E", }, { name: "[drill-issues] 20210604 [jira] [Resolved] (DRILL-7946) Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rad6222134183046f3928f733bf680919e0c390739bfbfe6c90049673@%3Cissues.drill.apache.org%3E", }, { name: "[drill-dev] 20210604 [jira] [Resolved] (DRILL-7946) Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r549ac8c159bf0c568c19670bedeb8d7c0074beded951d34b1c1d0d05@%3Cdev.drill.apache.org%3E", }, { name: "[drill-commits] 20210604 [drill] branch master updated: DRILL-7946: Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956 (#2250)", 
refsource: "MLIST", url: "https://lists.apache.org/thread.html/r6eb2dae157dbc9af1f30d1f64e9c60d4ebef618f3dce4a0e32d6ea4d@%3Ccommits.drill.apache.org%3E", }, { name: "[drill-dev] 20210604 [GitHub] [drill] luocooong commented on pull request #2250: DRILL-7946: Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/reef569c2419705754a3acf42b5f19b2a158153cef0e448158bc54917@%3Cdev.drill.apache.org%3E", }, { name: "[creadur-commits] 20210608 [jira] [Work started] (TENTACLES-13) Upgrade httpclient to circumvent CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r3f740e4c38bba1face49078aa5cbeeb558c27be601cc9712ad2dcd1e@%3Ccommits.creadur.apache.org%3E", }, { name: "[creadur-commits] 20210608 [jira] [Resolved] (TENTACLES-13) Upgrade httpclient to circumvent CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rfb35f6db9ba1f1e061b63769a4eff5abadcc254ebfefc280e5a0dcf1@%3Ccommits.creadur.apache.org%3E", }, { name: "[creadur-commits] 20210608 [jira] [Commented] (TENTACLES-13) Upgrade httpclient to circumvent CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r2a03dc210231d7e852ef73015f71792ac0fcaca6cccc024c522ef17d@%3Ccommits.creadur.apache.org%3E", }, { name: "[creadur-commits] 20210608 [jira] [Created] (TENTACLES-13) Upgrade httpclient to circumvent CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r34efec51cb817397ccf9f86e25a75676d435ba5f83ee7b2eabdad707@%3Ccommits.creadur.apache.org%3E", }, { name: "[creadur-commits] 20210608 [jira] [Assigned] (TENTACLES-13) Upgrade httpclient to circumvent CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r70c429923100c5a4fae8e5bc71c8a2d39af3de4888f50a0ac3755e6f@%3Ccommits.creadur.apache.org%3E", }, { name: "https://www.oracle.com/security-alerts/cpuApr2021.html", refsource: "MISC", url: 
"https://www.oracle.com/security-alerts/cpuApr2021.html", }, { name: "[maven-issues] 20210621 [jira] [Assigned] (DOXIA-615) Can you provide an updated version in order to fix CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rc990e2462ec32b09523deafb2c73606208599e196fa2d7f50bdbc587@%3Cissues.maven.apache.org%3E", }, { name: "[creadur-dev] 20210621 [jira] [Updated] (RAT-275) Update httpclient to fix CVE-2020-13956 once a new doxia-core release is available", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r132e4c6a560cfc519caa1aaee63bdd4036327610eadbd89f76dd5457@%3Cdev.creadur.apache.org%3E", }, { name: "[solr-issues] 20210623 [jira] [Updated] (SOLR-15270) upgrade httpclient to address CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r6a3cda38d050ebe13c1bc9a28d0a8ec38945095d07eca49046bcb89f@%3Cissues.solr.apache.org%3E", }, { name: "[solr-issues] 20210623 [jira] [Updated] (SOLR-15269) upgrade httpclient to address CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rc505fee574fe8d18f9b0c655a4d120b0ae21bb6a73b96003e1d9be35@%3Cissues.solr.apache.org%3E", }, { name: "[jackrabbit-dev] 20210706 [GitHub] [jackrabbit-oak] reschke commented on pull request #310: OAK-9482: upgrade httpclient to 4.5.13", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r5b55f65c123a7481104d663a915ec45a0d103e6aaa03f42ed1c07a89@%3Cdev.jackrabbit.apache.org%3E", }, { name: "[jackrabbit-dev] 20210706 [GitHub] [jackrabbit-oak] reschke removed a comment on pull request #310: OAK-9482: upgrade httpclient to 4.5.13", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rc0863892ccfd9fd0d0ae10091f24ee769fb39b8957fe4ebabfc11f17@%3Cdev.jackrabbit.apache.org%3E", }, { name: "https://www.oracle.com//security-alerts/cpujul2021.html", refsource: "MISC", url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "[solr-issues] 20210912 [jira] [Updated] (SOLR-15269) 
upgrade httpclient to address CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rfbedcb586a1e7dfce87ee03c720e583fc2ceeafa05f35c542cecc624@%3Cissues.solr.apache.org%3E", }, { name: "[bookkeeper-issues] 20210914 [GitHub] [bookkeeper] nicoloboschi opened a new pull request #2793: Upgrade httpclient from 4.5.5 to 4.5.13 to address CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r87ddc09295c27f25471269ad0a79433a91224045988b88f0413a97ec@%3Cissues.bookkeeper.apache.org%3E", }, { name: "[bookkeeper-issues] 20210917 [GitHub] [bookkeeper] nicoloboschi commented on pull request #2793: Upgrade httpclient from 4.5.5 to 4.5.13 to address CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rf03228972e56cb4a03e6d9558188c2938078cf3ceb23a3fead87c9ca@%3Cissues.bookkeeper.apache.org%3E", }, { name: "[lucene-issues] 20210921 [GitHub] [lucene-solr] ventry1990 opened a new pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r2835543ef0f91adcc47da72389b816e36936f584c7be584d2314fac3@%3Cissues.lucene.apache.org%3E", }, { name: "[lucene-issues] 20210921 [GitHub] [lucene-solr] madrob commented on pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rf43d17ed0d1fb4fb79036b582810ef60b18b1ef3add0d5dea825af1e@%3Cissues.lucene.apache.org%3E", }, { name: "[lucene-issues] 20210921 [GitHub] [lucene-solr] ventry1990 commented on pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rc5c6ccb86d2afe46bbd4b71573f0448dc1f87bbcd5a0d8c7f8f904b2@%3Cissues.lucene.apache.org%3E", }, { name: "[lucene-issues] 20211007 [GitHub] [lucene-solr] madrob commented on pull request #2579: SOLR-15269: 
Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r6d672b46622842e565e00f6ef6bef83eb55d8792aac2bee75bff9a2a@%3Cissues.lucene.apache.org%3E", }, { name: "[lucene-issues] 20211009 [GitHub] [lucene-solr] ventry1990 closed pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rf4db88c22e1be9eb60c7dc623d0528642c045fb196a24774ac2fa3a3@%3Cissues.lucene.apache.org%3E", }, { name: "[lucene-issues] 20211009 [GitHub] [lucene-solr] ventry1990 commented on pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ree942561f4620313c75982a4e5f3b74fe6f7062b073210779648eec2@%3Cissues.lucene.apache.org%3E", }, { name: "[lucene-issues] 20211009 [GitHub] [lucene-solr] ventry1990 opened a new pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r3cecd59fba74404cbf4eb430135e1080897fb376f111406a78bed13a@%3Cissues.lucene.apache.org%3E", }, { name: "[solr-issues] 20211011 [jira] [Commented] (SOLR-15269) upgrade httpclient to address CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r0bebe6f9808ac7bdf572873b4fa96a29c6398c90dab29f131f3ebffe@%3Cissues.solr.apache.org%3E", }, { name: "[solr-issues] 20211011 [jira] [Resolved] (SOLR-15269) upgrade httpclient to address CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r4850b3fbaea02fde2886e461005e4af8d37c80a48b3ce2a6edca0e30@%3Cissues.solr.apache.org%3E", }, { name: "[lucene-issues] 20211011 [GitHub] [lucene-solr] madrob merged pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956", refsource: "MLIST", url: 
"https://lists.apache.org/thread.html/ra8bc6b61c5df301a6fe5a716315528ecd17ccb8a7f907e24a47a1a5e@%3Cissues.lucene.apache.org%3E", }, { name: "[solr-issues] 20211019 [jira] [Closed] (SOLR-15269) upgrade httpclient to address CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r0a75b8f0f72f3e18442dc56d33f3827b905f2fe5b7ba48997436f5d1@%3Cissues.solr.apache.org%3E", }, { name: "https://www.oracle.com/security-alerts/cpuoct2021.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "[ranger-dev] 20211028 [jira] [Commented] (RANGER-3100) Upgrade httpclient version from 4.5.6 to 4.5.13+ due to CVE-2020-13956", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r69a94e2f302d1b778bdfefe90fcb4b8c50b226438c3c8c1d0de85a19@%3Cdev.ranger.apache.org%3E", }, { name: "https://www.oracle.com/security-alerts/cpujan2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { name: "https://www.oracle.com/security-alerts/cpuapr2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { name: "https://security.netapp.com/advisory/ntap-20220210-0002/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20220210-0002/", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2020-13956", datePublished: "2020-12-02T16:20:12", dateReserved: "2020-06-08T00:00:00", dateUpdated: "2024-08-04T12:32:14.610Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-6394
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://access.redhat.com/errata/RHSA-2023:7612 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2023:7700 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/security/cve/CVE-2023-6394 | vdb-entry, x_refsource_REDHAT | |
https://bugzilla.redhat.com/show_bug.cgi?id=2252197 | issue-tracking, x_refsource_REDHAT |
Vendor | Product | Version | |||||||
---|---|---|---|---|---|---|---|---|---|
▼ | Red Hat | Red Hat build of Quarkus 2.13.9.Final |
Unaffected: 2.13.9.Final-redhat-00002 < * cpe:/a:redhat:quarkus:2.13 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T08:28:21.766Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2023:7612", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:7612", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2023-6394", }, { name: "RHBZ#2252197", tags: [ "issue-tracking", "x_refsource_REDHAT", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2252197", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-6394", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-08-28T14:24:22.279522Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-08-28T14:25:33.171Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:quarkus:2.13", ], defaultStatus: "affected", packageName: "io.quarkus/quarkus-smallrye-graphql", product: "Red Hat build of Quarkus 2.13.9.Final", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "2.13.9.Final-redhat-00002", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:quarkus:3.2::el8", ], defaultStatus: "affected", packageName: "io.quarkus/quarkus-smallrye-graphql", product: "Red Hat build of Quarkus 3.2.9.Final", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "3.2.9.Final-redhat-00002", versionType: "rpm", }, ], }, ], datePublic: "2023-12-08T00:00:00+00:00", descriptions: [ { lang: "en", value: "A flaw was found in Quarkus. 
This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and functionality outside of normal granted API permissions.", }, ], metrics: [ { other: { content: { namespace: "https://access.redhat.com/security/updates/classification/", value: "Important", }, type: "Red Hat severity rating", }, }, { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, format: "CVSS", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-862", description: "Missing Authorization", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-11-23T03:30:49.525Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2023:7612", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:7612", }, { name: "RHSA-2023:7700", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:7700", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", ], url: "https://access.redhat.com/security/cve/CVE-2023-6394", }, { name: "RHBZ#2252197", tags: [ "issue-tracking", "x_refsource_REDHAT", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2252197", }, ], timeline: [ { lang: "en", time: "2023-11-30T00:00:00+00:00", value: "Reported to Red Hat.", }, { lang: "en", time: "2023-12-08T00:00:00+00:00", value: "Made public.", }, ], title: "Quarkus: graphql operations over websockets bypass", x_redhatCweChain: "CWE-696->CWE-862: Incorrect Behavior Order leads to Missing Authorization", }, }, 
cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2023-6394", datePublished: "2023-12-09T01:26:52.908Z", dateReserved: "2023-11-30T04:05:52.129Z", dateUpdated: "2024-11-23T03:30:49.525Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-0981
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=2062520 | x_refsource_MISC | |
https://github.com/quarkusio/quarkus/issues/23269 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T23:47:43.241Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2062520", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/quarkusio/quarkus/issues/23269", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "quarkus", vendor: "n/a", versions: [ { status: "affected", version: "quarkus 2.7.1.Final", }, ], }, ], descriptions: [ { lang: "en", value: "A flaw was found in Quarkus. The state and potentially associated permissions can leak from one web request to another in RestEasy Reactive. This flaw allows a low-privileged user to perform operations on the database with a different set of privileges than intended.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-863", description: "CWE-863", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-03-23T19:46:41", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2062520", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/quarkusio/quarkus/issues/23269", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2022-0981", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "quarkus", version: { version_data: [ { version_value: "quarkus 2.7.1.Final", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A flaw was found in Quarkus. The state and potentially associated permissions can leak from one web request to another in RestEasy Reactive. 
This flaw allows a low-privileged user to perform operations on the database with a different set of privileges than intended.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-863", }, ], }, ], }, references: { reference_data: [ { name: "https://bugzilla.redhat.com/show_bug.cgi?id=2062520", refsource: "MISC", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2062520", }, { name: "https://github.com/quarkusio/quarkus/issues/23269", refsource: "MISC", url: "https://github.com/quarkusio/quarkus/issues/23269", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2022-0981", datePublished: "2022-03-23T19:46:41", dateReserved: "2022-03-15T00:00:00", dateUpdated: "2024-08-02T23:47:43.241Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-2471
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://www.oracle.com/security-alerts/cpuoct2021.html | x_refsource_MISC | |
https://www.oracle.com/security-alerts/cpuapr2022.html | x_refsource_MISC |
Vendor | Product | Version | ||
---|---|---|---|---|
Oracle Corporation | MySQL Connectors |
Version: 8.0.26 and prior |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T16:45:50.684Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2021-2471", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-25T19:15:14.455458Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-25T19:39:53.220Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "MySQL Connectors", vendor: "Oracle Corporation", versions: [ { status: "affected", version: "8.0.26 and prior", }, ], }, ], descriptions: [ { lang: "en", value: "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). 
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H).", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { description: "Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors.", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-04-19T20:36:38", orgId: "43595867-4340-4103-b7a2-9a5208d29a85", shortName: "oracle", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert_us@oracle.com", ID: "CVE-2021-2471", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "MySQL Connectors", version: { version_data: [ { version_affected: "=", version_value: "8.0.26 and prior", }, ], }, }, ], }, vendor_name: "Oracle Corporation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. 
Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H).", }, ], }, impact: { cvss: { baseScore: "5.9", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors.", }, ], }, ], }, references: { reference_data: [ { name: "https://www.oracle.com/security-alerts/cpuoct2021.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "https://www.oracle.com/security-alerts/cpuapr2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "43595867-4340-4103-b7a2-9a5208d29a85", assignerShortName: "oracle", cveId: "CVE-2021-2471", datePublished: "2021-10-20T10:49:38", dateReserved: "2020-12-09T00:00:00", dateUpdated: "2024-09-25T19:39:53.220Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-21363
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://www.oracle.com/security-alerts/cpujan2022.html | x_refsource_MISC |
Vendor | Product | Version | ||
---|---|---|---|---|
Oracle Corporation | MySQL Connectors |
Version: 8.0.27 and prior |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T02:38:55.579Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2022-21363", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-09-24T17:38:01.377149Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-24T20:18:47.834Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "MySQL Connectors", vendor: "Oracle Corporation", versions: [ { status: "affected", version: "8.0.27 and prior", }, ], }, ], descriptions: [ { lang: "en", value: "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). 
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.6, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { description: "Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors.", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-01-19T11:25:43", orgId: "43595867-4340-4103-b7a2-9a5208d29a85", shortName: "oracle", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert_us@oracle.com", ID: "CVE-2022-21363", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "MySQL Connectors", version: { version_data: [ { version_affected: "=", version_value: "8.0.27 and prior", }, ], }, }, ], }, vendor_name: "Oracle Corporation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). 
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).", }, ], }, impact: { cvss: { baseScore: "6.6", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors.", }, ], }, ], }, references: { reference_data: [ { name: "https://www.oracle.com/security-alerts/cpujan2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "43595867-4340-4103-b7a2-9a5208d29a85", assignerShortName: "oracle", cveId: "CVE-2022-21363", datePublished: "2022-01-19T11:25:44", dateReserved: "2021-11-15T00:00:00", dateUpdated: "2024-09-24T20:18:47.834Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-29429
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8 | x_refsource_CONFIRM | |
https://docs.gradle.org/7.0/release-notes.html#security-advisories | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T22:02:51.929Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://docs.gradle.org/7.0/release-notes.html#security-advisories", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "gradle", vendor: "gradle", versions: [ { status: "affected", version: "< 7.0", }, ], }, ], descriptions: [ { lang: "en", value: "In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded into the system temporary directory first. Sensitive information contained in these files can be exposed to other local users on the same system. If you do not use the `TextResourceFactory` API, you are not vulnerable. As of Gradle 7.0, uses of the system temporary directory have been moved to the Gradle User Home directory. By default, this directory is restricted to the user running the build. As a workaround, set a more restrictive umask that removes read access to other users. When files are created in the system temporary directory, they will not be accessible to other users. If you are unable to change your system's umask, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. 
The new path needs to limit permissions to the build user only.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-377", description: "CWE-377 Insecure Temporary File", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-04-12T21:30:12", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8", }, { tags: [ "x_refsource_MISC", ], url: "https://docs.gradle.org/7.0/release-notes.html#security-advisories", }, ], source: { advisory: "GHSA-fp8h-qmr5-j4c8", discovery: "UNKNOWN", }, title: "Information disclosure through temporary directory permissions", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security-advisories@github.com", ID: "CVE-2021-29429", STATE: "PUBLIC", TITLE: "Information disclosure through temporary directory permissions", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "gradle", version: { version_data: [ { version_value: "< 7.0", }, ], }, }, ], }, vendor_name: "gradle", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded into the system temporary directory first. 
Sensitive information contained in these files can be exposed to other local users on the same system. If you do not use the `TextResourceFactory` API, you are not vulnerable. As of Gradle 7.0, uses of the system temporary directory have been moved to the Gradle User Home directory. By default, this directory is restricted to the user running the build. As a workaround, set a more restrictive umask that removes read access to other users. When files are created in the system temporary directory, they will not be accessible to other users. If you are unable to change your system's umask, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only.", }, ], }, impact: { cvss: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-377 Insecure Temporary File", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8", refsource: "CONFIRM", url: "https://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8", }, { name: "https://docs.gradle.org/7.0/release-notes.html#security-advisories", refsource: "MISC", url: "https://docs.gradle.org/7.0/release-notes.html#security-advisories", }, ], }, source: { advisory: "GHSA-fp8h-qmr5-j4c8", discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2021-29429", datePublished: "2021-04-12T21:30:12", dateReserved: "2021-03-30T00:00:00", dateUpdated: "2024-08-03T22:02:51.929Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", 
dataVersion: "5.1", }
cve-2021-28170
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://github.com/eclipse-ee4j/el-ri/issues/155 | x_refsource_CONFIRM | |
https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/ | x_refsource_CONFIRM | |
https://www.oracle.com/security-alerts/cpuapr2022.html | x_refsource_MISC |
Vendor | Product | Version | ||
---|---|---|---|---|
The Eclipse Foundation | Jakarta Expression Language Implementation |
Version: unspecified <= 3.0.3 (affected); next of 3.0.3: status unknown |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T21:40:12.240Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/eclipse-ee4j/el-ri/issues/155", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Jakarta Expression Language Implementation", vendor: "The Eclipse Foundation", versions: [ { lessThanOrEqual: "3.0.3", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "unspecified", status: "unknown", version: "next of 3.0.3", versionType: "custom", }, ], }, ], descriptions: [ { lang: "en", value: "In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-20", description: "CWE-20: Improper Input Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-04-19T23:54:35", orgId: "e51fbebd-6053-4e49-959f-1b94eeb69a2c", shortName: "eclipse", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/eclipse-ee4j/el-ri/issues/155", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@eclipse.org", ID: "CVE-2021-28170", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Jakarta Expression Language Implementation", version: { version_data: [ { version_affected: 
"<=", version_value: "3.0.3", }, { version_affected: "?>", version_value: "3.0.3", }, ], }, }, ], }, vendor_name: "The Eclipse Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-20: Improper Input Validation", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/eclipse-ee4j/el-ri/issues/155", refsource: "CONFIRM", url: "https://github.com/eclipse-ee4j/el-ri/issues/155", }, { name: "https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/", refsource: "CONFIRM", url: "https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/", }, { name: "https://www.oracle.com/security-alerts/cpuapr2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "e51fbebd-6053-4e49-959f-1b94eeb69a2c", assignerShortName: "eclipse", cveId: "CVE-2021-28170", datePublished: "2021-05-26T21:55:09", dateReserved: "2021-03-12T00:00:00", dateUpdated: "2024-08-03T21:40:12.240Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-42003
Vulnerability from cvelistv5
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T12:56:39.107Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/FasterXML/jackson-databind/issues/3590", }, { tags: [ "x_transferred", ], url: "https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33", }, { tags: [ "x_transferred", ], url: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020", }, { name: "GLSA-202210-21", tags: [ "vendor-advisory", "x_transferred", ], url: "https://security.gentoo.org/glsa/202210-21", }, { name: "DSA-5283", tags: [ "vendor-advisory", "x_transferred", ], url: "https://www.debian.org/security/2022/dsa-5283", }, { tags: [ "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20221124-0004/", }, { name: "[debian-lts-announce] 20221127 [SECURITY] [DLA 3207-1] jackson-databind security update", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2023-12-20T09:33:08.256001", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { url: "https://github.com/FasterXML/jackson-databind/issues/3590", }, { url: "https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33", }, { url: 
"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020", }, { name: "GLSA-202210-21", tags: [ "vendor-advisory", ], url: "https://security.gentoo.org/glsa/202210-21", }, { name: "DSA-5283", tags: [ "vendor-advisory", ], url: "https://www.debian.org/security/2022/dsa-5283", }, { url: "https://security.netapp.com/advisory/ntap-20221124-0004/", }, { name: "[debian-lts-announce] 20221127 [SECURITY] [DLA 3207-1] jackson-databind security update", tags: [ "mailing-list", ], url: "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html", }, ], }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2022-42003", datePublished: "2022-10-02T00:00:00", dateReserved: "2022-10-02T00:00:00", dateUpdated: "2024-08-03T12:56:39.107Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-38153
Vulnerability from cvelistv5
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache Kafka |
Version: Apache Kafka 2.0.x <= 2.0.1 | Apache Kafka 2.1.x <= 2.1.1 | Apache Kafka 2.2.x <= 2.2.2 | Apache Kafka 2.3.x <= 2.3.1 | Apache Kafka 2.4.x <= 2.4.1 | Apache Kafka 2.5.x <= 2.5.1 | Apache Kafka 2.6.x <= 2.6.2 | Apache Kafka 2.7.x <= 2.7.1 | Apache Kafka 2.8.x <= 2.8.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T01:37:15.929Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://kafka.apache.org/cve-list", }, { name: "[kafka-dev] 20211007 Re: CVE Back Port?", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c%40%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-dev] 20211012 [VOTE] 2.6.3 RC0", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-users] 20211012 [VOTE] 2.6.3 RC0", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cusers.kafka.apache.org%3E", }, { name: "[kafka-users] 20211012 [VOTE] 2.7.2 RC0", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cusers.kafka.apache.org%3E", }, { name: "[kafka-dev] 20211012 [VOTE] 2.7.2 RC0", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-users] 20211026 Re: [kafka-clients] [VOTE] 2.7.2 RC0", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cusers.kafka.apache.org%3E", }, { name: "[kafka-dev] 20211026 Re: [kafka-clients] [VOTE] 2.7.2 RC0", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: 
"https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cdev.kafka.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Kafka", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "2.0.1", status: "affected", version: "Apache Kafka 2.0.x", versionType: "custom", }, { lessThanOrEqual: "2.1.1", status: "affected", version: "Apache Kafka 2.1.x", versionType: "custom", }, { lessThanOrEqual: "2.2.2", status: "affected", version: "Apache Kafka 2.2.x", versionType: "custom", }, { lessThanOrEqual: "2.3.1", status: "affected", version: "Apache Kafka 2.3.x", versionType: "custom", }, { lessThanOrEqual: "2.4.1", status: "affected", version: "Apache Kafka 2.4.x", versionType: "custom", }, { lessThanOrEqual: "2.5.1", status: "affected", version: "Apache Kafka 2.5.x", versionType: "custom", }, { lessThanOrEqual: "2.6.2", status: "affected", version: "Apache Kafka 2.6.x", versionType: "custom", }, { lessThanOrEqual: "2.7.1", status: "affected", version: "Apache Kafka 2.7.x", versionType: "custom", }, { lessThanOrEqual: "2.8.0", status: "affected", version: "Apache Kafka 2.8.x", versionType: "custom", }, ], }, ], credits: [ { lang: "en", value: "Apache Kafka would like to thank J. Santilli for reporting this issue.", }, ], descriptions: [ { lang: "en", value: "Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. 
Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.", }, ], metrics: [ { other: { content: { other: "moderate", }, type: "unknown", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-203", description: "CWE-203 Observable Discrepancy", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-07-25T16:31:36", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://kafka.apache.org/cve-list", }, { name: "[kafka-dev] 20211007 Re: CVE Back Port?", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c%40%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-dev] 20211012 [VOTE] 2.6.3 RC0", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-users] 20211012 [VOTE] 2.6.3 RC0", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cusers.kafka.apache.org%3E", }, { name: "[kafka-users] 20211012 [VOTE] 2.7.2 RC0", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cusers.kafka.apache.org%3E", }, { name: "[kafka-dev] 20211012 [VOTE] 2.7.2 RC0", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-users] 20211026 Re: [kafka-clients] [VOTE] 2.7.2 RC0", tags: [ "mailing-list", 
"x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cusers.kafka.apache.org%3E", }, { name: "[kafka-dev] 20211026 Re: [kafka-clients] [VOTE] 2.7.2 RC0", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cdev.kafka.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, ], source: { discovery: "UNKNOWN", }, title: "Timing Attack Vulnerability for Apache Kafka Connect and Clients", x_generator: { engine: "Vulnogram 0.0.9", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2021-38153", STATE: "PUBLIC", TITLE: "Timing Attack Vulnerability for Apache Kafka Connect and Clients", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Kafka", version: { version_data: [ { version_affected: "<=", version_name: "Apache Kafka 2.0.x", version_value: "2.0.1", }, { version_affected: "<=", version_name: "Apache Kafka 2.1.x", version_value: "2.1.1", }, { version_affected: "<=", version_name: "Apache Kafka 2.2.x", version_value: "2.2.2", }, { version_affected: "<=", version_name: "Apache Kafka 2.3.x", version_value: "2.3.1", }, { version_affected: "<=", version_name: "Apache Kafka 2.4.x", version_value: "2.4.1", }, { version_affected: "<=", version_name: "Apache Kafka 2.5.x", version_value: "2.5.1", }, { version_affected: "<=", version_name: "Apache Kafka 2.6.x", version_value: "2.6.2", }, { version_affected: "<=", version_name: "Apache Kafka 2.7.x", version_value: "2.7.1", }, { version_affected: "<=", version_name: "Apache Kafka 2.8.x", version_value: "2.8.0", }, ], }, }, ], }, 
vendor_name: "Apache Software Foundation", }, ], }, }, credit: [ { lang: "eng", value: "Apache Kafka would like to thank J. Santilli for reporting this issue.", }, ], data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.", }, ], }, generator: { engine: "Vulnogram 0.0.9", }, impact: [ { other: "moderate", }, ], problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-203 Observable Discrepancy", }, ], }, ], }, references: { reference_data: [ { name: "https://kafka.apache.org/cve-list", refsource: "MISC", url: "https://kafka.apache.org/cve-list", }, { name: "[kafka-dev] 20211007 Re: CVE Back Port?", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c@%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-dev] 20211012 [VOTE] 2.6.3 RC0", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be@%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-users] 20211012 [VOTE] 2.6.3 RC0", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be@%3Cusers.kafka.apache.org%3E", }, { name: "[kafka-users] 20211012 [VOTE] 2.7.2 RC0", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6@%3Cusers.kafka.apache.org%3E", }, { name: "[kafka-dev] 20211012 [VOTE] 2.7.2 RC0", 
refsource: "MLIST", url: "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6@%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-users] 20211026 Re: [kafka-clients] [VOTE] 2.7.2 RC0", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c@%3Cusers.kafka.apache.org%3E", }, { name: "[kafka-dev] 20211026 Re: [kafka-clients] [VOTE] 2.7.2 RC0", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c@%3Cdev.kafka.apache.org%3E", }, { name: "https://www.oracle.com/security-alerts/cpujan2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { name: "https://www.oracle.com/security-alerts/cpuapr2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { name: "https://www.oracle.com/security-alerts/cpujul2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, ], }, source: { discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2021-38153", datePublished: "2021-09-22T09:05:11", dateReserved: "2021-08-06T00:00:00", dateUpdated: "2024-08-04T01:37:15.929Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-25633
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25633 | x_refsource_CONFIRM |
Vendor | Product | Version | ||
---|---|---|---|---|
Red Hat | resteasy-client |
Version: through 4.5.6 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T15:40:35.457Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25633", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "resteasy-client", vendor: "Red Hat", versions: [ { status: "affected", version: "through 4.5.6 ", }, ], }, ], descriptions: [ { lang: "en", value: "A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. It may allow client users to obtain the server's potentially sensitive information when the server got WebApplicationException from the RESTEasy client call. The highest threat from this vulnerability is to data confidentiality.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-209", description: "CWE-209", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2020-09-18T18:10:44", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25633", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2020-25633", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "resteasy-client", version: { version_data: [ { version_value: "through 4.5.6 ", }, ], }, }, ], }, vendor_name: "Red Hat", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: 
"A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. It may allow client users to obtain the server's potentially sensitive information when the server got WebApplicationException from the RESTEasy client call. The highest threat from this vulnerability is to data confidentiality.", }, ], }, impact: { cvss: [ [ { vectorString: "5.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, ], ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-209", }, ], }, ], }, references: { reference_data: [ { name: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25633", refsource: "CONFIRM", url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25633", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2020-25633", datePublished: "2020-09-18T18:10:44", dateReserved: "2020-09-16T00:00:00", dateUpdated: "2024-08-04T15:40:35.457Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-4116
Vulnerability from cvelistv5
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T01:27:54.507Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2022-4116", }, ], title: "CVE Program Container", }, { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2022-4116", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-04-29T16:17:33.189469Z", version: "2.0.3", }, type: "ssvc", }, }, ], problemTypes: [ { descriptions: [ { description: "CWE-noinfo Not enough information", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-04-29T16:18:16.345Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "quarkus", vendor: "n/a", versions: [ { status: "affected", version: "quarkus-2", }, ], }, ], descriptions: [ { lang: "en", value: "A vulnerability was found in quarkus. 
This security flaw happens in the Dev UI Config Editor, which is vulnerable to drive-by localhost attacks leading to remote code execution.", }, ], problemTypes: [ { descriptions: [ { description: "Remote Code Execution", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-11-22T00:00:00.000Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { url: "https://access.redhat.com/security/cve/CVE-2022-4116", }, ], }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2022-4116", datePublished: "2022-11-22T00:00:00.000Z", dateReserved: "2022-11-22T00:00:00.000Z", dateUpdated: "2025-04-29T16:18:16.345Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-21409
Vulnerability from cvelistv5
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T18:09:16.144Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432", }, { name: "DSA-4885", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2021/dsa-4885", }, { name: "[zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de%40%3Cdev.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210408 [jira] [Comment Edited] (ZOOKEEPER-4278) 
dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210408 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] ayushmantri opened a new pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210408 [jira] [Updated] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] arshadmohammad commented on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210408 [zookeeper] branch master updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final 
CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101%40%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210408 [jira] [Resolved] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210408 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5%40%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210408 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355%40%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210408 [jira] [Assigned] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] asfgit closed pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: 
"https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210408 [zookeeper] 01/02: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e%40%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210409 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[pulsar-commits] 20210419 [GitHub] [pulsar] lhotari opened a new pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35%40%3Ccommits.pulsar.apache.org%3E", }, { name: "[pulsar-commits] 20210419 [GitHub] [pulsar] lhotari commented on pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8%40%3Ccommits.pulsar.apache.org%3E", }, { name: "[pulsar-commits] 20210420 [GitHub] [pulsar] eolivelli merged pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed%40%3Ccommits.pulsar.apache.org%3E", }, { name: "[flink-issues] 20210424 
[jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a%40%3Cissues.flink.apache.org%3E", }, { name: "[flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898%40%3Cdev.flink.apache.org%3E", }, { name: "[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E", }, { name: "[flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. 
thx", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324%40%3Cissues.flink.apache.org%3E", }, { name: "[kafka-jira] 20210506 [GitHub] [kafka] dongjinleekr opened a new pull request #10642: KAFKA-12756: Update Zookeeper to 3.6.3 or higher", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa%40%3Cjira.kafka.apache.org%3E", }, { name: "[flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e%40%3Cissues.flink.apache.org%3E", }, { name: "[zookeeper-issues] 20210517 [jira] [Updated] (ZOOKEEPER-4295) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210517 [jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-dev] 20210517 [jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: 
"https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575%40%3Cdev.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210517 [GitHub] [zookeeper] gpiyush-dev opened a new pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210521 [GitHub] [zookeeper] maoling commented on pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c%40%3Cissues.flink.apache.org%3E", }, { name: "[flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. 
thx", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5%40%3Cissues.flink.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20210604-0003/", }, { name: "[zookeeper-issues] 20210727 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210727 [jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210727 [GitHub] [zookeeper] sandipbhattacharya commented on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc%40%3Cissues.kudu.apache.org%3E", }, { name: "[kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a 
CVE-2021-21409 vulnerability in netty version 4.1.60", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3%40%3Cissues.kudu.apache.org%3E", }, { name: "[kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b%40%3Cissues.kudu.apache.org%3E", }, { name: "[kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb%40%3Cissues.kudu.apache.org%3E", }, { name: "[kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d%40%3Cissues.kudu.apache.org%3E", }, { name: "[zookeeper-issues] 20210922 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210923 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 
20210923 [jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-dev] 20210923 [jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362%40%3Cdev.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210923 [jira] [Assigned] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210923 [jira] [Updated] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210924 [jira] [Resolved] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210924 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4385. 
Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2%40%3Ccommits.zookeeper.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "netty", vendor: "netty", versions: [ { status: "affected", version: "< 4.1.61.Final", }, ], }, ], descriptions: [ { lang: "en", value: "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, whose fix did not cover this one case. 
This was fixed as part of 4.1.61.Final.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-444", description: "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-04-19T23:24:02", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj", }, { tags: [ "x_refsource_MISC", ], url: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432", }, { name: "DSA-4885", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2021/dsa-4885", }, { name: "[zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de%40%3Cdev.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210408 [jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210408 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] ayushmantri opened a new pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210408 [jira] [Updated] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] arshadmohammad commented 
on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210408 [zookeeper] branch master updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101%40%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210408 [jira] [Resolved] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210408 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5%40%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210408 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355%40%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210408 [jira] [Assigned] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] asfgit closed pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210408 [zookeeper] 01/02: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e%40%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210409 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[pulsar-commits] 20210419 [GitHub] [pulsar] lhotari opened a new pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35%40%3Ccommits.pulsar.apache.org%3E", }, { name: "[pulsar-commits] 20210419 [GitHub] [pulsar] lhotari commented on pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8%40%3Ccommits.pulsar.apache.org%3E", }, { name: "[pulsar-commits] 20210420 [GitHub] [pulsar] eolivelli merged pull request 
#10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed%40%3Ccommits.pulsar.apache.org%3E", }, { name: "[flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a%40%3Cissues.flink.apache.org%3E", }, { name: "[flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898%40%3Cdev.flink.apache.org%3E", }, { name: "[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E", }, { name: "[flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. 
thx", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324%40%3Cissues.flink.apache.org%3E", }, { name: "[kafka-jira] 20210506 [GitHub] [kafka] dongjinleekr opened a new pull request #10642: KAFKA-12756: Update Zookeeper to 3.6.3 or higher", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa%40%3Cjira.kafka.apache.org%3E", }, { name: "[flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e%40%3Cissues.flink.apache.org%3E", }, { name: "[zookeeper-issues] 20210517 [jira] [Updated] (ZOOKEEPER-4295) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210517 [jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-dev] 20210517 [jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575%40%3Cdev.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210517 [GitHub] [zookeeper] gpiyush-dev opened a new pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210521 [GitHub] [zookeeper] maoling commented on pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c%40%3Cissues.flink.apache.org%3E", }, { name: "[flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. 
thx", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5%40%3Cissues.flink.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20210604-0003/", }, { name: "[zookeeper-issues] 20210727 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210727 [jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210727 [GitHub] [zookeeper] sandipbhattacharya commented on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc%40%3Cissues.kudu.apache.org%3E", }, { name: "[kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3%40%3Cissues.kudu.apache.org%3E", }, { name: "[kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b%40%3Cissues.kudu.apache.org%3E", }, { name: "[kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb%40%3Cissues.kudu.apache.org%3E", }, { name: "[kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d%40%3Cissues.kudu.apache.org%3E", }, { name: "[zookeeper-issues] 20210922 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210923 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210923 [jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-dev] 20210923 [jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362%40%3Cdev.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210923 [jira] [Assigned] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210923 [jira] [Updated] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210924 [jira] [Resolved] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210924 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4385. 
Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2%40%3Ccommits.zookeeper.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, ], source: { advisory: "GHSA-f256-j965-7f32", discovery: "UNKNOWN", }, title: "Possible request smuggling in HTTP/2 due to missing validation of content-length", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security-advisories@github.com", ID: "CVE-2021-21409", STATE: "PUBLIC", TITLE: "Possible request smuggling in HTTP/2 due to missing validation of content-length", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "netty", version: { version_data: [ { version_value: "< 4.1.61.Final", }, ], }, }, ], }, vendor_name: "netty", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream flag set to true. 
This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up to GHSA-wm47-8v5p-wjpj/CVE-2021-21295, whose fix missed this one case. This was fixed as part of 4.1.61.Final.", }, ], }, impact: { cvss: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32", refsource: "CONFIRM", url: "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32", }, { name: "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj", refsource: "MISC", url: "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj", }, { name: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295", refsource: "MISC", url: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295", }, { name: "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432", refsource: "MISC", url: "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432", }, { name: "DSA-4885", refsource: "DEBIAN", url: "https://www.debian.org/security/2021/dsa-4885", }, { name: "[zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de@%3Cdev.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210407 [jira] [Assigned] 
(ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210408 [jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210408 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] ayushmantri opened a new pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9@%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210408 [jira] [Updated] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] arshadmohammad commented on pull request #1678: 
ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795@%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210408 [zookeeper] branch master updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101@%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210408 [jira] [Resolved] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210408 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5@%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210408 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355@%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210408 [jira] [Assigned] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] asfgit closed pull request #1678: ZOOKEEPER-4278: 
dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", refsource: "MLIST", url: "https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39@%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210408 [zookeeper] 01/02: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e@%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210409 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219@%3Cissues.zookeeper.apache.org%3E", }, { name: "[pulsar-commits] 20210419 [GitHub] [pulsar] lhotari opened a new pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35@%3Ccommits.pulsar.apache.org%3E", }, { name: "[pulsar-commits] 20210419 [GitHub] [pulsar] lhotari commented on pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8@%3Ccommits.pulsar.apache.org%3E", }, { name: "[pulsar-commits] 20210420 [GitHub] [pulsar] eolivelli merged pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed@%3Ccommits.pulsar.apache.org%3E", }, { name: "[flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . 
There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a@%3Cissues.flink.apache.org%3E", }, { name: "[flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898@%3Cdev.flink.apache.org%3E", }, { name: "[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E", }, { name: "[flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", refsource: "MLIST", url: "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324@%3Cissues.flink.apache.org%3E", }, { name: "[kafka-jira] 20210506 [GitHub] [kafka] dongjinleekr opened a new pull request #10642: KAFKA-12756: Update Zookeeper to 3.6.3 or higher", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa@%3Cjira.kafka.apache.org%3E", }, { name: "[flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. 
thx", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e@%3Cissues.flink.apache.org%3E", }, { name: "[zookeeper-issues] 20210517 [jira] [Updated] (ZOOKEEPER-4295) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210517 [jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5", refsource: "MLIST", url: "https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-dev] 20210517 [jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5", refsource: "MLIST", url: "https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575@%3Cdev.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210517 [GitHub] [zookeeper] gpiyush-dev opened a new pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5", refsource: "MLIST", url: "https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8@%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210521 [GitHub] [zookeeper] maoling commented on pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5", refsource: "MLIST", url: "https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183@%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains 
netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c@%3Cissues.flink.apache.org%3E", }, { name: "[flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5@%3Cissues.flink.apache.org%3E", }, { name: "https://www.oracle.com//security-alerts/cpujul2021.html", refsource: "MISC", url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "https://security.netapp.com/advisory/ntap-20210604-0003/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20210604-0003/", }, { name: "[zookeeper-issues] 20210727 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210727 [jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", refsource: "MLIST", url: "https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210727 [GitHub] [zookeeper] sandipbhattacharya commented on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", refsource: "MLIST", url: 
"https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4@%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc@%3Cissues.kudu.apache.org%3E", }, { name: "[kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3@%3Cissues.kudu.apache.org%3E", }, { name: "[kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b@%3Cissues.kudu.apache.org%3E", }, { name: "[kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb@%3Cissues.kudu.apache.org%3E", }, { name: "[kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d@%3Cissues.kudu.apache.org%3E", }, { name: "[zookeeper-issues] 20210922 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210923 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - 
netty-transport-4.1.60.Final CVE-2021-21409", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210923 [jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-dev] 20210923 [jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362@%3Cdev.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210923 [jira] [Assigned] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210923 [jira] [Updated] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210924 [jira] [Resolved] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210924 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4385. 
Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2@%3Ccommits.zookeeper.apache.org%3E", }, { name: "https://www.oracle.com/security-alerts/cpuoct2021.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E", }, { name: "https://www.oracle.com/security-alerts/cpujan2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { name: "https://www.oracle.com/security-alerts/cpuapr2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, ], }, source: { advisory: "GHSA-f256-j965-7f32", discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2021-21409", datePublished: "2021-03-30T15:05:17", dateReserved: "2020-12-22T00:00:00", dateUpdated: "2024-08-03T18:09:16.144Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-37136
Vulnerability from cvelistv5
Vendor | Product | Version | ||
---|---|---|---|---|
The Netty project | Netty |
Version: unspecified < 4.1.68Final |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T01:16:02.944Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv", }, { name: "[tinkerpop-dev] 20211025 [jira] [Created] (TINKERPOP-2632) Netty 4.1.61 flagged with two high severity security violations", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e%40%3Cdev.tinkerpop.apache.org%3E", }, { name: "[druid-commits] 20211025 [GitHub] [druid] jihoonson opened a new pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E", }, { name: "[druid-commits] 20211025 [GitHub] [druid] jihoonson commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb%40%3Ccommits.druid.apache.org%3E", }, { name: "[druid-commits] 20211025 [GitHub] [druid] a2l007 commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04%40%3Ccommits.druid.apache.org%3E", }, { name: "[druid-commits] 20211026 [GitHub] [druid] clintropolis merged pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3", tags: [ "mailing-list", "x_transferred", ], url: 
"https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3Ccommits.druid.apache.org%3E", }, { name: "[druid-commits] 20211026 [GitHub] [druid] jihoonson commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16%40%3Ccommits.druid.apache.org%3E", }, { tags: [ "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { tags: [ "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { tags: [ "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20220210-0012/", }, { tags: [ "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { name: "[debian-lts-announce] 20230111 [SECURITY] [DLA 3268-1] netty security update", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html", }, { name: "DSA-5316", tags: [ "vendor-advisory", "x_transferred", ], url: "https://www.debian.org/security/2023/dsa-5316", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Netty", vendor: "The Netty project", versions: [ { lessThan: "4.1.68Final", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], descriptions: [ { lang: "en", value: "The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. 
The malicious input can trigger an OOME and so a DoS attack", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-400", description: "CWE-400", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-01-12T00:00:00", orgId: "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", shortName: "JFROG", }, references: [ { url: "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv", }, { name: "[tinkerpop-dev] 20211025 [jira] [Created] (TINKERPOP-2632) Netty 4.1.61 flagged with two high severity security violations", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e%40%3Cdev.tinkerpop.apache.org%3E", }, { name: "[druid-commits] 20211025 [GitHub] [druid] jihoonson opened a new pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E", }, { name: "[druid-commits] 20211025 [GitHub] [druid] jihoonson commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb%40%3Ccommits.druid.apache.org%3E", }, { name: "[druid-commits] 20211025 [GitHub] [druid] a2l007 commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04%40%3Ccommits.druid.apache.org%3E", }, { name: "[druid-commits] 20211026 [GitHub] [druid] clintropolis merged pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3", tags: [ "mailing-list", ], url: 
"https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3Ccommits.druid.apache.org%3E", }, { name: "[druid-commits] 20211026 [GitHub] [druid] jihoonson commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16%40%3Ccommits.druid.apache.org%3E", }, { url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { url: "https://security.netapp.com/advisory/ntap-20220210-0012/", }, { url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { name: "[debian-lts-announce] 20230111 [SECURITY] [DLA 3268-1] netty security update", tags: [ "mailing-list", ], url: "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html", }, { name: "DSA-5316", tags: [ "vendor-advisory", ], url: "https://www.debian.org/security/2023/dsa-5316", }, ], }, }, cveMetadata: { assignerOrgId: "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", assignerShortName: "JFROG", cveId: "CVE-2021-37136", datePublished: "2021-10-19T00:00:00", dateReserved: "2021-07-20T00:00:00", dateUpdated: "2024-08-04T01:16:02.944Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-6267
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://access.redhat.com/errata/RHSA-2024:0494 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/errata/RHSA-2024:0495 | vendor-advisory, x_refsource_REDHAT | |
https://access.redhat.com/security/cve/CVE-2023-6267 | vdb-entry, x_refsource_REDHAT | |
https://bugzilla.redhat.com/show_bug.cgi?id=2251155 | issue-tracking, x_refsource_REDHAT |
Vendor | Product | Version | |||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
▼ | Red Hat | Red Hat build of Quarkus 2.13.9.Final |
Unaffected: 2.13.9.Final-redhat-00003 < * cpe:/a:redhat:quarkus:2.13 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T08:28:20.364Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2024:0494", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2024:0494", }, { name: "RHSA-2024:0495", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2024:0495", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2023-6267", }, { name: "RHBZ#2251155", tags: [ "issue-tracking", "x_refsource_REDHAT", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2251155", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:quarkus:2.13", ], defaultStatus: "affected", packageName: "io.quarkus/quarkus-resteasy", product: "Red Hat build of Quarkus 2.13.9.Final", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "2.13.9.Final-redhat-00003", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:quarkus:3.2", ], defaultStatus: "affected", packageName: "io.quarkus/quarkus-resteasy", product: "Red Hat build of Quarkus 3.2.9.Final", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "3.2.9.Final-redhat-00003", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:optaplanner:::el6", ], defaultStatus: "affected", packageName: "quarkus-resteasy-reactive", product: "Red Hat build of OptaPlanner 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_fuse:7", ], defaultStatus: "unaffected", 
packageName: "resteasy", product: "Red Hat Fuse 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:integration:1", ], defaultStatus: "affected", packageName: "resteasy-core", product: "Red Hat Integration Camel K 1", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:camel_quarkus:2", ], defaultStatus: "unaffected", packageName: "quarkus-resteasy-reactive", product: "Red Hat Integration Camel Quarkus 2", vendor: "Red Hat", }, ], datePublic: "2024-01-24T00:00:00.000Z", descriptions: [ { lang: "en", value: "A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied. This does not happen with configuration based security.", }, ], metrics: [ { other: { content: { namespace: "https://access.redhat.com/security/updates/classification/", value: "Important", }, type: "Red Hat severity rating", }, }, { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.6, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", version: "3.1", }, format: "CVSS", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-755", description: "Improper Handling of Exceptional Conditions", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-03-03T14:47:04.634Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2024:0494", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:0494", }, { name: "RHSA-2024:0495", tags: [ "vendor-advisory", 
"x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:0495", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", ], url: "https://access.redhat.com/security/cve/CVE-2023-6267", }, { name: "RHBZ#2251155", tags: [ "issue-tracking", "x_refsource_REDHAT", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2251155", }, ], timeline: [ { lang: "en", time: "2023-11-23T00:00:00+00:00", value: "Reported to Red Hat.", }, { lang: "en", time: "2024-01-24T00:00:00+00:00", value: "Made public.", }, ], title: "Quarkus: json payload getting processed prior to security checks when rest resources are used with annotations.", x_redhatCweChain: "CWE-755: Improper Handling of Exceptional Conditions", }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2023-6267", datePublished: "2024-01-25T18:12:44.771Z", dateReserved: "2023-11-23T06:34:22.287Z", dateUpdated: "2025-03-03T14:47:04.634Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-21295
Vulnerability from cvelistv5
Vendor | Product | Version | ||
---|---|---|---|---|
netty | io.netty:netty-codec-http2 |
Version: < 4.1.60.Final |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T18:09:15.344Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Netflix/zuul/pull/980", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4", }, { name: "[ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f%40%3Cdev.ranger.apache.org%3E", }, { name: "[ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5%40%3Cdev.ranger.apache.org%3E", }, { name: "[pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 & CVE-2021-21290", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d%40%3Ccommits.pulsar.apache.org%3E", }, { name: "[pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48%40%3Ccommits.pulsar.apache.org%3E", }, { name: "[pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 & 
CVE-2021-21290", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325%40%3Ccommits.pulsar.apache.org%3E", }, { name: "[bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890%40%3Cissues.bookkeeper.apache.org%3E", }, { name: "[zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904%40%3Cdev.zookeeper.apache.org%3E", }, { name: "[kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4%40%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700%40%3Cjira.kafka.apache.org%3E", }, { name: "[zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", 
tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41%40%3Cjira.kafka.apache.org%3E", }, { name: "[zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210331 [jira] [Assigned] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r1bca0b81193b74a451fc6d687ab58ef3a1f5ec40f6c61561d8dd9509%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210331 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r3ff9e735ca33612d900607dc139ebd38a64cadc6bce292e53eb86d7f%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r312ce5bd3c6bf08c138349b507b6f1c25fe9cf40b6f2b0014c9d12b1%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210331 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: 
"https://lists.apache.org/thread.html/rcfc535afd413d9934d6ee509dce234dac41fa3747a7555befb17447e%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr commented on pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r3c293431c781696681abbfe1c573c2d9dcdae6fd3ff330ea22f0433f%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr opened a new pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r9051e4f484a970b5566dc1870ecd9c1eb435214e2652cf3ea4d0c0cc%40%3Cjira.kafka.apache.org%3E", }, { name: "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rbadcbcb50195f00bbd196403865ced521ca70787999583c07be38d0e%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] eolivelli commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r67e6a636cbc1958383a1cd72b7fd0cd7493360b1dd0e6c12f5761798%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: 
"https://lists.apache.org/thread.html/r6a29316d758db628a1df49ca219d64caf493999b52cc77847bfba675%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r5470456cf1409a99893ae9dd57439799f6dc1a60fda90e11570f66fe%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad closed pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rbed09768f496244a2e138dbbe6d2847ddf796c9c8ef9e50f2e3e30d9%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] asfgit closed pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r5232e33a1f3b310a3e083423f736f3925ebdb150844d60ac582809f8%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210331 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r6a122c25e352eb134d01e7f4fc4d345a491c5ee9453fef6fc754d15b%40%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210331 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", 
"x_transferred", ], url: "https://lists.apache.org/thread.html/r22adb45fe902aeafcd0a1c4db13984224a667676c323c66db3af38a1%40%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210331 [zookeeper] branch master updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r837bbcbf12e335e83ab448b1bd2c1ad7e86efdc14034b23811422e6a%40%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210331 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4272 ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r70cebada51bc6d49138272437d8a28fe971d0197334ef906b575044c%40%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210331 [jira] [Resolved] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/re6207ebe2ca4d44f2a6deee695ad6f27fd29d78980f1d46ed1574f91%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210401 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rdc096e13ac4501ea2e2b03a197682a313b85d3d3ec89d5ae5551b384%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[kafka-dev] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r5fc5786cdd640b1b0a3c643237ce0011f0a08a296b11c0e2c669022c%40%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210401 
[jira] [Commented] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r96ce18044880c33634c4b3fcecc57b8b90673c9364d63eba00385523%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rc165e36ca7cb5417aec3f21bbc4ec00fb38ecebdd96a82cfab9bd56f%40%3Cjira.kafka.apache.org%3E", }, { name: "[zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell merged pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r22b2f34447d71c9a0ad9079b7860323d5584fb9b40eb42668c21eaf1%40%3Cissues.hbase.apache.org%3E", }, { name: "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] HorizonNet commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rb95d42ce220ed4a4683aa17833b5006d657bc4254bc5cb03cd5e6bfb%40%3Cissues.hbase.apache.org%3E", }, { name: "[hbase-issues] 20210402 [jira] [Assigned] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", 
"x_transferred", ], url: "https://lists.apache.org/thread.html/r393a339ab0b63ef9e6502253eeab26e7643b3e69738d5948b2b1d064%40%3Cissues.hbase.apache.org%3E", }, { name: "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r040a5e4d9cca2f98354b58a70b27099672276f66995c4e2e39545d0b%40%3Cissues.hbase.apache.org%3E", }, { name: "[hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r27b7e5a588ec826b15f38c40be500c50073400019ce7b8adfd07fece%40%3Cissues.hbase.apache.org%3E", }, { name: "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r86cd38a825ab2344f3e6cad570528852f29a4ffdf56ab67d75c36edf%40%3Cissues.hbase.apache.org%3E", }, { name: "[hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ra83096bcbfe6e1f4d54449f8a013117a0536404e9d307ab4a0d34f81%40%3Cissues.hbase.apache.org%3E", }, { name: "[hbase-commits] 20210402 [hbase-thirdparty] branch master updated: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295 (#48)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: 
"https://lists.apache.org/thread.html/rcf3752209a8b04996373bf57fdc808b3bfaa2be8702698a0323641f8%40%3Ccommits.hbase.apache.org%3E", }, { name: "[hbase-dev] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r905b92099998291956eebf4f1c5d95f5a0cbcece2946cc46d32274fd%40%3Cdev.hbase.apache.org%3E", }, { name: "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r6aee7e3566cb3e51eeed2fd8786704d91f80a7581e00a787ba9f37f6%40%3Cissues.hbase.apache.org%3E", }, { name: "[hbase-issues] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r268850f26639ebe249356ed6d8edb54ee8943be6f200f770784fb190%40%3Cissues.hbase.apache.org%3E", }, { name: "[kafka-jira] 20210402 [jira] [Assigned] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r15f66ada9a5faf4bac69d9e7c4521cedfefa62df9509881603791969%40%3Cjira.kafka.apache.org%3E", }, { name: "DSA-4885", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2021/dsa-4885", }, { name: "[flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. 
please confirm these version and fix. thx", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a%40%3Cissues.flink.apache.org%3E", }, { name: "[flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898%40%3Cdev.flink.apache.org%3E", }, { name: "[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E", }, { name: "[flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324%40%3Cissues.flink.apache.org%3E", }, { name: "[flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. 
thx", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e%40%3Cissues.flink.apache.org%3E", }, { name: "[flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c%40%3Cissues.flink.apache.org%3E", }, { name: "[flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5%40%3Cissues.flink.apache.org%3E", }, { name: "[jackrabbit-dev] 20210709 [GitHub] [jackrabbit-oak] blackat opened a new pull request #321: Update netty to resolve CVE-2021-21295 and BDSA-2018-4022", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r3c4596b9b37f5ae91628ccf169d33cd5a0da4b16b6c39d5bad8e03f3%40%3Cdev.jackrabbit.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20210604-0003/", }, { name: "[kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc%40%3Cissues.kudu.apache.org%3E", }, { name: "[kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 
vulnerability in netty version 4.1.60", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3%40%3Cissues.kudu.apache.org%3E", }, { name: "[kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b%40%3Cissues.kudu.apache.org%3E", }, { name: "[kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb%40%3Cissues.kudu.apache.org%3E", }, { name: "[kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d%40%3Cissues.kudu.apache.org%3E", }, { name: "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rfff6ff8ffb31e8a32619c79774def44b6ffbb037c128c5ad3eab7171%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r32b0b640ad2be3b858f0af51c68a7d5c5a66a462c8bbb93699825cd3%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42", tags: [ 
"mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-dev] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r33eb06b05afbc7df28d31055cae0cb3fd36cab808c884bf6d680bea5%40%3Cdev.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: 
"https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de%40%3Cnotifications.zookeeper.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: 
"https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf%40%3Ccommits.servicecomb.apache.org%3E", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "io.netty:netty-codec-http2", vendor: "netty", versions: [ { status: "affected", version: "< 4.1.60.Final", }, ], }, ], descriptions: [ { lang: "en", value: "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. 
In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. 
This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-444", description: "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-04-19T23:23:53", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/Netflix/zuul/pull/980", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4", }, { name: "[ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f%40%3Cdev.ranger.apache.org%3E", }, { name: "[ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5%40%3Cdev.ranger.apache.org%3E", }, { name: "[pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 & 
CVE-2021-21290", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d%40%3Ccommits.pulsar.apache.org%3E", }, { name: "[pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48%40%3Ccommits.pulsar.apache.org%3E", }, { name: "[pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 & CVE-2021-21290", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325%40%3Ccommits.pulsar.apache.org%3E", }, { name: "[bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890%40%3Cissues.bookkeeper.apache.org%3E", }, { name: "[zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904%40%3Cdev.zookeeper.apache.org%3E", }, { name: "[kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4%40%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700%40%3Cjira.kafka.apache.org%3E", }, { name: "[zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41%40%3Cjira.kafka.apache.org%3E", }, { name: "[zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210331 [jira] [Assigned] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r1bca0b81193b74a451fc6d687ab58ef3a1f5ec40f6c61561d8dd9509%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210331 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r3ff9e735ca33612d900607dc139ebd38a64cadc6bce292e53eb86d7f%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability 
CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r312ce5bd3c6bf08c138349b507b6f1c25fe9cf40b6f2b0014c9d12b1%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210331 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rcfc535afd413d9934d6ee509dce234dac41fa3747a7555befb17447e%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr commented on pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r3c293431c781696681abbfe1c573c2d9dcdae6fd3ff330ea22f0433f%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr opened a new pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r9051e4f484a970b5566dc1870ecd9c1eb435214e2652cf3ea4d0c0cc%40%3Cjira.kafka.apache.org%3E", }, { name: "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rbadcbcb50195f00bbd196403865ced521ca70787999583c07be38d0e%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] eolivelli commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/r67e6a636cbc1958383a1cd72b7fd0cd7493360b1dd0e6c12f5761798%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r6a29316d758db628a1df49ca219d64caf493999b52cc77847bfba675%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r5470456cf1409a99893ae9dd57439799f6dc1a60fda90e11570f66fe%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad closed pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rbed09768f496244a2e138dbbe6d2847ddf796c9c8ef9e50f2e3e30d9%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] asfgit closed pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r5232e33a1f3b310a3e083423f736f3925ebdb150844d60ac582809f8%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210331 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/r6a122c25e352eb134d01e7f4fc4d345a491c5ee9453fef6fc754d15b%40%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210331 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r22adb45fe902aeafcd0a1c4db13984224a667676c323c66db3af38a1%40%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210331 [zookeeper] branch master updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r837bbcbf12e335e83ab448b1bd2c1ad7e86efdc14034b23811422e6a%40%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210331 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4272 ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r70cebada51bc6d49138272437d8a28fe971d0197334ef906b575044c%40%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210331 [jira] [Resolved] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/re6207ebe2ca4d44f2a6deee695ad6f27fd29d78980f1d46ed1574f91%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210401 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rdc096e13ac4501ea2e2b03a197682a313b85d3d3ec89d5ae5551b384%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[kafka-dev] 20210401 [jira] [Resolved] (KAFKA-12583) 
Upgrade of netty-codec due to CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r5fc5786cdd640b1b0a3c643237ce0011f0a08a296b11c0e2c669022c%40%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210401 [jira] [Commented] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r96ce18044880c33634c4b3fcecc57b8b90673c9364d63eba00385523%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rc165e36ca7cb5417aec3f21bbc4ec00fb38ecebdd96a82cfab9bd56f%40%3Cjira.kafka.apache.org%3E", }, { name: "[zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell merged pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r22b2f34447d71c9a0ad9079b7860323d5584fb9b40eb42668c21eaf1%40%3Cissues.hbase.apache.org%3E", }, { name: "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] HorizonNet commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rb95d42ce220ed4a4683aa17833b5006d657bc4254bc5cb03cd5e6bfb%40%3Cissues.hbase.apache.org%3E", }, { name: "[hbase-issues] 20210402 [jira] 
[Assigned] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r393a339ab0b63ef9e6502253eeab26e7643b3e69738d5948b2b1d064%40%3Cissues.hbase.apache.org%3E", }, { name: "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r040a5e4d9cca2f98354b58a70b27099672276f66995c4e2e39545d0b%40%3Cissues.hbase.apache.org%3E", }, { name: "[hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r27b7e5a588ec826b15f38c40be500c50073400019ce7b8adfd07fece%40%3Cissues.hbase.apache.org%3E", }, { name: "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r86cd38a825ab2344f3e6cad570528852f29a4ffdf56ab67d75c36edf%40%3Cissues.hbase.apache.org%3E", }, { name: "[hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ra83096bcbfe6e1f4d54449f8a013117a0536404e9d307ab4a0d34f81%40%3Cissues.hbase.apache.org%3E", }, { name: "[hbase-commits] 20210402 [hbase-thirdparty] branch master updated: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295 
(#48)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rcf3752209a8b04996373bf57fdc808b3bfaa2be8702698a0323641f8%40%3Ccommits.hbase.apache.org%3E", }, { name: "[hbase-dev] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r905b92099998291956eebf4f1c5d95f5a0cbcece2946cc46d32274fd%40%3Cdev.hbase.apache.org%3E", }, { name: "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r6aee7e3566cb3e51eeed2fd8786704d91f80a7581e00a787ba9f37f6%40%3Cissues.hbase.apache.org%3E", }, { name: "[hbase-issues] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r268850f26639ebe249356ed6d8edb54ee8943be6f200f770784fb190%40%3Cissues.hbase.apache.org%3E", }, { name: "[kafka-jira] 20210402 [jira] [Assigned] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r15f66ada9a5faf4bac69d9e7c4521cedfefa62df9509881603791969%40%3Cjira.kafka.apache.org%3E", }, { name: "DSA-4885", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2021/dsa-4885", }, { name: "[flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. 
thx", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a%40%3Cissues.flink.apache.org%3E", }, { name: "[flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898%40%3Cdev.flink.apache.org%3E", }, { name: "[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E", }, { name: "[flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324%40%3Cissues.flink.apache.org%3E", }, { name: "[flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. 
thx", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e%40%3Cissues.flink.apache.org%3E", }, { name: "[flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c%40%3Cissues.flink.apache.org%3E", }, { name: "[flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5%40%3Cissues.flink.apache.org%3E", }, { name: "[jackrabbit-dev] 20210709 [GitHub] [jackrabbit-oak] blackat opened a new pull request #321: Update netty to resolve CVE-2021-21295 and BDSA-2018-4022", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r3c4596b9b37f5ae91628ccf169d33cd5a0da4b16b6c39d5bad8e03f3%40%3Cdev.jackrabbit.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20210604-0003/", }, { name: "[kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc%40%3Cissues.kudu.apache.org%3E", }, { name: "[kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3%40%3Cissues.kudu.apache.org%3E", }, { name: "[kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b%40%3Cissues.kudu.apache.org%3E", }, { name: "[kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb%40%3Cissues.kudu.apache.org%3E", }, { name: "[kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d%40%3Cissues.kudu.apache.org%3E", }, { name: "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rfff6ff8ffb31e8a32619c79774def44b6ffbb037c128c5ad3eab7171%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r32b0b640ad2be3b858f0af51c68a7d5c5a66a462c8bbb93699825cd3%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a%40%3Cissues.zookeeper.apache.org%3E", }, { name: 
"[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-dev] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r33eb06b05afbc7df28d31055cae0cb3fd36cab808c884bf6d680bea5%40%3Cdev.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: 
"https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de%40%3Cnotifications.zookeeper.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: 
"https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf%40%3Ccommits.servicecomb.apache.org%3E", }, ], source: { advisory: "GHSA-wm47-8v5p-wjpj", discovery: "UNKNOWN", }, title: "Possible request smuggling in HTTP/2 due missing validation", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security-advisories@github.com", ID: "CVE-2021-21295", STATE: "PUBLIC", TITLE: "Possible request smuggling in HTTP/2 due missing validation", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "io.netty:netty-codec-http2", version: { version_data: [ { version_value: "< 4.1.60.Final", }, ], }, }, ], }, vendor_name: "netty", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. 
This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. 
This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.", }, ], }, impact: { cvss: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj", refsource: "CONFIRM", url: "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj", }, { name: "https://github.com/Netflix/zuul/pull/980", refsource: "MISC", url: "https://github.com/Netflix/zuul/pull/980", }, { name: "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4", refsource: "MISC", url: "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4", }, { name: "[ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f@%3Cdev.ranger.apache.org%3E", }, { name: "[ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5@%3Cdev.ranger.apache.org%3E", }, { name: "[pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 & 
CVE-2021-21290", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d@%3Ccommits.pulsar.apache.org%3E", }, { name: "[pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48@%3Ccommits.pulsar.apache.org%3E", }, { name: "[pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 & CVE-2021-21290", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325@%3Ccommits.pulsar.apache.org%3E", }, { name: "[bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890@%3Cissues.bookkeeper.apache.org%3E", }, { name: "[zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904@%3Cdev.zookeeper.apache.org%3E", }, { name: "[kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4@%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700@%3Cjira.kafka.apache.org%3E", }, { name: "[zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability 
CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233@%3Cissues.zookeeper.apache.org%3E", }, { name: "[kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41@%3Cjira.kafka.apache.org%3E", }, { name: "[zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210331 [jira] [Assigned] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r1bca0b81193b74a451fc6d687ab58ef3a1f5ec40f6c61561d8dd9509@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210331 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r3ff9e735ca33612d900607dc139ebd38a64cadc6bce292e53eb86d7f@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r312ce5bd3c6bf08c138349b507b6f1c25fe9cf40b6f2b0014c9d12b1@%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210331 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: 
"https://lists.apache.org/thread.html/rcfc535afd413d9934d6ee509dce234dac41fa3747a7555befb17447e@%3Cissues.zookeeper.apache.org%3E", }, { name: "[kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr commented on pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r3c293431c781696681abbfe1c573c2d9dcdae6fd3ff330ea22f0433f@%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr opened a new pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r9051e4f484a970b5566dc1870ecd9c1eb435214e2652cf3ea4d0c0cc@%3Cjira.kafka.apache.org%3E", }, { name: "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rbadcbcb50195f00bbd196403865ced521ca70787999583c07be38d0e@%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] eolivelli commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r67e6a636cbc1958383a1cd72b7fd0cd7493360b1dd0e6c12f5761798@%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r6a29316d758db628a1df49ca219d64caf493999b52cc77847bfba675@%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1670: 
ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r5470456cf1409a99893ae9dd57439799f6dc1a60fda90e11570f66fe@%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad closed pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rbed09768f496244a2e138dbbe6d2847ddf796c9c8ef9e50f2e3e30d9@%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] asfgit closed pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r5232e33a1f3b310a3e083423f736f3925ebdb150844d60ac582809f8@%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210331 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r6a122c25e352eb134d01e7f4fc4d345a491c5ee9453fef6fc754d15b@%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210331 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r22adb45fe902aeafcd0a1c4db13984224a667676c323c66db3af38a1@%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210331 [zookeeper] branch master updated: ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r837bbcbf12e335e83ab448b1bd2c1ad7e86efdc14034b23811422e6a@%3Ccommits.zookeeper.apache.org%3E", }, 
{ name: "[zookeeper-commits] 20210331 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4272 ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r70cebada51bc6d49138272437d8a28fe971d0197334ef906b575044c@%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210331 [jira] [Resolved] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/re6207ebe2ca4d44f2a6deee695ad6f27fd29d78980f1d46ed1574f91@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210401 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rdc096e13ac4501ea2e2b03a197682a313b85d3d3ec89d5ae5551b384@%3Cissues.zookeeper.apache.org%3E", }, { name: "[kafka-dev] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r5fc5786cdd640b1b0a3c643237ce0011f0a08a296b11c0e2c669022c@%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210401 [jira] [Commented] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r96ce18044880c33634c4b3fcecc57b8b90673c9364d63eba00385523@%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rc165e36ca7cb5417aec3f21bbc4ec00fb38ecebdd96a82cfab9bd56f@%3Cjira.kafka.apache.org%3E", }, { name: "[zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: 
"https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87@%3Cissues.zookeeper.apache.org%3E", }, { name: "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell merged pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r22b2f34447d71c9a0ad9079b7860323d5584fb9b40eb42668c21eaf1@%3Cissues.hbase.apache.org%3E", }, { name: "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] HorizonNet commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rb95d42ce220ed4a4683aa17833b5006d657bc4254bc5cb03cd5e6bfb@%3Cissues.hbase.apache.org%3E", }, { name: "[hbase-issues] 20210402 [jira] [Assigned] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r393a339ab0b63ef9e6502253eeab26e7643b3e69738d5948b2b1d064@%3Cissues.hbase.apache.org%3E", }, { name: "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r040a5e4d9cca2f98354b58a70b27099672276f66995c4e2e39545d0b@%3Cissues.hbase.apache.org%3E", }, { name: "[hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r27b7e5a588ec826b15f38c40be500c50073400019ce7b8adfd07fece@%3Cissues.hbase.apache.org%3E", }, { name: "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell commented on pull request #48: HBASE-25728 
[hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r86cd38a825ab2344f3e6cad570528852f29a4ffdf56ab67d75c36edf@%3Cissues.hbase.apache.org%3E", }, { name: "[hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ra83096bcbfe6e1f4d54449f8a013117a0536404e9d307ab4a0d34f81@%3Cissues.hbase.apache.org%3E", }, { name: "[hbase-commits] 20210402 [hbase-thirdparty] branch master updated: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295 (#48)", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rcf3752209a8b04996373bf57fdc808b3bfaa2be8702698a0323641f8@%3Ccommits.hbase.apache.org%3E", }, { name: "[hbase-dev] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r905b92099998291956eebf4f1c5d95f5a0cbcece2946cc46d32274fd@%3Cdev.hbase.apache.org%3E", }, { name: "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to >= 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r6aee7e3566cb3e51eeed2fd8786704d91f80a7581e00a787ba9f37f6@%3Cissues.hbase.apache.org%3E", }, { name: "[hbase-issues] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r268850f26639ebe249356ed6d8edb54ee8943be6f200f770784fb190@%3Cissues.hbase.apache.org%3E", }, { name: "[kafka-jira] 
20210402 [jira] [Assigned] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r15f66ada9a5faf4bac69d9e7c4521cedfefa62df9509881603791969@%3Cjira.kafka.apache.org%3E", }, { name: "DSA-4885", refsource: "DEBIAN", url: "https://www.debian.org/security/2021/dsa-4885", }, { name: "[flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a@%3Cissues.flink.apache.org%3E", }, { name: "[flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898@%3Cdev.flink.apache.org%3E", }, { name: "[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E", }, { name: "[flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. 
thx", refsource: "MLIST", url: "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324@%3Cissues.flink.apache.org%3E", }, { name: "[flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e@%3Cissues.flink.apache.org%3E", }, { name: "[flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c@%3Cissues.flink.apache.org%3E", }, { name: "[flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. 
thx", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5@%3Cissues.flink.apache.org%3E", }, { name: "[jackrabbit-dev] 20210709 [GitHub] [jackrabbit-oak] blackat opened a new pull request #321: Update netty to resolve CVE-2021-21295 and BDSA-2018-4022", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r3c4596b9b37f5ae91628ccf169d33cd5a0da4b16b6c39d5bad8e03f3@%3Cdev.jackrabbit.apache.org%3E", }, { name: "https://security.netapp.com/advisory/ntap-20210604-0003/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20210604-0003/", }, { name: "[kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc@%3Cissues.kudu.apache.org%3E", }, { name: "[kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3@%3Cissues.kudu.apache.org%3E", }, { name: "[kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b@%3Cissues.kudu.apache.org%3E", }, { name: "[kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb@%3Cissues.kudu.apache.org%3E", }, { name: "[kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", refsource: "MLIST", url: 
"https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d@%3Cissues.kudu.apache.org%3E", }, { name: "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rfff6ff8ffb31e8a32619c79774def44b6ffbb037c128c5ad3eab7171@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r32b0b640ad2be3b858f0af51c68a7d5c5a66a462c8bbb93699825cd3@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-dev] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r33eb06b05afbc7df28d31055cae0cb3fd36cab808c884bf6d680bea5@%3Cdev.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E", }, { name: "[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0", refsource: "MLIST", url: 
"https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E", }, { name: "https://www.oracle.com/security-alerts/cpuapr2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { name: "https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2@%3Ccommits.servicecomb.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2@%3Ccommits.servicecomb.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882@%3Ccommits.servicecomb.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882@%3Ccommits.servicecomb.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925@%3Ccommits.servicecomb.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925@%3Ccommits.servicecomb.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef@%3Ccommits.servicecomb.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef@%3Ccommits.servicecomb.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c@%3Ccommits.servicecomb.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c@%3Ccommits.servicecomb.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de@%3Cnotifications.zookeeper.apache.org%3E", refsource: "MISC", url: 
"https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de@%3Cnotifications.zookeeper.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80@%3Ccommits.servicecomb.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80@%3Ccommits.servicecomb.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c@%3Ccommits.servicecomb.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c@%3Ccommits.servicecomb.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73@%3Ccommits.servicecomb.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73@%3Ccommits.servicecomb.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2@%3Ccommits.servicecomb.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2@%3Ccommits.servicecomb.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b@%3Ccommits.servicecomb.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b@%3Ccommits.servicecomb.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052@%3Ccommits.servicecomb.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052@%3Ccommits.servicecomb.apache.org%3E", }, { name: 
"https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d@%3Ccommits.servicecomb.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d@%3Ccommits.servicecomb.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60@%3Ccommits.servicecomb.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60@%3Ccommits.servicecomb.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24@%3Ccommits.servicecomb.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24@%3Ccommits.servicecomb.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d@%3Ccommits.servicecomb.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d@%3Ccommits.servicecomb.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed@%3Ccommits.servicecomb.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed@%3Ccommits.servicecomb.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468@%3Ccommits.servicecomb.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468@%3Ccommits.servicecomb.apache.org%3E", }, { name: "https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf@%3Ccommits.servicecomb.apache.org%3E", refsource: "MISC", url: 
"https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf@%3Ccommits.servicecomb.apache.org%3E", }, ], }, source: { advisory: "GHSA-wm47-8v5p-wjpj", discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2021-21295", datePublished: "2021-03-09T18:35:19", dateReserved: "2020-12-22T00:00:00", dateUpdated: "2024-08-03T18:09:15.344Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-21290
Vulnerability from cvelistv5
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T18:09:15.620Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec", }, { name: "[debian-lts-announce] 20210211 [SECURITY] [DLA 2555-1] netty security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2021/02/msg00016.html", }, { name: "[kafka-jira] 20210301 [jira] [Created] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rc488f80094872ad925f0c73d283d4c00d32def81977438e27a3dc2bb%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-dev] 20210301 [jira] [Created] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r2748097ea4b774292539cf3de6e3b267fc7a88d6c8ec40f4e2e87bd4%40%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210301 [jira] [Assigned] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ra503756ced78fdc2136bd33e87cb7553028645b261b1f5c6186a121e%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210301 [GitHub] [kafka] dongjinleekr opened a new pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r10308b625e49d4e9491d7e079606ca0df2f0a4d828f1ad1da64ba47b%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210301 [GitHub] 
[kafka] dongjinleekr commented on pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-dev] 20210302 [jira] [Resolved] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r326ec431f06eab7cb7113a7a338e59731b8d556d05258457f12bac1b%40%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210302 [jira] [Resolved] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rdba4f78ac55f803893a1a2265181595e79e3aa027e2e651dfba98c18%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210302 [GitHub] [kafka] omkreddy closed pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r0857b613604c696bf9743f0af047360baaded48b1c75cf6945a083c5%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-commits] 20210302 [kafka] branch 2.6 updated: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r5e4a540089760c8ecc2c411309d74264f1dad634ad93ad583ca16214%40%3Ccommits.kafka.apache.org%3E", }, { name: "[kafka-commits] 20210302 [kafka] branch 2.7 updated: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r71dbb66747ff537640bb91eb0b2b24edef21ac07728097016f58b01f%40%3Ccommits.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210302 [GitHub] [kafka] dongjinleekr 
commented on pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ra0fc2b4553dd7aaf75febb61052b7f1243ac3a180a71c01f29093013%40%3Cjira.kafka.apache.org%3E", }, { name: "[zookeeper-issues] 20210311 [jira] [Created] (ZOOKEEPER-4242) Upgrade Netty library to > 4.1.59 due to security vulnerability", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r5bf303d7c04da78f276765da08559fdc62420f1df539b277ca31f63b%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-dev] 20210311 [jira] [Created] (ZOOKEEPER-4242) Upgrade Netty library to > 4.1.59 due to security vulnerability", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r743149dcc8db1de473e6bff0b3ddf10140a7357bc2add75f7d1fbb12%40%3Cdev.zookeeper.apache.org%3E", }, { name: "[tinkerpop-dev] 20210316 [jira] [Created] (TINKERPOP-2535) Netty 4.1.52 flagged as medium security violation", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r4efed2c501681cb2e8d629da16e48d9eac429624fd4c9a8c6b8e7020%40%3Cdev.tinkerpop.apache.org%3E", }, { name: "[ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f%40%3Cdev.ranger.apache.org%3E", }, { name: "[ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5%40%3Cdev.ranger.apache.org%3E", }, { name: "[pulsar-commits] 20210329 
[GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 & CVE-2021-21290", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d%40%3Ccommits.pulsar.apache.org%3E", }, { name: "[pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48%40%3Ccommits.pulsar.apache.org%3E", }, { name: "[pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 & CVE-2021-21290", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325%40%3Ccommits.pulsar.apache.org%3E", }, { name: "[bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890%40%3Cissues.bookkeeper.apache.org%3E", }, { name: "[zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904%40%3Cdev.zookeeper.apache.org%3E", }, { name: "[kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4%40%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210330 [jira] 
[Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700%40%3Cjira.kafka.apache.org%3E", }, { name: "[zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41%40%3Cjira.kafka.apache.org%3E", }, { name: "[zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87%40%3Cissues.zookeeper.apache.org%3E", }, { name: "DSA-4885", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2021/dsa-4885", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: 
"https://lists.apache.org/thread.html/r0053443ce19ff125981559f8c51cf66e3ab4350f47812b8cf0733a05%40%3Cdev.kafka.apache.org%3E", }, { name: "[activemq-users] 20210715 Next ActiveMQ Artemis Release - CVE-2021-21290 vulnerability", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r5c701840aa2845191721e39821445e1e8c59711e71942b7796a6ec29%40%3Cusers.activemq.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20220210-0011/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "netty", vendor: "netty", versions: [ { status: "affected", version: "< 4.1.59.Final", }, ], }, ], descriptions: [ { lang: "en", value: "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. 
As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method \"File.createTempFile\" on unix-like systems creates a random file, but, by default will create this file with the permissions \"-rw-r--r--\". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's \"AbstractDiskHttpData\" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own \"java.io.tmpdir\" when you start the JVM or use \"DefaultHttpDataFactory.setBaseDir(...)\" to set the directory to something that is only readable by the current user.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.2, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-378", description: "CWE-378: Creation of Temporary File With Insecure Permissions", lang: "en", type: "CWE", }, ], }, { descriptions: [ { cweId: "CWE-379", description: "CWE-379: Creation of Temporary File in Directory with Insecure Permissions", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-04-19T23:23:48", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec", }, { name: "[debian-lts-announce] 20210211 [SECURITY] [DLA 2555-1] netty security update", tags: [ "mailing-list", "x_refsource_MLIST", ], 
url: "https://lists.debian.org/debian-lts-announce/2021/02/msg00016.html", }, { name: "[kafka-jira] 20210301 [jira] [Created] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rc488f80094872ad925f0c73d283d4c00d32def81977438e27a3dc2bb%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-dev] 20210301 [jira] [Created] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r2748097ea4b774292539cf3de6e3b267fc7a88d6c8ec40f4e2e87bd4%40%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210301 [jira] [Assigned] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ra503756ced78fdc2136bd33e87cb7553028645b261b1f5c6186a121e%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210301 [GitHub] [kafka] dongjinleekr opened a new pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r10308b625e49d4e9491d7e079606ca0df2f0a4d828f1ad1da64ba47b%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210301 [GitHub] [kafka] dongjinleekr commented on pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-dev] 20210302 [jira] [Resolved] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r326ec431f06eab7cb7113a7a338e59731b8d556d05258457f12bac1b%40%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210302 [jira] [Resolved] (KAFKA-12389) Upgrade of 
netty-codec due to CVE-2021-21290", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rdba4f78ac55f803893a1a2265181595e79e3aa027e2e651dfba98c18%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210302 [GitHub] [kafka] omkreddy closed pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r0857b613604c696bf9743f0af047360baaded48b1c75cf6945a083c5%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-commits] 20210302 [kafka] branch 2.6 updated: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r5e4a540089760c8ecc2c411309d74264f1dad634ad93ad583ca16214%40%3Ccommits.kafka.apache.org%3E", }, { name: "[kafka-commits] 20210302 [kafka] branch 2.7 updated: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r71dbb66747ff537640bb91eb0b2b24edef21ac07728097016f58b01f%40%3Ccommits.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210302 [GitHub] [kafka] dongjinleekr commented on pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ra0fc2b4553dd7aaf75febb61052b7f1243ac3a180a71c01f29093013%40%3Cjira.kafka.apache.org%3E", }, { name: "[zookeeper-issues] 20210311 [jira] [Created] (ZOOKEEPER-4242) Upgrade Netty library to > 4.1.59 due to security vulnerability", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r5bf303d7c04da78f276765da08559fdc62420f1df539b277ca31f63b%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-dev] 20210311 [jira] [Created] (ZOOKEEPER-4242) Upgrade Netty library to > 4.1.59 due to security vulnerability", tags: [ "mailing-list", 
"x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r743149dcc8db1de473e6bff0b3ddf10140a7357bc2add75f7d1fbb12%40%3Cdev.zookeeper.apache.org%3E", }, { name: "[tinkerpop-dev] 20210316 [jira] [Created] (TINKERPOP-2535) Netty 4.1.52 flagged as medium security violation", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r4efed2c501681cb2e8d629da16e48d9eac429624fd4c9a8c6b8e7020%40%3Cdev.tinkerpop.apache.org%3E", }, { name: "[ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f%40%3Cdev.ranger.apache.org%3E", }, { name: "[ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5%40%3Cdev.ranger.apache.org%3E", }, { name: "[pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 & CVE-2021-21290", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d%40%3Ccommits.pulsar.apache.org%3E", }, { name: "[pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48%40%3Ccommits.pulsar.apache.org%3E", }, { name: "[pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 & CVE-2021-21290", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325%40%3Ccommits.pulsar.apache.org%3E", }, { name: "[bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890%40%3Cissues.bookkeeper.apache.org%3E", }, { name: "[zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904%40%3Cdev.zookeeper.apache.org%3E", }, { name: "[kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4%40%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700%40%3Cjira.kafka.apache.org%3E", }, { name: "[zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41%40%3Cjira.kafka.apache.org%3E", }, { name: "[zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87%40%3Cissues.zookeeper.apache.org%3E", }, { name: "DSA-4885", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2021/dsa-4885", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/r0053443ce19ff125981559f8c51cf66e3ab4350f47812b8cf0733a05%40%3Cdev.kafka.apache.org%3E", }, { name: "[activemq-users] 20210715 Next ActiveMQ Artemis Release - CVE-2021-21290 vulnerability", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r5c701840aa2845191721e39821445e1e8c59711e71942b7796a6ec29%40%3Cusers.activemq.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20220210-0011/", }, ], source: { advisory: "GHSA-5mcr-gq6c-3hq2", discovery: "UNKNOWN", }, title: "Local Information Disclosure Vulnerability in Netty on Unix-Like systems due temporary files", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security-advisories@github.com", ID: "CVE-2021-21290", STATE: "PUBLIC", TITLE: "Local Information Disclosure Vulnerability in Netty on Unix-Like systems due temporary files", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "netty", version: { version_data: [ { version_value: "< 4.1.59.Final", }, ], }, }, ], }, vendor_name: "netty", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method \"File.createTempFile\" on unix-like systems creates a random file, but, by default will create this file with the permissions \"-rw-r--r--\". 
Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's \"AbstractDiskHttpData\" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own \"java.io.tmpdir\" when you start the JVM or use \"DefaultHttpDataFactory.setBaseDir(...)\" to set the directory to something that is only readable by the current user.", }, ], }, impact: { cvss: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.2, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-378: Creation of Temporary File With Insecure Permissions", }, ], }, { description: [ { lang: "eng", value: "CWE-379: Creation of Temporary File in Directory with Insecure Permissions", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2", refsource: "CONFIRM", url: "https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2", }, { name: "https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec", refsource: "MISC", url: "https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec", }, { name: "[debian-lts-announce] 20210211 [SECURITY] [DLA 2555-1] netty security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2021/02/msg00016.html", }, { name: "[kafka-jira] 20210301 [jira] [Created] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rc488f80094872ad925f0c73d283d4c00d32def81977438e27a3dc2bb@%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-dev] 20210301 [jira] [Created] (KAFKA-12389) Upgrade 
of netty-codec due to CVE-2021-21290", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r2748097ea4b774292539cf3de6e3b267fc7a88d6c8ec40f4e2e87bd4@%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210301 [jira] [Assigned] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ra503756ced78fdc2136bd33e87cb7553028645b261b1f5c6186a121e@%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210301 [GitHub] [kafka] dongjinleekr opened a new pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r10308b625e49d4e9491d7e079606ca0df2f0a4d828f1ad1da64ba47b@%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210301 [GitHub] [kafka] dongjinleekr commented on pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059@%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-dev] 20210302 [jira] [Resolved] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r326ec431f06eab7cb7113a7a338e59731b8d556d05258457f12bac1b@%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210302 [jira] [Resolved] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rdba4f78ac55f803893a1a2265181595e79e3aa027e2e651dfba98c18@%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210302 [GitHub] [kafka] omkreddy closed pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r0857b613604c696bf9743f0af047360baaded48b1c75cf6945a083c5@%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-commits] 20210302 [kafka] branch 2.6 updated: KAFKA-12389: Upgrade of netty-codec 
due to CVE-2021-21290", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r5e4a540089760c8ecc2c411309d74264f1dad634ad93ad583ca16214@%3Ccommits.kafka.apache.org%3E", }, { name: "[kafka-commits] 20210302 [kafka] branch 2.7 updated: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r71dbb66747ff537640bb91eb0b2b24edef21ac07728097016f58b01f@%3Ccommits.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210302 [GitHub] [kafka] dongjinleekr commented on pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ra0fc2b4553dd7aaf75febb61052b7f1243ac3a180a71c01f29093013@%3Cjira.kafka.apache.org%3E", }, { name: "[zookeeper-issues] 20210311 [jira] [Created] (ZOOKEEPER-4242) Upgrade Netty library to > 4.1.59 due to security vulnerability", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r5bf303d7c04da78f276765da08559fdc62420f1df539b277ca31f63b@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-dev] 20210311 [jira] [Created] (ZOOKEEPER-4242) Upgrade Netty library to > 4.1.59 due to security vulnerability", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r743149dcc8db1de473e6bff0b3ddf10140a7357bc2add75f7d1fbb12@%3Cdev.zookeeper.apache.org%3E", }, { name: "[tinkerpop-dev] 20210316 [jira] [Created] (TINKERPOP-2535) Netty 4.1.52 flagged as medium security violation", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r4efed2c501681cb2e8d629da16e48d9eac429624fd4c9a8c6b8e7020@%3Cdev.tinkerpop.apache.org%3E", }, { name: "[ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f@%3Cdev.ranger.apache.org%3E", }, { name: "[ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 
4.1.60+ due to CVE-2021-21290 and CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5@%3Cdev.ranger.apache.org%3E", }, { name: "[pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 & CVE-2021-21290", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d@%3Ccommits.pulsar.apache.org%3E", }, { name: "[pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48@%3Ccommits.pulsar.apache.org%3E", }, { name: "[pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 & CVE-2021-21290", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325@%3Ccommits.pulsar.apache.org%3E", }, { name: "[bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890@%3Cissues.bookkeeper.apache.org%3E", }, { name: "[zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904@%3Cdev.zookeeper.apache.org%3E", }, { name: "[kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4@%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of 
netty-codec due to CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700@%3Cjira.kafka.apache.org%3E", }, { name: "[zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233@%3Cissues.zookeeper.apache.org%3E", }, { name: "[kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41@%3Cjira.kafka.apache.org%3E", }, { name: "[zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to > 4.1.60 due to security vulnerability CVE-2021-21295", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87@%3Cissues.zookeeper.apache.org%3E", }, { name: "DSA-4885", refsource: "DEBIAN", url: "https://www.debian.org/security/2021/dsa-4885", }, { name: "https://www.oracle.com/security-alerts/cpuApr2021.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { name: "https://lists.apache.org/thread.html/r0053443ce19ff125981559f8c51cf66e3ab4350f47812b8cf0733a05@%3Cdev.kafka.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/r0053443ce19ff125981559f8c51cf66e3ab4350f47812b8cf0733a05@%3Cdev.kafka.apache.org%3E", }, { name: "[activemq-users] 20210715 Next ActiveMQ Artemis Release - 
CVE-2021-21290 vulnerability", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r5c701840aa2845191721e39821445e1e8c59711e71942b7796a6ec29@%3Cusers.activemq.apache.org%3E", }, { name: "https://www.oracle.com//security-alerts/cpujul2021.html", refsource: "MISC", url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "https://www.oracle.com/security-alerts/cpuoct2021.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E", }, { name: "https://www.oracle.com/security-alerts/cpuapr2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { name: "https://security.netapp.com/advisory/ntap-20220210-0011/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20220210-0011/", }, ], }, source: { advisory: "GHSA-5mcr-gq6c-3hq2", discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2021-21290", datePublished: "2021-02-08T20:10:16", dateReserved: "2020-12-22T00:00:00", dateUpdated: "2024-08-03T18:09:15.620Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-4147
Vulnerability from cvelistv5
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T01:27:54.547Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2022-4147", }, ], title: "CVE Program Container", }, { metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2022-4147", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-04-14T16:12:53.702695Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-04-14T18:10:52.032Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "quarkus-2", vendor: "n/a", versions: [ { status: "affected", version: "2", }, ], }, ], descriptions: [ { lang: "en", value: "Quarkus CORS filter allows simple GET and POST requests with invalid Origin to proceed. 
Simple GET or POST requests made with XMLHttpRequest are the ones which have no event listeners registered on the object returned by the XMLHttpRequest upload property and have no ReadableStream object used in the request.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-1026", description: "CWE-1026", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-12-06T00:00:00.000Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { url: "https://access.redhat.com/security/cve/CVE-2022-4147", }, ], }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2022-4147", datePublished: "2022-12-06T00:00:00.000Z", dateReserved: "2022-11-28T00:00:00.000Z", dateUpdated: "2025-04-14T18:10:52.032Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-37137
Vulnerability from cvelistv5
Vendor | Product | Version | ||
---|---|---|---|---|
The Netty project | Netty |
Version: unspecified < 4.1.68Final |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T01:16:02.953Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363", }, { name: "[tinkerpop-dev] 20211025 [jira] [Created] (TINKERPOP-2632) Netty 4.1.61 flagged with two high severity security violations", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e%40%3Cdev.tinkerpop.apache.org%3E", }, { name: "[druid-commits] 20211025 [GitHub] [druid] jihoonson opened a new pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E", }, { name: "[druid-commits] 20211025 [GitHub] [druid] jihoonson commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb%40%3Ccommits.druid.apache.org%3E", }, { name: "[druid-commits] 20211025 [GitHub] [druid] a2l007 commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04%40%3Ccommits.druid.apache.org%3E", }, { name: "[druid-commits] 20211026 [GitHub] [druid] clintropolis merged pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3", tags: [ "mailing-list", "x_transferred", ], url: 
"https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3Ccommits.druid.apache.org%3E", }, { name: "[druid-commits] 20211026 [GitHub] [druid] jihoonson commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16%40%3Ccommits.druid.apache.org%3E", }, { tags: [ "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { tags: [ "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { tags: [ "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20220210-0012/", }, { tags: [ "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { name: "[debian-lts-announce] 20230111 [SECURITY] [DLA 3268-1] netty security update", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html", }, { name: "DSA-5316", tags: [ "vendor-advisory", "x_transferred", ], url: "https://www.debian.org/security/2023/dsa-5316", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Netty", vendor: "The Netty project", versions: [ { lessThan: "4.1.68Final", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], descriptions: [ { lang: "en", value: "The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. 
This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-400", description: "CWE-400", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-01-12T00:00:00", orgId: "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", shortName: "JFROG", }, references: [ { url: "https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363", }, { name: "[tinkerpop-dev] 20211025 [jira] [Created] (TINKERPOP-2632) Netty 4.1.61 flagged with two high severity security violations", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e%40%3Cdev.tinkerpop.apache.org%3E", }, { name: "[druid-commits] 20211025 [GitHub] [druid] jihoonson opened a new pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E", }, { name: "[druid-commits] 20211025 [GitHub] [druid] jihoonson commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb%40%3Ccommits.druid.apache.org%3E", }, { name: "[druid-commits] 20211025 [GitHub] [druid] a2l007 commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04%40%3Ccommits.druid.apache.org%3E", }, { name: "[druid-commits] 20211026 [GitHub] [druid] clintropolis merged pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for 
netty3", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3Ccommits.druid.apache.org%3E", }, { name: "[druid-commits] 20211026 [GitHub] [druid] jihoonson commented on pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16%40%3Ccommits.druid.apache.org%3E", }, { url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { url: "https://security.netapp.com/advisory/ntap-20220210-0012/", }, { url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { name: "[debian-lts-announce] 20230111 [SECURITY] [DLA 3268-1] netty security update", tags: [ "mailing-list", ], url: "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html", }, { name: "DSA-5316", tags: [ "vendor-advisory", ], url: "https://www.debian.org/security/2023/dsa-5316", }, ], }, }, cveMetadata: { assignerOrgId: "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", assignerShortName: "JFROG", cveId: "CVE-2021-37137", datePublished: "2021-10-19T00:00:00", dateReserved: "2021-07-20T00:00:00", dateUpdated: "2024-08-04T01:16:02.953Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2017-18640
Vulnerability from cvelistv5
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T21:28:55.802Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "FEDORA-2020-599514b47e", tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKN7VGIKTYBCAKYBRG55QHXAY5UDZ7HA/", }, { name: "FEDORA-2020-23012fafbc", tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PTVJC54XGX26UJVVYCXZ7D25X3R5T2G6/", }, { name: "[pulsar-commits] 20200830 [GitHub] [pulsar] codelipenghui commented on issue #7928: CVE-2017-18640 exposure snakeyaml below 1.26", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r8b57c57cffa01e418868a3c7535b987635ff1fb5ab534203bfa2d64a%40%3Ccommits.pulsar.apache.org%3E", }, { name: "[hadoop-common-dev] 20200830 [jira] [Created] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/rb34d8d3269ad47a1400f5a1a2d8310e13a80b6576ebd7f512144198d%40%3Ccommon-dev.hadoop.apache.org%3E", }, { name: "[hadoop-common-issues] 20200830 [jira] [Updated] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r8464b6ec951aace8c807bac9ea526d4f9e3116aa16d38be06f7c6524%40%3Ccommon-issues.hadoop.apache.org%3E", }, { name: "[hadoop-common-issues] 20200830 [jira] [Created] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r643ba53f002ae59068f9352fe1d82e1b6f375387ffb776f13efe8fda%40%3Ccommon-issues.hadoop.apache.org%3E", }, { name: "[pulsar-commits] 20200831 [GitHub] [pulsar] wolfstudy edited a comment on issue #7928: CVE-2017-18640 
exposure snakeyaml below 1.26", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r2b05744c0c2867daa5d1a96832965b7d6220328b0ead06c22a6e7854%40%3Ccommits.pulsar.apache.org%3E", }, { name: "[pulsar-commits] 20200831 [GitHub] [pulsar] wolfstudy commented on issue #7928: CVE-2017-18640 exposure snakeyaml below 1.26", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r6c91e52b3cc9f4e64afe0f34f20507143fd1f756d12681a56a9b38da%40%3Ccommits.pulsar.apache.org%3E", }, { name: "[hadoop-common-issues] 20200831 [jira] [Commented] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r72a3588d62b2de1361dc9648f5d355385735e47f7ba49d089b0e680d%40%3Ccommon-issues.hadoop.apache.org%3E", }, { name: "[atlas-dev] 20200907 [GitHub] [atlas] crazylab opened a new pull request #109: Upgrade snakeyaml to a version without CVE-2017-18640", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r1dfac8b6a7097bcb4979402bbb6e2f8c36d0d9001e3018717eb22b7e%40%3Cdev.atlas.apache.org%3E", }, { name: "[cassandra-pr] 20200907 [GitHub] [cassandra] crazylab opened a new pull request #736: Upgrade to a snakeyaml version without CVE", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/rb0e033d5ec8233360203431ad96580cf2ec56f47d9a425d894e279c2%40%3Cpr.cassandra.apache.org%3E", }, { name: "[atlas-dev] 20200907 [GitHub] [atlas] crazylab opened a new pull request #110: Upgrade snakeyaml to a version without CVE-2017-18640", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r2a5b84fdf59042dc398497e914b5bb1aed77328320b1438144ae1953%40%3Cdev.atlas.apache.org%3E", }, { name: "[atlas-dev] 20200907 [GitHub] [atlas] crazylab closed pull request #109: Upgrade snakeyaml to a version without CVE-2017-18640", tags: [ "mailing-list", 
"x_transferred", ], url: "https://lists.apache.org/thread.html/r6d54c2da792c74cc14b9b7665ea89e144c9e238ed478d37fd56292e6%40%3Cdev.atlas.apache.org%3E", }, { name: "[pulsar-commits] 20200907 [GitHub] [pulsar] jiazhai closed issue #7928: CVE-2017-18640 exposure snakeyaml below 1.26", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r666f29a7d0e1f98fa1425ca01efcfa86e6e3856e01d300828aa7c6ea%40%3Ccommits.pulsar.apache.org%3E", }, { name: "[hadoop-common-issues] 20200909 [jira] [Commented] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r154090b871cf96d985b90864442d84eb027c72c94bc3f0a5727ba2d1%40%3Ccommon-issues.hadoop.apache.org%3E", }, { name: "[atlas-dev] 20200914 [GitHub] [atlas] nixonrodrigues commented on pull request #110: ATLAS-3940 : Upgrade snakeyaml to a version without CVE-2017-18640", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r28c9009a48d52cf448f8b02cd823da0f8601d2dff4d66f387a35f1e0%40%3Cdev.atlas.apache.org%3E", }, { name: "[atlas-dev] 20200914 [jira] [Created] (ATLAS-3940) Upgrade snakeyaml to a version without CVE-2017-18640", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/rb7b28ac741e32dd5edb2c22485d635275bead7290b056ee56baf8ce0%40%3Cdev.atlas.apache.org%3E", }, { name: "[atlas-dev] 20200914 [jira] [Updated] (ATLAS-3940) Upgrade snakeyaml to a version without CVE-2017-18640", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/re791a854001ec1f79cd4f47328b270e7a1d9d7056debb8f16d962722%40%3Cdev.atlas.apache.org%3E", }, { name: "[atlas-commits] 20200915 [atlas] branch master updated: ATLAS-3940 : Upgrade snakeyaml to a version without CVE-2017-18640 (#110)", tags: [ "mailing-list", "x_transferred", ], url: 
"https://lists.apache.org/thread.html/rce5c93bba6e815fb62ad38e28ca1943b3019af1eddeb06507ad4e11a%40%3Ccommits.atlas.apache.org%3E", }, { name: "[atlas-dev] 20200915 [GitHub] [atlas] nixonrodrigues merged pull request #110: ATLAS-3940 : Upgrade snakeyaml to a version without CVE-2017-18640", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r5510f0125ba409fc1cabd098ab8b457741e5fa314cbd0e61e4339422%40%3Cdev.atlas.apache.org%3E", }, { name: "[atlas-dev] 20200915 [jira] [Commented] (ATLAS-3940) Upgrade snakeyaml to a version without CVE-2017-18640", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r2db207a2431a5e9e95e899858ab1f5eabd9bcc790a6ca7193ae07e94%40%3Cdev.atlas.apache.org%3E", }, { name: "[atlas-commits] 20200916 [atlas] 02/02: ATLAS-3940 : Upgrade snakeyaml to a version without CVE-2017-18640 (#110)", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r1058e7646988394de6a3fd0857ea9b1ee0de14d7bb28fee5ff782457%40%3Ccommits.atlas.apache.org%3E", }, { name: "[atlas-dev] 20200916 [jira] [Commented] (ATLAS-3940) Upgrade snakeyaml to a version without CVE-2017-18640", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/re851bbfbedd47c690b6e01942acb98ee08bd00df1a94910b905bc8cd%40%3Cdev.atlas.apache.org%3E", }, { name: "[cassandra-commits] 20200930 [jira] [Created] (CASSANDRA-16150) Upgrade to snakeyaml >= 1.26 version for CVE-2017-18640 fix", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r56805265475919252ba7fc10123f15b91097f3009bae86476624ca25%40%3Ccommits.cassandra.apache.org%3E", }, { name: "[cassandra-commits] 20200930 [jira] [Updated] (CASSANDRA-16150) Upgrade to snakeyaml >= 1.26 version for CVE-2017-18640 fix", tags: [ "mailing-list", "x_transferred", ], url: 
"https://lists.apache.org/thread.html/rbaa1f513d903c89a08267c91d86811fa5bcc82e0596b6142c5cea7ea%40%3Ccommits.cassandra.apache.org%3E", }, { name: "[cassandra-commits] 20200930 [jira] [Comment Edited] (CASSANDRA-16150) Upgrade to snakeyaml >= 1.26 version for CVE-2017-18640 fix", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/reb1751562ee5146d3aca654a2df76a2c13d8036645ce69946f9c219e%40%3Ccommits.cassandra.apache.org%3E", }, { name: "[cassandra-commits] 20200930 [jira] [Commented] (CASSANDRA-16150) Upgrade to snakeyaml >= 1.26 version for CVE-2017-18640 fix", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r1ffce2ed3017e9964f03ad2c539d69e49144fc8e9bf772d641612f98%40%3Ccommits.cassandra.apache.org%3E", }, { name: "[cassandra-commits] 20201001 [jira] [Commented] (CASSANDRA-16150) Upgrade to snakeyaml >= 1.26 version for CVE-2017-18640 fix", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/rc3211c71f7e0973a1825d1988a3921288c06cd9d793eae97ecd34948%40%3Ccommits.cassandra.apache.org%3E", }, { name: "[cassandra-commits] 20201002 [jira] [Commented] (CASSANDRA-16150) Upgrade to snakeyaml >= 1.26 version for CVE-2017-18640 fix", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r55d807f31e64a080c54455897c20b1667ec792e5915132c7b7750533%40%3Ccommits.cassandra.apache.org%3E", }, { name: "[cassandra-commits] 20201002 [jira] [Comment Edited] (CASSANDRA-16150) Upgrade to snakeyaml >= 1.26 version for CVE-2017-18640 fix", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/recfe569f4f260328b0036f1c82b2956e864d519ab941a5e75d0d832d%40%3Ccommits.cassandra.apache.org%3E", }, { name: "[cassandra-commits] 20201007 [jira] [Updated] (CASSANDRA-16150) Upgrade to snakeyaml >= 1.26 version for CVE-2017-18640 fix", tags: [ "mailing-list", "x_transferred", ], url: 
"https://lists.apache.org/thread.html/rf95bebee6dfcc55067cebe8482bd31e6f481d9f74ba8e03f860c3ec7%40%3Ccommits.cassandra.apache.org%3E", }, { name: "[cassandra-commits] 20201007 [jira] [Commented] (CASSANDRA-16150) Upgrade to snakeyaml >= 1.26 version for CVE-2017-18640 fix", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r1703a402f30c8a2ee409f8c6f393e95a63f8c952cc9ee5bf9dd586dc%40%3Ccommits.cassandra.apache.org%3E", }, { name: "[cassandra-commits] 20201009 [jira] [Comment Edited] (CASSANDRA-16150) Upgrade to snakeyaml >= 1.26 version for CVE-2017-18640 fix", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r191ceadb1b883357384981848dfa5235cb02a90070c553afbaf9b3d9%40%3Ccommits.cassandra.apache.org%3E", }, { name: "[cassandra-commits] 20201009 [jira] [Commented] (CASSANDRA-16150) Upgrade to snakeyaml >= 1.26 version for CVE-2017-18640 fix", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r20350031c60a77b45e0eded33e9b3e9cb0cbfc5e24e1c63bf264df12%40%3Ccommits.cassandra.apache.org%3E", }, { name: "[cassandra-commits] 20201009 [jira] [Updated] (CASSANDRA-16150) Upgrade to snakeyaml >= 1.26 version for CVE-2017-18640 fix", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/rd582c64f66c354240290072f340505f5d026ca944ec417226bb0272e%40%3Ccommits.cassandra.apache.org%3E", }, { name: "[cassandra-commits] 20201009 [cassandra] branch trunk updated: Upgrade to snakeyaml >= 1.26 version for CVE-2017-18640 fix", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/rb5c33d0069c927fae16084f0605895b98d231d7c48527bcb822ac48c%40%3Ccommits.cassandra.apache.org%3E", }, { name: "[hadoop-common-issues] 20201026 [jira] [Commented] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", tags: [ "mailing-list", "x_transferred", ], url: 
"https://lists.apache.org/thread.html/rcb4b61dbe2ed1c7a88781a9aff5a9e7342cc7ed026aec0418ee67596%40%3Ccommon-issues.hadoop.apache.org%3E", }, { name: "[hadoop-common-issues] 20201027 [jira] [Commented] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/raebd2019b3da8c2f90f31e8b203b45353f78770ca93bfe5376f5532e%40%3Ccommon-issues.hadoop.apache.org%3E", }, { name: "[hadoop-common-issues] 20201028 [jira] [Commented] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r4d7f37da1bc2df90a5a0f56eb7629b5ea131bfe11eeeb4b4c193f64a%40%3Ccommon-issues.hadoop.apache.org%3E", }, { name: "[hadoop-common-issues] 20201028 [jira] [Updated] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r22ac2aa053b7d9c6b75a49db78125c9316499668d0f4a044f3402e2f%40%3Ccommon-issues.hadoop.apache.org%3E", }, { name: "[hadoop-common-commits] 20201028 [hadoop] branch trunk updated: HADOOP-17236. Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640. Contributed by Brahma Reddy Battula.", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r1aab47b48a757c70e40fc0bcb1fcf1a3951afa6a17aee7cd66cf79f8%40%3Ccommon-commits.hadoop.apache.org%3E", }, { name: "[hadoop-common-commits] 20201028 [hadoop] branch branch-3.3 updated: HADOOP-17236. Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640. 
Contributed by Brahma Reddy Battula.", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/rcb2a7037366c58bac6aec6ce3df843a11ef97ae4eb049f05f410eaa5%40%3Ccommon-commits.hadoop.apache.org%3E", }, { name: "[phoenix-dev] 20210419 [jira] [Created] (OMID-207) Upgrade to snakeyaml 1.26 due to CVE-2017-18640", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r436988d2cfe8a770ae361c82b181c5b2bf48a249bad84d8a55a3b46e%40%3Cdev.phoenix.apache.org%3E", }, { name: "[phoenix-dev] 20210419 [GitHub] [phoenix-omid] richardantal opened a new pull request #93: OMID-207 Upgrade to snakeyaml 1.26 due to CVE-2017-18640", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r7ce3de03facf7e7f3e24fc25d26d555818519dafdb20f29398a3414b%40%3Cdev.phoenix.apache.org%3E", }, { tags: [ "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { tags: [ "x_transferred", ], url: "https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion", }, { tags: [ "x_transferred", ], url: "https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.25/usages", }, { tags: [ "x_transferred", ], url: "https://bitbucket.org/asomov/snakeyaml/wiki/Billion%20laughs%20attack", }, { tags: [ "x_transferred", ], url: "https://lists.apache.org/thread.html/r4c682fb8cf69dd14162439656a6ebdf42ea6ad0e4edba95907ea3f14%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_transferred", ], url: "https://lists.apache.org/thread.html/r900e020760c89f082df1c6e0d46320eba721e4e47bb9eb521e68cd95%40%3Ccommits.servicecomb.apache.org%3E", }, { name: "[kafka-users] 20210617 vulnerabilities", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E", }, { name: "[hadoop-common-issues] 20211006 [jira] [Commented] (HADOOP-17236) Bump up snakeyaml to 1.26 to 
mitigate CVE-2017-18640", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r16ae4e529401b75a1f5aa462b272b31bf2a108236f882f06fddc14bc%40%3Ccommon-issues.hadoop.apache.org%3E", }, { name: "[hadoop-common-commits] 20211008 [hadoop] branch branch-3.2.3 updated: HADOOP-17236. Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640. Contributed by Brahma Reddy Battula.", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/rfe0aab6c3bebbd9cbfdedb65ff3fdf420714bcb8acdfd346077e1263%40%3Ccommon-commits.hadoop.apache.org%3E", }, { name: "[hadoop-common-issues] 20211008 [jira] [Updated] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r182e9cf6f3fb22b9be0cac4ff0685199741d2ab6e9a4e27a3693c224%40%3Ccommon-issues.hadoop.apache.org%3E", }, { name: "[hadoop-common-commits] 20211008 [hadoop] branch branch-3.2 updated: HADOOP-17236. Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640. 
Contributed by Brahma Reddy Battula.", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/rdd34c0479587e32a656d976649409487d51ca0d296b3e26b6b89c3f5%40%3Ccommon-commits.hadoop.apache.org%3E", }, { name: "[hadoop-common-issues] 20211008 [jira] [Commented] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.apache.org/thread.html/r465d2553a31265b042cf5457ef649b71e0722ab89b6ea94a5d59529b%40%3Ccommon-issues.hadoop.apache.org%3E", }, { tags: [ "x_transferred", ], url: "https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes", }, { tags: [ "x_transferred", ], url: "https://bitbucket.org/snakeyaml/snakeyaml/issues/377", }, { name: "GLSA-202305-28", tags: [ "vendor-advisory", "x_transferred", ], url: "https://security.gentoo.org/glsa/202305-28", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2023-05-21T00:00:00", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { name: "FEDORA-2020-599514b47e", tags: [ "vendor-advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKN7VGIKTYBCAKYBRG55QHXAY5UDZ7HA/", }, { name: "FEDORA-2020-23012fafbc", tags: [ "vendor-advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PTVJC54XGX26UJVVYCXZ7D25X3R5T2G6/", }, { name: "[pulsar-commits] 20200830 [GitHub] [pulsar] codelipenghui commented on issue #7928: CVE-2017-18640 exposure snakeyaml below 1.26", tags: [ 
"mailing-list", ], url: "https://lists.apache.org/thread.html/r8b57c57cffa01e418868a3c7535b987635ff1fb5ab534203bfa2d64a%40%3Ccommits.pulsar.apache.org%3E", }, { name: "[hadoop-common-dev] 20200830 [jira] [Created] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/rb34d8d3269ad47a1400f5a1a2d8310e13a80b6576ebd7f512144198d%40%3Ccommon-dev.hadoop.apache.org%3E", }, { name: "[hadoop-common-issues] 20200830 [jira] [Updated] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r8464b6ec951aace8c807bac9ea526d4f9e3116aa16d38be06f7c6524%40%3Ccommon-issues.hadoop.apache.org%3E", }, { name: "[hadoop-common-issues] 20200830 [jira] [Created] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r643ba53f002ae59068f9352fe1d82e1b6f375387ffb776f13efe8fda%40%3Ccommon-issues.hadoop.apache.org%3E", }, { name: "[pulsar-commits] 20200831 [GitHub] [pulsar] wolfstudy edited a comment on issue #7928: CVE-2017-18640 exposure snakeyaml below 1.26", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r2b05744c0c2867daa5d1a96832965b7d6220328b0ead06c22a6e7854%40%3Ccommits.pulsar.apache.org%3E", }, { name: "[pulsar-commits] 20200831 [GitHub] [pulsar] wolfstudy commented on issue #7928: CVE-2017-18640 exposure snakeyaml below 1.26", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r6c91e52b3cc9f4e64afe0f34f20507143fd1f756d12681a56a9b38da%40%3Ccommits.pulsar.apache.org%3E", }, { name: "[hadoop-common-issues] 20200831 [jira] [Commented] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r72a3588d62b2de1361dc9648f5d355385735e47f7ba49d089b0e680d%40%3Ccommon-issues.hadoop.apache.org%3E", }, { name: "[atlas-dev] 
20200907 [GitHub] [atlas] crazylab opened a new pull request #109: Upgrade snakeyaml to a version without CVE-2017-18640", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r1dfac8b6a7097bcb4979402bbb6e2f8c36d0d9001e3018717eb22b7e%40%3Cdev.atlas.apache.org%3E", }, { name: "[cassandra-pr] 20200907 [GitHub] [cassandra] crazylab opened a new pull request #736: Upgrade to a snakeyaml version without CVE", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/rb0e033d5ec8233360203431ad96580cf2ec56f47d9a425d894e279c2%40%3Cpr.cassandra.apache.org%3E", }, { name: "[atlas-dev] 20200907 [GitHub] [atlas] crazylab opened a new pull request #110: Upgrade snakeyaml to a version without CVE-2017-18640", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r2a5b84fdf59042dc398497e914b5bb1aed77328320b1438144ae1953%40%3Cdev.atlas.apache.org%3E", }, { name: "[atlas-dev] 20200907 [GitHub] [atlas] crazylab closed pull request #109: Upgrade snakeyaml to a version without CVE-2017-18640", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r6d54c2da792c74cc14b9b7665ea89e144c9e238ed478d37fd56292e6%40%3Cdev.atlas.apache.org%3E", }, { name: "[pulsar-commits] 20200907 [GitHub] [pulsar] jiazhai closed issue #7928: CVE-2017-18640 exposure snakeyaml below 1.26", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r666f29a7d0e1f98fa1425ca01efcfa86e6e3856e01d300828aa7c6ea%40%3Ccommits.pulsar.apache.org%3E", }, { name: "[hadoop-common-issues] 20200909 [jira] [Commented] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r154090b871cf96d985b90864442d84eb027c72c94bc3f0a5727ba2d1%40%3Ccommon-issues.hadoop.apache.org%3E", }, { name: "[atlas-dev] 20200914 [GitHub] [atlas] nixonrodrigues commented on pull request #110: ATLAS-3940 : Upgrade snakeyaml to a version without CVE-2017-18640", tags: [ "mailing-list", ], url: 
"https://lists.apache.org/thread.html/r28c9009a48d52cf448f8b02cd823da0f8601d2dff4d66f387a35f1e0%40%3Cdev.atlas.apache.org%3E", }, { name: "[atlas-dev] 20200914 [jira] [Created] (ATLAS-3940) Upgrade snakeyaml to a version without CVE-2017-18640", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/rb7b28ac741e32dd5edb2c22485d635275bead7290b056ee56baf8ce0%40%3Cdev.atlas.apache.org%3E", }, { name: "[atlas-dev] 20200914 [jira] [Updated] (ATLAS-3940) Upgrade snakeyaml to a version without CVE-2017-18640", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/re791a854001ec1f79cd4f47328b270e7a1d9d7056debb8f16d962722%40%3Cdev.atlas.apache.org%3E", }, { name: "[atlas-commits] 20200915 [atlas] branch master updated: ATLAS-3940 : Upgrade snakeyaml to a version without CVE-2017-18640 (#110)", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/rce5c93bba6e815fb62ad38e28ca1943b3019af1eddeb06507ad4e11a%40%3Ccommits.atlas.apache.org%3E", }, { name: "[atlas-dev] 20200915 [GitHub] [atlas] nixonrodrigues merged pull request #110: ATLAS-3940 : Upgrade snakeyaml to a version without CVE-2017-18640", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r5510f0125ba409fc1cabd098ab8b457741e5fa314cbd0e61e4339422%40%3Cdev.atlas.apache.org%3E", }, { name: "[atlas-dev] 20200915 [jira] [Commented] (ATLAS-3940) Upgrade snakeyaml to a version without CVE-2017-18640", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r2db207a2431a5e9e95e899858ab1f5eabd9bcc790a6ca7193ae07e94%40%3Cdev.atlas.apache.org%3E", }, { name: "[atlas-commits] 20200916 [atlas] 02/02: ATLAS-3940 : Upgrade snakeyaml to a version without CVE-2017-18640 (#110)", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r1058e7646988394de6a3fd0857ea9b1ee0de14d7bb28fee5ff782457%40%3Ccommits.atlas.apache.org%3E", }, { name: "[atlas-dev] 20200916 [jira] [Commented] (ATLAS-3940) Upgrade snakeyaml to a version without 
CVE-2017-18640", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/re851bbfbedd47c690b6e01942acb98ee08bd00df1a94910b905bc8cd%40%3Cdev.atlas.apache.org%3E", }, { name: "[cassandra-commits] 20200930 [jira] [Created] (CASSANDRA-16150) Upgrade to snakeyaml >= 1.26 version for CVE-2017-18640 fix", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r56805265475919252ba7fc10123f15b91097f3009bae86476624ca25%40%3Ccommits.cassandra.apache.org%3E", }, { name: "[cassandra-commits] 20200930 [jira] [Updated] (CASSANDRA-16150) Upgrade to snakeyaml >= 1.26 version for CVE-2017-18640 fix", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/rbaa1f513d903c89a08267c91d86811fa5bcc82e0596b6142c5cea7ea%40%3Ccommits.cassandra.apache.org%3E", }, { name: "[cassandra-commits] 20200930 [jira] [Comment Edited] (CASSANDRA-16150) Upgrade to snakeyaml >= 1.26 version for CVE-2017-18640 fix", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/reb1751562ee5146d3aca654a2df76a2c13d8036645ce69946f9c219e%40%3Ccommits.cassandra.apache.org%3E", }, { name: "[cassandra-commits] 20200930 [jira] [Commented] (CASSANDRA-16150) Upgrade to snakeyaml >= 1.26 version for CVE-2017-18640 fix", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r1ffce2ed3017e9964f03ad2c539d69e49144fc8e9bf772d641612f98%40%3Ccommits.cassandra.apache.org%3E", }, { name: "[cassandra-commits] 20201001 [jira] [Commented] (CASSANDRA-16150) Upgrade to snakeyaml >= 1.26 version for CVE-2017-18640 fix", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/rc3211c71f7e0973a1825d1988a3921288c06cd9d793eae97ecd34948%40%3Ccommits.cassandra.apache.org%3E", }, { name: "[cassandra-commits] 20201002 [jira] [Commented] (CASSANDRA-16150) Upgrade to snakeyaml >= 1.26 version for CVE-2017-18640 fix", tags: [ "mailing-list", ], url: 
"https://lists.apache.org/thread.html/r55d807f31e64a080c54455897c20b1667ec792e5915132c7b7750533%40%3Ccommits.cassandra.apache.org%3E", }, { name: "[cassandra-commits] 20201002 [jira] [Comment Edited] (CASSANDRA-16150) Upgrade to snakeyaml >= 1.26 version for CVE-2017-18640 fix", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/recfe569f4f260328b0036f1c82b2956e864d519ab941a5e75d0d832d%40%3Ccommits.cassandra.apache.org%3E", }, { name: "[cassandra-commits] 20201007 [jira] [Updated] (CASSANDRA-16150) Upgrade to snakeyaml >= 1.26 version for CVE-2017-18640 fix", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/rf95bebee6dfcc55067cebe8482bd31e6f481d9f74ba8e03f860c3ec7%40%3Ccommits.cassandra.apache.org%3E", }, { name: "[cassandra-commits] 20201007 [jira] [Commented] (CASSANDRA-16150) Upgrade to snakeyaml >= 1.26 version for CVE-2017-18640 fix", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r1703a402f30c8a2ee409f8c6f393e95a63f8c952cc9ee5bf9dd586dc%40%3Ccommits.cassandra.apache.org%3E", }, { name: "[cassandra-commits] 20201009 [jira] [Comment Edited] (CASSANDRA-16150) Upgrade to snakeyaml >= 1.26 version for CVE-2017-18640 fix", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r191ceadb1b883357384981848dfa5235cb02a90070c553afbaf9b3d9%40%3Ccommits.cassandra.apache.org%3E", }, { name: "[cassandra-commits] 20201009 [jira] [Commented] (CASSANDRA-16150) Upgrade to snakeyaml >= 1.26 version for CVE-2017-18640 fix", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r20350031c60a77b45e0eded33e9b3e9cb0cbfc5e24e1c63bf264df12%40%3Ccommits.cassandra.apache.org%3E", }, { name: "[cassandra-commits] 20201009 [jira] [Updated] (CASSANDRA-16150) Upgrade to snakeyaml >= 1.26 version for CVE-2017-18640 fix", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/rd582c64f66c354240290072f340505f5d026ca944ec417226bb0272e%40%3Ccommits.cassandra.apache.org%3E", }, { name: 
"[cassandra-commits] 20201009 [cassandra] branch trunk updated: Upgrade to snakeyaml >= 1.26 version for CVE-2017-18640 fix", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/rb5c33d0069c927fae16084f0605895b98d231d7c48527bcb822ac48c%40%3Ccommits.cassandra.apache.org%3E", }, { name: "[hadoop-common-issues] 20201026 [jira] [Commented] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/rcb4b61dbe2ed1c7a88781a9aff5a9e7342cc7ed026aec0418ee67596%40%3Ccommon-issues.hadoop.apache.org%3E", }, { name: "[hadoop-common-issues] 20201027 [jira] [Commented] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/raebd2019b3da8c2f90f31e8b203b45353f78770ca93bfe5376f5532e%40%3Ccommon-issues.hadoop.apache.org%3E", }, { name: "[hadoop-common-issues] 20201028 [jira] [Commented] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r4d7f37da1bc2df90a5a0f56eb7629b5ea131bfe11eeeb4b4c193f64a%40%3Ccommon-issues.hadoop.apache.org%3E", }, { name: "[hadoop-common-issues] 20201028 [jira] [Updated] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r22ac2aa053b7d9c6b75a49db78125c9316499668d0f4a044f3402e2f%40%3Ccommon-issues.hadoop.apache.org%3E", }, { name: "[hadoop-common-commits] 20201028 [hadoop] branch trunk updated: HADOOP-17236. Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640. Contributed by Brahma Reddy Battula.", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r1aab47b48a757c70e40fc0bcb1fcf1a3951afa6a17aee7cd66cf79f8%40%3Ccommon-commits.hadoop.apache.org%3E", }, { name: "[hadoop-common-commits] 20201028 [hadoop] branch branch-3.3 updated: HADOOP-17236. 
Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640. Contributed by Brahma Reddy Battula.", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/rcb2a7037366c58bac6aec6ce3df843a11ef97ae4eb049f05f410eaa5%40%3Ccommon-commits.hadoop.apache.org%3E", }, { name: "[phoenix-dev] 20210419 [jira] [Created] (OMID-207) Upgrade to snakeyaml 1.26 due to CVE-2017-18640", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r436988d2cfe8a770ae361c82b181c5b2bf48a249bad84d8a55a3b46e%40%3Cdev.phoenix.apache.org%3E", }, { name: "[phoenix-dev] 20210419 [GitHub] [phoenix-omid] richardantal opened a new pull request #93: OMID-207 Upgrade to snakeyaml 1.26 due to CVE-2017-18640", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r7ce3de03facf7e7f3e24fc25d26d555818519dafdb20f29398a3414b%40%3Cdev.phoenix.apache.org%3E", }, { url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { url: "https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion", }, { url: "https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.25/usages", }, { url: "https://bitbucket.org/asomov/snakeyaml/wiki/Billion%20laughs%20attack", }, { url: "https://lists.apache.org/thread.html/r4c682fb8cf69dd14162439656a6ebdf42ea6ad0e4edba95907ea3f14%40%3Ccommits.servicecomb.apache.org%3E", }, { url: "https://lists.apache.org/thread.html/r900e020760c89f082df1c6e0d46320eba721e4e47bb9eb521e68cd95%40%3Ccommits.servicecomb.apache.org%3E", }, { name: "[kafka-users] 20210617 vulnerabilities", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E", }, { name: "[hadoop-common-issues] 20211006 [jira] [Commented] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", tags: [ "mailing-list", ], url: 
"https://lists.apache.org/thread.html/r16ae4e529401b75a1f5aa462b272b31bf2a108236f882f06fddc14bc%40%3Ccommon-issues.hadoop.apache.org%3E", }, { name: "[hadoop-common-commits] 20211008 [hadoop] branch branch-3.2.3 updated: HADOOP-17236. Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640. Contributed by Brahma Reddy Battula.", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/rfe0aab6c3bebbd9cbfdedb65ff3fdf420714bcb8acdfd346077e1263%40%3Ccommon-commits.hadoop.apache.org%3E", }, { name: "[hadoop-common-issues] 20211008 [jira] [Updated] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r182e9cf6f3fb22b9be0cac4ff0685199741d2ab6e9a4e27a3693c224%40%3Ccommon-issues.hadoop.apache.org%3E", }, { name: "[hadoop-common-commits] 20211008 [hadoop] branch branch-3.2 updated: HADOOP-17236. Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640. Contributed by Brahma Reddy Battula.", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/rdd34c0479587e32a656d976649409487d51ca0d296b3e26b6b89c3f5%40%3Ccommon-commits.hadoop.apache.org%3E", }, { name: "[hadoop-common-issues] 20211008 [jira] [Commented] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", tags: [ "mailing-list", ], url: "https://lists.apache.org/thread.html/r465d2553a31265b042cf5457ef649b71e0722ab89b6ea94a5d59529b%40%3Ccommon-issues.hadoop.apache.org%3E", }, { url: "https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes", }, { url: "https://bitbucket.org/snakeyaml/snakeyaml/issues/377", }, { name: "GLSA-202305-28", tags: [ "vendor-advisory", ], url: "https://security.gentoo.org/glsa/202305-28", }, ], }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2017-18640", datePublished: "2019-12-12T00:00:00", dateReserved: "2019-12-12T00:00:00", dateUpdated: "2024-08-05T21:28:55.802Z", state: "PUBLISHED", }, dataType: 
"CVE_RECORD", dataVersion: "5.1", }
cve-2021-29427
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://docs.gradle.org/7.0/release-notes.html#security-advisories | x_refsource_MISC | |
https://github.com/gradle/gradle/security/advisories/GHSA-jvmj-rh6q-x395 | x_refsource_CONFIRM |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T22:02:51.882Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://docs.gradle.org/7.0/release-notes.html#security-advisories", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/gradle/gradle/security/advisories/GHSA-jvmj-rh6q-x395", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "gradle", vendor: "gradle", versions: [ { status: "affected", version: ">= 5.1, <= 6.8.3", }, ], }, ], descriptions: [ { lang: "en", value: "In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve specific dependencies. This feature was introduced in the wake of the \"A Confusing Dependency\" blog post. In some cases, Gradle may ignore content filters and search all repositories for dependencies. This only occurs when repository content filtering is used from within a `pluginManagement` block in a settings file. This may change how dependencies are resolved for Gradle plugins and build scripts. For builds that are vulnerable, there are two risks: 1) Information disclosure: Gradle could make dependency requests to repositories outside your organization and leak internal package identifiers. 2) Dependency poisoning/Dependency confusion: Gradle could download a malicious binary from a repository outside your organization due to name squatting. For a full example and more details refer to the referenced GitHub Security Advisory. The problem has been patched and released with Gradle 7.0. Users relying on this feature should upgrade their build as soon as possible. 
As a workaround, users may use a company repository which has the right rules for fetching packages from public repositories, or use project level repository content filtering, inside `buildscript.repositories`. This option is available since Gradle 5.1 when the feature was introduced.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-829", description: "CWE-829 Inclusion of Functionality from Untrusted Control Sphere", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-04-13T17:55:24", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://docs.gradle.org/7.0/release-notes.html#security-advisories", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/gradle/gradle/security/advisories/GHSA-jvmj-rh6q-x395", }, ], source: { advisory: "GHSA-jvmj-rh6q-x395", discovery: "UNKNOWN", }, title: "Repository content filters do not work in Settings pluginManagement", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security-advisories@github.com", ID: "CVE-2021-29427", STATE: "PUBLIC", TITLE: "Repository content filters do not work in Settings pluginManagement", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "gradle", version: { version_data: [ { version_value: ">= 5.1, <= 6.8.3", }, ], }, }, ], }, vendor_name: "gradle", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or 
dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve specific dependencies. This feature was introduced in the wake of the \"A Confusing Dependency\" blog post. In some cases, Gradle may ignore content filters and search all repositories for dependencies. This only occurs when repository content filtering is used from within a `pluginManagement` block in a settings file. This may change how dependencies are resolved for Gradle plugins and build scripts. For builds that are vulnerable, there are two risks: 1) Information disclosure: Gradle could make dependency requests to repositories outside your organization and leak internal package identifiers. 2) Dependency poisoning/Dependency confusion: Gradle could download a malicious binary from a repository outside your organization due to name squatting. For a full example and more details refer to the referenced GitHub Security Advisory. The problem has been patched and released with Gradle 7.0. Users relying on this feature should upgrade their build as soon as possible. As a workaround, users may use a company repository which has the right rules for fetching packages from public repositories, or use project level repository content filtering, inside `buildscript.repositories`. 
This option is available since Gradle 5.1 when the feature was introduced.", }, ], }, impact: { cvss: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-829 Inclusion of Functionality from Untrusted Control Sphere", }, ], }, ], }, references: { reference_data: [ { name: "https://docs.gradle.org/7.0/release-notes.html#security-advisories", refsource: "MISC", url: "https://docs.gradle.org/7.0/release-notes.html#security-advisories", }, { name: "https://github.com/gradle/gradle/security/advisories/GHSA-jvmj-rh6q-x395", refsource: "CONFIRM", url: "https://github.com/gradle/gradle/security/advisories/GHSA-jvmj-rh6q-x395", }, ], }, source: { advisory: "GHSA-jvmj-rh6q-x395", discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2021-29427", datePublished: "2021-04-13T17:55:24", dateReserved: "2021-03-30T00:00:00", dateUpdated: "2024-08-03T22:02:51.882Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-2466
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://github.com/quarkusio/quarkus/issues/26748 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T00:39:07.746Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/quarkusio/quarkus/issues/26748", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "quarkus", vendor: "n/a", versions: [ { status: "affected", version: "quarkus 2.10.3", }, ], }, ], descriptions: [ { lang: "en", value: "It was found that Quarkus 2.10.x does not terminate HTTP requests header context which may lead to unpredictable behavior.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-444", description: "CWE-444", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-08-31T15:33:01", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/quarkusio/quarkus/issues/26748", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2022-2466", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "quarkus", version: { version_data: [ { version_value: "quarkus 2.10.3", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "It was found that Quarkus 2.10.x does not terminate HTTP requests header context which may lead to unpredictable behavior.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-444", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/quarkusio/quarkus/issues/26748", refsource: "MISC", url: "https://github.com/quarkusio/quarkus/issues/26748", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2022-2466", datePublished: "2022-08-31T15:33:01", 
dateReserved: "2022-07-19T00:00:00", dateUpdated: "2024-08-03T00:39:07.746Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-1728
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1728 | x_refsource_CONFIRM |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T06:46:30.949Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1728", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "keycloak", vendor: "[UNKNOWN]", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-358", description: "CWE-358", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2020-04-06T13:04:23", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1728", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2020-1728", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "keycloak", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "[UNKNOWN]", }, ], }, }, data_format: 
"MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors.", }, ], }, impact: { cvss: [ [ { vectorString: "4.8/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, ], ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-358", }, ], }, ], }, references: { reference_data: [ { name: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1728", refsource: "CONFIRM", url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1728", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2020-1728", datePublished: "2020-04-06T13:04:23", dateReserved: "2019-11-27T00:00:00", dateUpdated: "2024-08-04T06:46:30.949Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-25649
Vulnerability from cvelistv5
Vendor | Product | Version | ||
---|---|---|---|---|
n/a | jackson-databind |
Version: jackson-databind-2.11.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T15:40:36.648Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1887664", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/FasterXML/jackson-databind/issues/2589", }, { name: "[kafka-jira] 20201205 [GitHub] [kafka] sirocchj opened a new pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ra1157e57a01d25e36b0dc17959ace758fc21ba36746de29ba1d8b130%40%3Cjira.kafka.apache.org%3E", }, { name: "[druid-commits] 20201208 [GitHub] [druid] jihoonson opened a new pull request #10655: Bump up jackson-databind to 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r2b6ddb3a4f4cd11d8f6305011e1b7438ba813511f2e3ab3180c7ffda%40%3Ccommits.druid.apache.org%3E", }, { name: "[kafka-jira] 20201209 [GitHub] [kafka] ijuma commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r2882fc1f3032cd7be66e28787f04ec6f1874ac68d47e310e30ff7eb1%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20201209 [GitHub] [kafka] niteshmor commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/re96dc7a13e13e56190a5d80f9e5440a0d0c83aeec6467b562fbf2dca%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20201209 [GitHub] [kafka] sirocchj edited a comment on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", 
"x_transferred", ], url: "https://lists.apache.org/thread.html/r1b7ed0c4b6c4301d4dfd6fdbc5581b0a789d3240cab55d766f33c6c6%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20201209 [GitHub] [kafka] sirocchj commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rd317f15a675d114dbf5b488d27eeb2467b4424356b16116eb18a652d%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20201210 [GitHub] [kafka] sirocchj commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rc15e90bbef196a5c6c01659e015249d6c9a73581ca9afb8aeecf00d2%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20201210 [GitHub] [kafka] niteshmor edited a comment on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r63c87aab97155f3f3cbe11d030c4a184ea0de440ee714977db02e956%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20201210 [GitHub] [kafka] niteshmor commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rc959cdb57c4fe198316130ff4a5ecbf9d680e356032ff2e9f4f05d54%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20201215 [GitHub] [kafka] ijuma commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/raf13235de6df1d47a717199e1ecd700dff3236632f5c9a1488d9845b%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-users] 20201215 Re: [VOTE] 2.7.0 RC5", tags: [ 
"mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304%40%3Cusers.kafka.apache.org%3E", }, { name: "[kafka-dev] 20201215 Re: [VOTE] 2.7.0 RC5", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304%40%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-jira] 20201215 [GitHub] [kafka] ijuma merged pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r5f8a1608d758936bd6bbc5eed980777437b611537bf6fff40663fc71%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20201215 [GitHub] [kafka] ijuma edited a comment on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r78d53a0a269c18394daf5940105dc8c7f9a2399503c2e78be20abe7e%40%3Cjira.kafka.apache.org%3E", }, { name: "[zookeeper-issues] 20210105 [jira] [Created] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r98bfe3b90ea9408f12c4b447edcb5638703d80bc782430aa0c210a54%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210105 [jira] [Updated] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r90d1e97b0a743cf697d89a792a9b669909cc5a1692d1e0083a22e66c%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-dev] 20210105 [jira] [Created] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", 
"x_transferred", ], url: "https://lists.apache.org/thread.html/r900d4408c4189b376d1ec580ea7740ea6f8710dc2f0b7e9c9eeb5ae0%40%3Cdev.zookeeper.apache.org%3E", }, { name: "[kafka-dev] 20210105 Re: [kafka-clients] Re: [VOTE] 2.6.1 RC3", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080%40%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-users] 20210105 Re: [kafka-clients] Re: [VOTE] 2.6.1 RC3", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080%40%3Cusers.kafka.apache.org%3E", }, { name: "[zookeeper-issues] 20210106 [jira] [Updated] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rd6f6bf848c2d47fa4a85c27d011d948778b8f7e58ba495968435a0b3%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210106 [GitHub] [zookeeper] edwin092 opened a new pull request #1572: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r6e3d4f7991542119a4ca6330271d7fbf7b9fb3abab24ada82ddf1ee4%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210106 [jira] [Commented] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r0b8dc3acd4503e4ecb6fbd6ea7d95f59941168d8452ac0ab1d1d96bb%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210106 [GitHub] [zookeeper] asfgit closed pull request #1572: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", 
"x_transferred", ], url: "https://lists.apache.org/thread.html/r68d029ee74ab0f3b0569d0c05f5688cb45dd3abe96a6534735252805%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210106 [zookeeper] branch branch-3.5.9 updated: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rc88f2fa2b7bd6443921727aeee7704a1fb02433e722e2abf677e0d3d%40%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210106 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r94c7e86e546120f157264ba5ba61fd29b3a8d530ed325a9b4fa334d7%40%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210106 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rdf9a34726482222c90d50ae1b9847881de67dde8cfde4999633d2cdc%40%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210106 [GitHub] [zookeeper] nkalmar commented on pull request #1572: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r04529cedaca40c2ff90af4880493f9c88a8ebf4d1d6c861d23108a5a%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210106 [zookeeper] branch master updated: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r86c78bf7656fdb2dab69cbf17f3d7492300f771025f1a3a65d5e5ce5%40%3Ccommits.zookeeper.apache.org%3E", }, { name: 
"[zookeeper-issues] 20210116 [jira] [Commented] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rb674520b9f6c808c1bf263b1369e14048ec3243615f35cfd24e33604%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[flink-issues] 20210121 [GitHub] [flink-shaded] HuangXingBo opened a new pull request #93: [FLINK-21020][jackson] Bump version to 2.12.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ra95faf968f3463acb3f31a6fbec31453fc5045325f99f396961886d3%40%3Cissues.flink.apache.org%3E", }, { name: "[flink-issues] 20210122 [GitHub] [flink-shaded] HuangXingBo opened a new pull request #93: [FLINK-21020][jackson] Bump version to 2.12.1", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r45e7350dfc92bb192f3f88e9971c11ab2be0953cc375be3dda5170bd%40%3Cissues.flink.apache.org%3E", }, { name: "[tomee-commits] 20210127 [jira] [Created] (TOMEE-2965) CVE-2020-25649 - Update jackson databind", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r95a297eb5fd1f2d3a2281f15340e2413f952e9d5503296c3adc7201a%40%3Ccommits.tomee.apache.org%3E", }, { name: "FEDORA-2021-1d8254899c", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6X2UT4X6M7DLQYBOOHMXBWGYJ65RL2CT/", }, { name: "[karaf-commits] 20210217 [GitHub] [karaf] svogt opened a new pull request #1296: Update jackson-databind to fix CVE-2020-25649 / BDSA-2020-2965", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/re16f81d3ad49a93dd2f0cba9f8fc88e5fb89f30bf9a2ad7b6f3e69c1%40%3Ccommits.karaf.apache.org%3E", }, { name: "[karaf-commits] 20210217 [GitHub] [karaf] 
jbonofre merged pull request #1296: Update jackson-databind to fix CVE-2020-25649 / BDSA-2020-2965", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r3e6ae311842de4e64c5d560a475b7f9cc7e0a9a8649363c6cf7537eb%40%3Ccommits.karaf.apache.org%3E", }, { name: "[karaf-commits] 20210217 [karaf] branch master updated: Update jackson-databind to fix CVE-2020-25649 / BDSA-2020-2965", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r91722ecfba688b0c565675f8bf380269fde8ec62b54d6161db544c22%40%3Ccommits.karaf.apache.org%3E", }, { name: "[karaf-commits] 20210217 [GitHub] [karaf] jbonofre commented on pull request #1296: Update jackson-databind to fix CVE-2020-25649 / BDSA-2020-2965", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rf1809a1374041a969d77afab21fc38925de066bc97e86157d3ac3402%40%3Ccommits.karaf.apache.org%3E", }, { name: "[hive-issues] 20210223 [jira] [Assigned] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r0881e23bd9034c8f51fdccdc8f4d085ba985dcd738f8520569ca5c3d%40%3Cissues.hive.apache.org%3E", }, { name: "[hive-dev] 20210223 [jira] [Created] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r2eb66c182853c69ecfb52f63d3dec09495e9b65be829fd889a081ae1%40%3Cdev.hive.apache.org%3E", }, { name: "[hive-issues] 20210223 [jira] [Updated] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r5b130fe668503c4b7e2caf1b16f86b7f2070fd1b7ef8f26195a2ffbd%40%3Cissues.hive.apache.org%3E", }, { name: "[hive-issues] 
20210223 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rd57c7582adc90e233f23f3727db3df9115b27a823b92374f11453f34%40%3Cissues.hive.apache.org%3E", }, { name: "[hive-issues] 20210315 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r407538adec3185dd35a05c9a26ae2f74425b15132470cf540f41d85b%40%3Cissues.hive.apache.org%3E", }, { name: "[hive-issues] 20210316 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r2f5c5479f99398ef344b7ebd4d90bc3316236c45d0f3bc42090efcd7%40%3Cissues.hive.apache.org%3E", }, { name: "[turbine-commits] 20210316 svn commit: r1887732 - in /turbine/fulcrum/trunk/json: ./ jackson/ jackson/src/test/org/apache/fulcrum/json/jackson/ jackson2/ jackson2/src/test/org/apache/fulcrum/json/jackson/ jackson2/src/test/org/apache/fulcrum/json/jackson/mixins/", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r011d1430e8f40dff9550c3bc5d0f48b14c01ba8aecabd91d5e495386%40%3Ccommits.turbine.apache.org%3E", }, { name: "[iotdb-notifications] 20210324 [jira] [Created] (IOTDB-1256) Jackson have loopholes CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r765283e145049df9b8998f14dcd444345555aae02b1610cfb3188bf8%40%3Cnotifications.iotdb.apache.org%3E", }, { name: "[iotdb-reviews] 20210324 [GitHub] [iotdb] wangchao316 opened a new pull request #2896: [IOTDB-1256] Jackson have loopholes CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: 
"https://lists.apache.org/thread.html/r605764e05e201db33b3e9c2e66ff620658f07ad74f296abe483f7042%40%3Creviews.iotdb.apache.org%3E", }, { name: "[iotdb-reviews] 20210324 [GitHub] [iotdb] wangchao316 closed pull request #2896: [IOTDB-1256] Jackson have loopholes CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r7cb5b4b3e4bd41a8042e5725b7285877a17bcbf07f4eb3f7b316af60%40%3Creviews.iotdb.apache.org%3E", }, { name: "[iotdb-commits] 20210325 [iotdb] branch master updated: [IOTDB-1256] upgrade Jackson to 2.11.0 because of loopholes CVE-2020-25649 (#2896)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r73bef1bb601a9f093f915f8075eb49fcca51efade57b817afd5def07%40%3Ccommits.iotdb.apache.org%3E", }, { name: "[iotdb-reviews] 20210325 [GitHub] [iotdb] jixuan1989 merged pull request #2896: [IOTDB-1256] Jackson have loopholes CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r6cbd599b80e787f02ff7a1391d9278a03f37d6a6f4f943f0f01a62fb%40%3Creviews.iotdb.apache.org%3E", }, { name: "[hive-issues] 20210503 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ra409f798a1e5a6652b7097429b388650ccd65fd958cee0b6f69bba00%40%3Cissues.hive.apache.org%3E", }, { name: "[hive-issues] 20210510 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rdca8711bb7aa5d47a44682606cd0ea3497e2e922f22b7ee83e81e6c1%40%3Cissues.hive.apache.org%3E", }, { name: "[hive-issues] 20210514 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", tags: [ "mailing-list", 
"x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r8ae961c80930e2717c75025414ce48a432cea1137c02f648b1fb9524%40%3Cissues.hive.apache.org%3E", }, { name: "[knox-dev] 20210601 [jira] [Created] (KNOX-2614) Upgrade Jackson due to CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rc82ff47853289e9cd17f5cfbb053c04cafc75ee32e3d7223963f83bb%40%3Cdev.knox.apache.org%3E", }, { name: "[knox-dev] 20210601 [jira] [Updated] (KNOX-2614) Upgrade jackson-databind to 2.10.5 due to CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r6a4f3ef6edfed2e0884269d84798f766779bbbc1005f7884e0800d61%40%3Cdev.knox.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://lists.apache.org/thread.html/r31f4ee7d561d56a0c2c2c6eb1d6ce3e05917ff9654fdbfec05dc2b83%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20210108-0007/", }, { name: "[spark-user] 20210621 Re: CVEs", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r8764bb835bcb8e311c882ff91dd3949c9824e905e880930be56f6ba3%40%3Cuser.spark.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "[kafka-dev] 20210831 Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-users] 20210831 Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image", tags: [ 
"mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E", }, { name: "[kafka-users] 20210901 Re: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E", }, { name: "[kafka-dev] 20210901 Re: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E", }, { name: "[hive-issues] 20211012 [jira] [Resolved] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r6a6df5647583541e3cb71c75141008802f7025cee1c430d4ed78f4cc%40%3Cissues.hive.apache.org%3E", }, { name: "[hive-issues] 20211012 [jira] [Updated] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r024b7bda9c43c5560d81238748775c5ecfe01b57280f90df1f773949%40%3Cissues.hive.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, ], title: "CVE Program Container", }, ], cna: { 
affected: [ { product: "jackson-databind", vendor: "n/a", versions: [ { status: "affected", version: "jackson-databind-2.11.0", }, ], }, ], descriptions: [ { lang: "en", value: "A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-611", description: "CWE-611", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-07-25T16:15:31", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1887664", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/FasterXML/jackson-databind/issues/2589", }, { name: "[kafka-jira] 20201205 [GitHub] [kafka] sirocchj opened a new pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ra1157e57a01d25e36b0dc17959ace758fc21ba36746de29ba1d8b130%40%3Cjira.kafka.apache.org%3E", }, { name: "[druid-commits] 20201208 [GitHub] [druid] jihoonson opened a new pull request #10655: Bump up jackson-databind to 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r2b6ddb3a4f4cd11d8f6305011e1b7438ba813511f2e3ab3180c7ffda%40%3Ccommits.druid.apache.org%3E", }, { name: "[kafka-jira] 20201209 [GitHub] [kafka] ijuma commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r2882fc1f3032cd7be66e28787f04ec6f1874ac68d47e310e30ff7eb1%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20201209 [GitHub] [kafka] niteshmor commented on pull request #9702: CVE-2020-25649: bumping jackson to patched 
version 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/re96dc7a13e13e56190a5d80f9e5440a0d0c83aeec6467b562fbf2dca%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20201209 [GitHub] [kafka] sirocchj edited a comment on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r1b7ed0c4b6c4301d4dfd6fdbc5581b0a789d3240cab55d766f33c6c6%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20201209 [GitHub] [kafka] sirocchj commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rd317f15a675d114dbf5b488d27eeb2467b4424356b16116eb18a652d%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20201210 [GitHub] [kafka] sirocchj commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rc15e90bbef196a5c6c01659e015249d6c9a73581ca9afb8aeecf00d2%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20201210 [GitHub] [kafka] niteshmor edited a comment on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r63c87aab97155f3f3cbe11d030c4a184ea0de440ee714977db02e956%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20201210 [GitHub] [kafka] niteshmor commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rc959cdb57c4fe198316130ff4a5ecbf9d680e356032ff2e9f4f05d54%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20201215 [GitHub] [kafka] ijuma commented on pull request #9702: 
CVE-2020-25649: bumping jackson to patched version 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/raf13235de6df1d47a717199e1ecd700dff3236632f5c9a1488d9845b%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-users] 20201215 Re: [VOTE] 2.7.0 RC5", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304%40%3Cusers.kafka.apache.org%3E", }, { name: "[kafka-dev] 20201215 Re: [VOTE] 2.7.0 RC5", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304%40%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-jira] 20201215 [GitHub] [kafka] ijuma merged pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r5f8a1608d758936bd6bbc5eed980777437b611537bf6fff40663fc71%40%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20201215 [GitHub] [kafka] ijuma edited a comment on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r78d53a0a269c18394daf5940105dc8c7f9a2399503c2e78be20abe7e%40%3Cjira.kafka.apache.org%3E", }, { name: "[zookeeper-issues] 20210105 [jira] [Created] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r98bfe3b90ea9408f12c4b447edcb5638703d80bc782430aa0c210a54%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210105 [jira] [Updated] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/r90d1e97b0a743cf697d89a792a9b669909cc5a1692d1e0083a22e66c%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-dev] 20210105 [jira] [Created] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r900d4408c4189b376d1ec580ea7740ea6f8710dc2f0b7e9c9eeb5ae0%40%3Cdev.zookeeper.apache.org%3E", }, { name: "[kafka-dev] 20210105 Re: [kafka-clients] Re: [VOTE] 2.6.1 RC3", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080%40%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-users] 20210105 Re: [kafka-clients] Re: [VOTE] 2.6.1 RC3", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080%40%3Cusers.kafka.apache.org%3E", }, { name: "[zookeeper-issues] 20210106 [jira] [Updated] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rd6f6bf848c2d47fa4a85c27d011d948778b8f7e58ba495968435a0b3%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210106 [GitHub] [zookeeper] edwin092 opened a new pull request #1572: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r6e3d4f7991542119a4ca6330271d7fbf7b9fb3abab24ada82ddf1ee4%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210106 [jira] [Commented] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r0b8dc3acd4503e4ecb6fbd6ea7d95f59941168d8452ac0ab1d1d96bb%40%3Cissues.zookeeper.apache.org%3E", }, { name: 
"[zookeeper-notifications] 20210106 [GitHub] [zookeeper] asfgit closed pull request #1572: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r68d029ee74ab0f3b0569d0c05f5688cb45dd3abe96a6534735252805%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210106 [zookeeper] branch branch-3.5.9 updated: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rc88f2fa2b7bd6443921727aeee7704a1fb02433e722e2abf677e0d3d%40%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210106 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r94c7e86e546120f157264ba5ba61fd29b3a8d530ed325a9b4fa334d7%40%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210106 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rdf9a34726482222c90d50ae1b9847881de67dde8cfde4999633d2cdc%40%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210106 [GitHub] [zookeeper] nkalmar commented on pull request #1572: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r04529cedaca40c2ff90af4880493f9c88a8ebf4d1d6c861d23108a5a%40%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210106 [zookeeper] branch master updated: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/r86c78bf7656fdb2dab69cbf17f3d7492300f771025f1a3a65d5e5ce5%40%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210116 [jira] [Commented] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rb674520b9f6c808c1bf263b1369e14048ec3243615f35cfd24e33604%40%3Cissues.zookeeper.apache.org%3E", }, { name: "[flink-issues] 20210121 [GitHub] [flink-shaded] HuangXingBo opened a new pull request #93: [FLINK-21020][jackson] Bump version to 2.12.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ra95faf968f3463acb3f31a6fbec31453fc5045325f99f396961886d3%40%3Cissues.flink.apache.org%3E", }, { name: "[flink-issues] 20210122 [GitHub] [flink-shaded] HuangXingBo opened a new pull request #93: [FLINK-21020][jackson] Bump version to 2.12.1", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r45e7350dfc92bb192f3f88e9971c11ab2be0953cc375be3dda5170bd%40%3Cissues.flink.apache.org%3E", }, { name: "[tomee-commits] 20210127 [jira] [Created] (TOMEE-2965) CVE-2020-25649 - Update jackson databind", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r95a297eb5fd1f2d3a2281f15340e2413f952e9d5503296c3adc7201a%40%3Ccommits.tomee.apache.org%3E", }, { name: "FEDORA-2021-1d8254899c", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6X2UT4X6M7DLQYBOOHMXBWGYJ65RL2CT/", }, { name: "[karaf-commits] 20210217 [GitHub] [karaf] svogt opened a new pull request #1296: Update jackson-databind to fix CVE-2020-25649 / BDSA-2020-2965", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/re16f81d3ad49a93dd2f0cba9f8fc88e5fb89f30bf9a2ad7b6f3e69c1%40%3Ccommits.karaf.apache.org%3E", }, { name: 
"[karaf-commits] 20210217 [GitHub] [karaf] jbonofre merged pull request #1296: Update jackson-databind to fix CVE-2020-25649 / BDSA-2020-2965", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r3e6ae311842de4e64c5d560a475b7f9cc7e0a9a8649363c6cf7537eb%40%3Ccommits.karaf.apache.org%3E", }, { name: "[karaf-commits] 20210217 [karaf] branch master updated: Update jackson-databind to fix CVE-2020-25649 / BDSA-2020-2965", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r91722ecfba688b0c565675f8bf380269fde8ec62b54d6161db544c22%40%3Ccommits.karaf.apache.org%3E", }, { name: "[karaf-commits] 20210217 [GitHub] [karaf] jbonofre commented on pull request #1296: Update jackson-databind to fix CVE-2020-25649 / BDSA-2020-2965", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rf1809a1374041a969d77afab21fc38925de066bc97e86157d3ac3402%40%3Ccommits.karaf.apache.org%3E", }, { name: "[hive-issues] 20210223 [jira] [Assigned] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r0881e23bd9034c8f51fdccdc8f4d085ba985dcd738f8520569ca5c3d%40%3Cissues.hive.apache.org%3E", }, { name: "[hive-dev] 20210223 [jira] [Created] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r2eb66c182853c69ecfb52f63d3dec09495e9b65be829fd889a081ae1%40%3Cdev.hive.apache.org%3E", }, { name: "[hive-issues] 20210223 [jira] [Updated] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r5b130fe668503c4b7e2caf1b16f86b7f2070fd1b7ef8f26195a2ffbd%40%3Cissues.hive.apache.org%3E", }, { name: "[hive-issues] 20210223 [jira] [Work logged] (HIVE-24816) Upgrade jackson 
to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rd57c7582adc90e233f23f3727db3df9115b27a823b92374f11453f34%40%3Cissues.hive.apache.org%3E", }, { name: "[hive-issues] 20210315 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r407538adec3185dd35a05c9a26ae2f74425b15132470cf540f41d85b%40%3Cissues.hive.apache.org%3E", }, { name: "[hive-issues] 20210316 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r2f5c5479f99398ef344b7ebd4d90bc3316236c45d0f3bc42090efcd7%40%3Cissues.hive.apache.org%3E", }, { name: "[turbine-commits] 20210316 svn commit: r1887732 - in /turbine/fulcrum/trunk/json: ./ jackson/ jackson/src/test/org/apache/fulcrum/json/jackson/ jackson2/ jackson2/src/test/org/apache/fulcrum/json/jackson/ jackson2/src/test/org/apache/fulcrum/json/jackson/mixins/", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r011d1430e8f40dff9550c3bc5d0f48b14c01ba8aecabd91d5e495386%40%3Ccommits.turbine.apache.org%3E", }, { name: "[iotdb-notifications] 20210324 [jira] [Created] (IOTDB-1256) Jackson have loopholes CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r765283e145049df9b8998f14dcd444345555aae02b1610cfb3188bf8%40%3Cnotifications.iotdb.apache.org%3E", }, { name: "[iotdb-reviews] 20210324 [GitHub] [iotdb] wangchao316 opened a new pull request #2896: [IOTDB-1256] Jackson have loopholes CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r605764e05e201db33b3e9c2e66ff620658f07ad74f296abe483f7042%40%3Creviews.iotdb.apache.org%3E", }, { name: "[iotdb-reviews] 20210324 
[GitHub] [iotdb] wangchao316 closed pull request #2896: [IOTDB-1256] Jackson have loopholes CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r7cb5b4b3e4bd41a8042e5725b7285877a17bcbf07f4eb3f7b316af60%40%3Creviews.iotdb.apache.org%3E", }, { name: "[iotdb-commits] 20210325 [iotdb] branch master updated: [IOTDB-1256] upgrade Jackson to 2.11.0 because of loopholes CVE-2020-25649 (#2896)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r73bef1bb601a9f093f915f8075eb49fcca51efade57b817afd5def07%40%3Ccommits.iotdb.apache.org%3E", }, { name: "[iotdb-reviews] 20210325 [GitHub] [iotdb] jixuan1989 merged pull request #2896: [IOTDB-1256] Jackson have loopholes CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r6cbd599b80e787f02ff7a1391d9278a03f37d6a6f4f943f0f01a62fb%40%3Creviews.iotdb.apache.org%3E", }, { name: "[hive-issues] 20210503 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ra409f798a1e5a6652b7097429b388650ccd65fd958cee0b6f69bba00%40%3Cissues.hive.apache.org%3E", }, { name: "[hive-issues] 20210510 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rdca8711bb7aa5d47a44682606cd0ea3497e2e922f22b7ee83e81e6c1%40%3Cissues.hive.apache.org%3E", }, { name: "[hive-issues] 20210514 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r8ae961c80930e2717c75025414ce48a432cea1137c02f648b1fb9524%40%3Cissues.hive.apache.org%3E", }, { name: "[knox-dev] 20210601 [jira] [Created] (KNOX-2614) Upgrade Jackson due to 
CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rc82ff47853289e9cd17f5cfbb053c04cafc75ee32e3d7223963f83bb%40%3Cdev.knox.apache.org%3E", }, { name: "[knox-dev] 20210601 [jira] [Updated] (KNOX-2614) Upgrade jackson-databind to 2.10.5 due to CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r6a4f3ef6edfed2e0884269d84798f766779bbbc1005f7884e0800d61%40%3Cdev.knox.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { tags: [ "x_refsource_MISC", ], url: "https://lists.apache.org/thread.html/r31f4ee7d561d56a0c2c2c6eb1d6ce3e05917ff9654fdbfec05dc2b83%40%3Ccommits.servicecomb.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20210108-0007/", }, { name: "[spark-user] 20210621 Re: CVEs", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r8764bb835bcb8e311c882ff91dd3949c9824e905e880930be56f6ba3%40%3Cuser.spark.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "[kafka-dev] 20210831 Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-users] 20210831 Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E", }, { name: "[kafka-users] 20210901 Re: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E", }, { name: "[kafka-dev] 20210901 Re: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E", }, { name: "[hive-issues] 20211012 [jira] [Resolved] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r6a6df5647583541e3cb71c75141008802f7025cee1c430d4ed78f4cc%40%3Cissues.hive.apache.org%3E", }, { name: "[hive-issues] 20211012 [jira] [Updated] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r024b7bda9c43c5560d81238748775c5ecfe01b57280f90df1f773949%40%3Cissues.hive.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2020-25649", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "jackson-databind", version: { version_data: [ { version_value: "jackson-databind-2.11.0", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured 
properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-611", }, ], }, ], }, references: { reference_data: [ { name: "https://bugzilla.redhat.com/show_bug.cgi?id=1887664", refsource: "MISC", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1887664", }, { name: "https://github.com/FasterXML/jackson-databind/issues/2589", refsource: "MISC", url: "https://github.com/FasterXML/jackson-databind/issues/2589", }, { name: "[kafka-jira] 20201205 [GitHub] [kafka] sirocchj opened a new pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ra1157e57a01d25e36b0dc17959ace758fc21ba36746de29ba1d8b130@%3Cjira.kafka.apache.org%3E", }, { name: "[druid-commits] 20201208 [GitHub] [druid] jihoonson opened a new pull request #10655: Bump up jackson-databind to 2.10.5.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r2b6ddb3a4f4cd11d8f6305011e1b7438ba813511f2e3ab3180c7ffda@%3Ccommits.druid.apache.org%3E", }, { name: "[kafka-jira] 20201209 [GitHub] [kafka] ijuma commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r2882fc1f3032cd7be66e28787f04ec6f1874ac68d47e310e30ff7eb1@%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20201209 [GitHub] [kafka] niteshmor commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/re96dc7a13e13e56190a5d80f9e5440a0d0c83aeec6467b562fbf2dca@%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20201209 [GitHub] [kafka] sirocchj edited a comment on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", refsource: "MLIST", url: 
"https://lists.apache.org/thread.html/r1b7ed0c4b6c4301d4dfd6fdbc5581b0a789d3240cab55d766f33c6c6@%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20201209 [GitHub] [kafka] sirocchj commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rd317f15a675d114dbf5b488d27eeb2467b4424356b16116eb18a652d@%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20201210 [GitHub] [kafka] sirocchj commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rc15e90bbef196a5c6c01659e015249d6c9a73581ca9afb8aeecf00d2@%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20201210 [GitHub] [kafka] niteshmor edited a comment on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r63c87aab97155f3f3cbe11d030c4a184ea0de440ee714977db02e956@%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20201210 [GitHub] [kafka] niteshmor commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rc959cdb57c4fe198316130ff4a5ecbf9d680e356032ff2e9f4f05d54@%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20201215 [GitHub] [kafka] ijuma commented on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/raf13235de6df1d47a717199e1ecd700dff3236632f5c9a1488d9845b@%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-users] 20201215 Re: [VOTE] 2.7.0 RC5", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304@%3Cusers.kafka.apache.org%3E", }, { name: "[kafka-dev] 20201215 Re: [VOTE] 2.7.0 RC5", refsource: "MLIST", url: 
"https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304@%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-jira] 20201215 [GitHub] [kafka] ijuma merged pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r5f8a1608d758936bd6bbc5eed980777437b611537bf6fff40663fc71@%3Cjira.kafka.apache.org%3E", }, { name: "[kafka-jira] 20201215 [GitHub] [kafka] ijuma edited a comment on pull request #9702: CVE-2020-25649: bumping jackson to patched version 2.10.5.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r78d53a0a269c18394daf5940105dc8c7f9a2399503c2e78be20abe7e@%3Cjira.kafka.apache.org%3E", }, { name: "[zookeeper-issues] 20210105 [jira] [Created] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r98bfe3b90ea9408f12c4b447edcb5638703d80bc782430aa0c210a54@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210105 [jira] [Updated] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r90d1e97b0a743cf697d89a792a9b669909cc5a1692d1e0083a22e66c@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-dev] 20210105 [jira] [Created] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r900d4408c4189b376d1ec580ea7740ea6f8710dc2f0b7e9c9eeb5ae0@%3Cdev.zookeeper.apache.org%3E", }, { name: "[kafka-dev] 20210105 Re: [kafka-clients] Re: [VOTE] 2.6.1 RC3", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080@%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-users] 20210105 Re: [kafka-clients] Re: [VOTE] 2.6.1 RC3", refsource: "MLIST", url: 
"https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080@%3Cusers.kafka.apache.org%3E", }, { name: "[zookeeper-issues] 20210106 [jira] [Updated] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rd6f6bf848c2d47fa4a85c27d011d948778b8f7e58ba495968435a0b3@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210106 [GitHub] [zookeeper] edwin092 opened a new pull request #1572: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r6e3d4f7991542119a4ca6330271d7fbf7b9fb3abab24ada82ddf1ee4@%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210106 [jira] [Commented] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r0b8dc3acd4503e4ecb6fbd6ea7d95f59941168d8452ac0ab1d1d96bb@%3Cissues.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210106 [GitHub] [zookeeper] asfgit closed pull request #1572: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r68d029ee74ab0f3b0569d0c05f5688cb45dd3abe96a6534735252805@%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210106 [zookeeper] branch branch-3.5.9 updated: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rc88f2fa2b7bd6443921727aeee7704a1fb02433e722e2abf677e0d3d@%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210106 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", refsource: "MLIST", url: 
"https://lists.apache.org/thread.html/r94c7e86e546120f157264ba5ba61fd29b3a8d530ed325a9b4fa334d7@%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210106 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rdf9a34726482222c90d50ae1b9847881de67dde8cfde4999633d2cdc@%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-notifications] 20210106 [GitHub] [zookeeper] nkalmar commented on pull request #1572: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r04529cedaca40c2ff90af4880493f9c88a8ebf4d1d6c861d23108a5a@%3Cnotifications.zookeeper.apache.org%3E", }, { name: "[zookeeper-commits] 20210106 [zookeeper] branch master updated: ZOOKEEPER-4045: CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r86c78bf7656fdb2dab69cbf17f3d7492300f771025f1a3a65d5e5ce5@%3Ccommits.zookeeper.apache.org%3E", }, { name: "[zookeeper-issues] 20210116 [jira] [Commented] (ZOOKEEPER-4045) CVE-2020-25649 - Upgrade jackson databind to 2.10.5.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rb674520b9f6c808c1bf263b1369e14048ec3243615f35cfd24e33604@%3Cissues.zookeeper.apache.org%3E", }, { name: "[flink-issues] 20210121 [GitHub] [flink-shaded] HuangXingBo opened a new pull request #93: [FLINK-21020][jackson] Bump version to 2.12.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ra95faf968f3463acb3f31a6fbec31453fc5045325f99f396961886d3@%3Cissues.flink.apache.org%3E", }, { name: "[flink-issues] 20210122 [GitHub] [flink-shaded] HuangXingBo opened a new pull request #93: [FLINK-21020][jackson] Bump version to 2.12.1", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r45e7350dfc92bb192f3f88e9971c11ab2be0953cc375be3dda5170bd@%3Cissues.flink.apache.org%3E", }, { 
name: "[tomee-commits] 20210127 [jira] [Created] (TOMEE-2965) CVE-2020-25649 - Update jackson databind", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r95a297eb5fd1f2d3a2281f15340e2413f952e9d5503296c3adc7201a@%3Ccommits.tomee.apache.org%3E", }, { name: "FEDORA-2021-1d8254899c", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6X2UT4X6M7DLQYBOOHMXBWGYJ65RL2CT/", }, { name: "[karaf-commits] 20210217 [GitHub] [karaf] svogt opened a new pull request #1296: Update jackson-databind to fix CVE-2020-25649 / BDSA-2020-2965", refsource: "MLIST", url: "https://lists.apache.org/thread.html/re16f81d3ad49a93dd2f0cba9f8fc88e5fb89f30bf9a2ad7b6f3e69c1@%3Ccommits.karaf.apache.org%3E", }, { name: "[karaf-commits] 20210217 [GitHub] [karaf] jbonofre merged pull request #1296: Update jackson-databind to fix CVE-2020-25649 / BDSA-2020-2965", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r3e6ae311842de4e64c5d560a475b7f9cc7e0a9a8649363c6cf7537eb@%3Ccommits.karaf.apache.org%3E", }, { name: "[karaf-commits] 20210217 [karaf] branch master updated: Update jackson-databind to fix CVE-2020-25649 / BDSA-2020-2965", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r91722ecfba688b0c565675f8bf380269fde8ec62b54d6161db544c22@%3Ccommits.karaf.apache.org%3E", }, { name: "[karaf-commits] 20210217 [GitHub] [karaf] jbonofre commented on pull request #1296: Update jackson-databind to fix CVE-2020-25649 / BDSA-2020-2965", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rf1809a1374041a969d77afab21fc38925de066bc97e86157d3ac3402@%3Ccommits.karaf.apache.org%3E", }, { name: "[hive-issues] 20210223 [jira] [Assigned] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r0881e23bd9034c8f51fdccdc8f4d085ba985dcd738f8520569ca5c3d@%3Cissues.hive.apache.org%3E", }, { name: "[hive-dev] 20210223 [jira] 
[Created] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r2eb66c182853c69ecfb52f63d3dec09495e9b65be829fd889a081ae1@%3Cdev.hive.apache.org%3E", }, { name: "[hive-issues] 20210223 [jira] [Updated] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r5b130fe668503c4b7e2caf1b16f86b7f2070fd1b7ef8f26195a2ffbd@%3Cissues.hive.apache.org%3E", }, { name: "[hive-issues] 20210223 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rd57c7582adc90e233f23f3727db3df9115b27a823b92374f11453f34@%3Cissues.hive.apache.org%3E", }, { name: "[hive-issues] 20210315 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r407538adec3185dd35a05c9a26ae2f74425b15132470cf540f41d85b@%3Cissues.hive.apache.org%3E", }, { name: "[hive-issues] 20210316 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r2f5c5479f99398ef344b7ebd4d90bc3316236c45d0f3bc42090efcd7@%3Cissues.hive.apache.org%3E", }, { name: "[turbine-commits] 20210316 svn commit: r1887732 - in /turbine/fulcrum/trunk/json: ./ jackson/ jackson/src/test/org/apache/fulcrum/json/jackson/ jackson2/ jackson2/src/test/org/apache/fulcrum/json/jackson/ jackson2/src/test/org/apache/fulcrum/json/jackson/mixins/", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r011d1430e8f40dff9550c3bc5d0f48b14c01ba8aecabd91d5e495386@%3Ccommits.turbine.apache.org%3E", }, { name: "[iotdb-notifications] 20210324 [jira] [Created] (IOTDB-1256) Jackson have loopholes CVE-2020-25649", refsource: "MLIST", url: 
"https://lists.apache.org/thread.html/r765283e145049df9b8998f14dcd444345555aae02b1610cfb3188bf8@%3Cnotifications.iotdb.apache.org%3E", }, { name: "[iotdb-reviews] 20210324 [GitHub] [iotdb] wangchao316 opened a new pull request #2896: [IOTDB-1256] Jackson have loopholes CVE-2020-25649", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r605764e05e201db33b3e9c2e66ff620658f07ad74f296abe483f7042@%3Creviews.iotdb.apache.org%3E", }, { name: "[iotdb-reviews] 20210324 [GitHub] [iotdb] wangchao316 closed pull request #2896: [IOTDB-1256] Jackson have loopholes CVE-2020-25649", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r7cb5b4b3e4bd41a8042e5725b7285877a17bcbf07f4eb3f7b316af60@%3Creviews.iotdb.apache.org%3E", }, { name: "[iotdb-commits] 20210325 [iotdb] branch master updated: [IOTDB-1256] upgrade Jackson to 2.11.0 because of loopholes CVE-2020-25649 (#2896)", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r73bef1bb601a9f093f915f8075eb49fcca51efade57b817afd5def07@%3Ccommits.iotdb.apache.org%3E", }, { name: "[iotdb-reviews] 20210325 [GitHub] [iotdb] jixuan1989 merged pull request #2896: [IOTDB-1256] Jackson have loopholes CVE-2020-25649", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r6cbd599b80e787f02ff7a1391d9278a03f37d6a6f4f943f0f01a62fb@%3Creviews.iotdb.apache.org%3E", }, { name: "[hive-issues] 20210503 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ra409f798a1e5a6652b7097429b388650ccd65fd958cee0b6f69bba00@%3Cissues.hive.apache.org%3E", }, { name: "[hive-issues] 20210510 [jira] [Work logged] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rdca8711bb7aa5d47a44682606cd0ea3497e2e922f22b7ee83e81e6c1@%3Cissues.hive.apache.org%3E", }, { name: "[hive-issues] 20210514 [jira] [Work logged] (HIVE-24816) Upgrade jackson 
to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r8ae961c80930e2717c75025414ce48a432cea1137c02f648b1fb9524@%3Cissues.hive.apache.org%3E", }, { name: "[knox-dev] 20210601 [jira] [Created] (KNOX-2614) Upgrade Jackson due to CVE-2020-25649", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rc82ff47853289e9cd17f5cfbb053c04cafc75ee32e3d7223963f83bb@%3Cdev.knox.apache.org%3E", }, { name: "[knox-dev] 20210601 [jira] [Updated] (KNOX-2614) Upgrade jackson-databind to 2.10.5 due to CVE-2020-25649", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r6a4f3ef6edfed2e0884269d84798f766779bbbc1005f7884e0800d61@%3Cdev.knox.apache.org%3E", }, { name: "https://www.oracle.com/security-alerts/cpuApr2021.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { name: "https://lists.apache.org/thread.html/r31f4ee7d561d56a0c2c2c6eb1d6ce3e05917ff9654fdbfec05dc2b83@%3Ccommits.servicecomb.apache.org%3E", refsource: "MISC", url: "https://lists.apache.org/thread.html/r31f4ee7d561d56a0c2c2c6eb1d6ce3e05917ff9654fdbfec05dc2b83@%3Ccommits.servicecomb.apache.org%3E", }, { name: "https://security.netapp.com/advisory/ntap-20210108-0007/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20210108-0007/", }, { name: "[spark-user] 20210621 Re: CVEs", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r8764bb835bcb8e311c882ff91dd3949c9824e905e880930be56f6ba3@%3Cuser.spark.apache.org%3E", }, { name: "https://www.oracle.com//security-alerts/cpujul2021.html", refsource: "MISC", url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "[kafka-dev] 20210831 Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E", }, { name: "[kafka-users] 20210831 Security vulnerabilities in 
kafka:2.13-2.6.0/2.7.0 docker image", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E", }, { name: "[kafka-users] 20210901 Re: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E", }, { name: "[kafka-dev] 20210901 Re: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E", }, { name: "[hive-issues] 20211012 [jira] [Resolved] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r6a6df5647583541e3cb71c75141008802f7025cee1c430d4ed78f4cc@%3Cissues.hive.apache.org%3E", }, { name: "[hive-issues] 20211012 [jira] [Updated] (HIVE-24816) Upgrade jackson to 2.10.5.1 or 2.11.0+ due to CVE-2020-25649", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r024b7bda9c43c5560d81238748775c5ecfe01b57280f90df1f773949@%3Cissues.hive.apache.org%3E", }, { name: "https://www.oracle.com/security-alerts/cpuoct2021.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "https://www.oracle.com/security-alerts/cpujan2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { name: "https://www.oracle.com/security-alerts/cpuapr2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { name: "https://www.oracle.com/security-alerts/cpujul2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", 
assignerShortName: "redhat", cveId: "CVE-2020-25649", datePublished: "2020-12-03T16:16:50", dateReserved: "2020-09-16T00:00:00", dateUpdated: "2024-08-04T15:40:36.648Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-1714
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714 | x_refsource_CONFIRM | |
https://github.com/keycloak/keycloak/pull/7053 | x_refsource_CONFIRM |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T06:46:30.830Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/keycloak/keycloak/pull/7053", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "keycloak", vendor: "Red Hat", versions: [ { status: "affected", version: "before 11.0.0", }, ], }, ], descriptions: [ { lang: "en", value: "A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-20", description: "CWE-20", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2020-05-13T18:25:56", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/keycloak/keycloak/pull/7053", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2020-1714", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "keycloak", version: { version_data: [ { version_value: 
"before 11.0.0", }, ], }, }, ], }, vendor_name: "Red Hat", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.", }, ], }, impact: { cvss: [ [ { vectorString: "7.5/CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, ], ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-20", }, ], }, ], }, references: { reference_data: [ { name: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714", refsource: "CONFIRM", url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714", }, { name: "https://github.com/keycloak/keycloak/pull/7053", refsource: "CONFIRM", url: "https://github.com/keycloak/keycloak/pull/7053", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2020-1714", datePublished: "2020-05-13T18:25:56", dateReserved: "2019-11-27T00:00:00", dateUpdated: "2024-08-04T06:46:30.830Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-43797
Vulnerability from cvelistv5
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T04:03:08.898Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq", }, { tags: [ "x_transferred", ], url: "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323", }, { tags: [ "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { tags: [ "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20220107-0003/", }, { tags: [ "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { name: "[debian-lts-announce] 20230111 [SECURITY] [DLA 3268-1] netty security update", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html", }, { name: "DSA-5316", tags: [ "vendor-advisory", "x_transferred", ], url: "https://www.debian.org/security/2023/dsa-5316", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "netty", vendor: "netty", versions: [ { status: "affected", version: "<= 4.1.7.0.Final", }, ], }, ], descriptions: [ { lang: "en", value: "Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to \"sanitize\" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. 
Users should upgrade to version 4.1.71.Final.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-444", description: "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-01-12T00:00:00", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { url: "https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq", }, { url: "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323", }, { url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { url: "https://security.netapp.com/advisory/ntap-20220107-0003/", }, { url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { name: "[debian-lts-announce] 20230111 [SECURITY] [DLA 3268-1] netty security update", tags: [ "mailing-list", ], url: "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html", }, { name: "DSA-5316", tags: [ "vendor-advisory", ], url: "https://www.debian.org/security/2023/dsa-5316", }, ], source: { advisory: "GHSA-wx5j-54mm-rqqq", discovery: "UNKNOWN", }, title: "HTTP fails to validate against control chars in header names which may lead to HTTP request smuggling", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2021-43797", datePublished: "2021-12-09T00:00:00", dateReserved: "2021-11-16T00:00:00", dateUpdated: "2024-08-04T04:03:08.898Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-21724
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4 | x_refsource_CONFIRM | |
https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813 | x_refsource_MISC | |
https://security.netapp.com/advisory/ntap-20220311-0005/ | x_refsource_CONFIRM | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVEO7BEFXPBVHSPYL3YKQWZI6DYXQLFS/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.debian.org/debian-lts-announce/2022/05/msg00027.html | mailing-list, x_refsource_MLIST | |
https://www.debian.org/security/2022/dsa-5196 | vendor-advisory, x_refsource_DEBIAN |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T02:53:35.324Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20220311-0005/", }, { name: "FEDORA-2022-1151f65e9a", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVEO7BEFXPBVHSPYL3YKQWZI6DYXQLFS/", }, { name: "[debian-lts-announce] 20220520 [SECURITY] [DLA 3018-1] libpgjava security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2022/05/msg00027.html", }, { name: "DSA-5196", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2022/dsa-5196", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "pgjdbc is the official PostgreSQL JDBC Driver. A security hole was found in the JDBC driver for the PostgreSQL database during security research. A system using the PostgreSQL library can be attacked when an attacker controls the JDBC URL or connection properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. 
This can lead to arbitrary code execution, since any class named in those properties is loaded and instantiated. Users using plugins are advised to upgrade. There are no known workarounds for this issue.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-07-31T19:06:26", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20220311-0005/", }, { name: "FEDORA-2022-1151f65e9a", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVEO7BEFXPBVHSPYL3YKQWZI6DYXQLFS/", }, { name: "[debian-lts-announce] 20220520 [SECURITY] [DLA 3018-1] libpgjava security update", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.debian.org/debian-lts-announce/2022/05/msg00027.html", }, { name: "DSA-5196", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2022/dsa-5196", }, ], source: { advisory: "GHSA-v7wg-cpwc-24m4", discovery: "UNKNOWN", }, title: "Unchecked Class Instantiation when providing Plugin Classes", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security-advisories@github.com", ID: "CVE-2022-21724", STATE: "PUBLIC", TITLE: "Unchecked Class Instantiation when providing Plugin 
Classes", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "pgjdbc is the official PostgreSQL JDBC Driver. A security hole was found in the JDBC driver for the PostgreSQL database during security research. A system using the PostgreSQL library can be attacked when an attacker controls the JDBC URL or connection properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to arbitrary code execution, since any class named in those properties is loaded and instantiated. Users using plugins are advised to upgrade. There are no known workarounds for this issue.", }, ], }, impact: { cvss: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4", refsource: "CONFIRM", url: "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4", }, { name: "https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813", refsource: "MISC", url: "https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813", }, { name: "https://security.netapp.com/advisory/ntap-20220311-0005/", refsource: 
"CONFIRM", url: "https://security.netapp.com/advisory/ntap-20220311-0005/", }, { name: "FEDORA-2022-1151f65e9a", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BVEO7BEFXPBVHSPYL3YKQWZI6DYXQLFS/", }, { name: "[debian-lts-announce] 20220520 [SECURITY] [DLA 3018-1] libpgjava security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2022/05/msg00027.html", }, { name: "DSA-5196", refsource: "DEBIAN", url: "https://www.debian.org/security/2022/dsa-5196", }, ], }, source: { advisory: "GHSA-v7wg-cpwc-24m4", discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2022-21724", datePublished: "2022-02-02T11:48:52", dateReserved: "2021-11-16T00:00:00", dateUpdated: "2024-08-03T02:53:35.324Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-37714
Vulnerability from cvelistv5
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T01:23:01.524Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://jsoup.org/news/release-1.14.1", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://jsoup.org/news/release-1.14.2", }, { name: "[james-notifications] 20210820 [GitHub] [james-project] chibenwa opened a new pull request #609: [UPGRADE] JSOUP 1.14.1 -> 1.14.2 to address CVE-2021-37714", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r685c5235235ad0c26e86d0ee987fb802c9675de6081dbf0516464e0b%40%3Cnotifications.james.apache.org%3E", }, { name: "[james-notifications] 20210823 [GitHub] [james-project] chibenwa merged pull request #609: [UPGRADE] JSOUP 1.14.1 -> 1.14.2 to address CVE-2021-37714", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rc3354080fc67fb50b45b3c2d12dc4ca2a3c1c78dad3d3ba012c038aa%40%3Cnotifications.james.apache.org%3E", }, { name: "[james-notifications] 20210823 [james-project] branch master updated: [UPGRADE] JSOUP 1.14.1 -> 1.14.2 to address CVE-2021-37714", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r97404676a5cf591988faedb887d64e278f522adcaa823d89ca69defe%40%3Cnotifications.james.apache.org%3E", }, { name: "[maven-issues] 20210830 [jira] [Created] (WAGON-612) Update jsoup to >= 1.14.2 for fix security issue", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r50e9c9466c592ca9d707a5dea549524d19e3287da08d8392f643960e%40%3Cissues.maven.apache.org%3E", }, { name: "[maven-issues] 20210901 [jira] [Created] (MNG-7227) Fix CVE-2021-37714 
present in apache-maven", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010e62c9352cfaaf0%40%3Cissues.maven.apache.org%3E", }, { name: "[maven-issues] 20210901 [jira] [Updated] (MNG-7227) Fix CVE-2021-37714 present in apache-maven", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9718fcddfaecba7%40%3Cissues.maven.apache.org%3E", }, { name: "[maven-issues] 20210901 [jira] [Commented] (MNG-7227) Fix CVE-2021-37714 present in apache-maven", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643fa987b342e082e%40%3Cissues.maven.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20220210-0022/", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "jsoup", vendor: "jhy", versions: [ { status: "affected", version: "< 1.14.2", }, ], }, ], descriptions: [ { lang: "en", value: "jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. 
There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-835", description: "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')", lang: "en", type: "CWE", }, ], }, { descriptions: [ { cweId: "CWE-248", description: "CWE-248: Uncaught Exception", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-07-25T16:31:13", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c", }, { tags: [ "x_refsource_MISC", ], url: "https://jsoup.org/news/release-1.14.1", }, { tags: [ "x_refsource_MISC", ], url: "https://jsoup.org/news/release-1.14.2", }, { name: "[james-notifications] 20210820 [GitHub] [james-project] chibenwa opened a new pull request #609: [UPGRADE] JSOUP 1.14.1 -> 1.14.2 to address CVE-2021-37714", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r685c5235235ad0c26e86d0ee987fb802c9675de6081dbf0516464e0b%40%3Cnotifications.james.apache.org%3E", }, { name: "[james-notifications] 20210823 [GitHub] [james-project] chibenwa merged pull request #609: [UPGRADE] JSOUP 1.14.1 -> 1.14.2 to address CVE-2021-37714", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rc3354080fc67fb50b45b3c2d12dc4ca2a3c1c78dad3d3ba012c038aa%40%3Cnotifications.james.apache.org%3E", }, { name: 
"[james-notifications] 20210823 [james-project] branch master updated: [UPGRADE] JSOUP 1.14.1 -> 1.14.2 to address CVE-2021-37714", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r97404676a5cf591988faedb887d64e278f522adcaa823d89ca69defe%40%3Cnotifications.james.apache.org%3E", }, { name: "[maven-issues] 20210830 [jira] [Created] (WAGON-612) Update jsoup to >= 1.14.2 for fix security issue", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r50e9c9466c592ca9d707a5dea549524d19e3287da08d8392f643960e%40%3Cissues.maven.apache.org%3E", }, { name: "[maven-issues] 20210901 [jira] [Created] (MNG-7227) Fix CVE-2021-37714 present in apache-maven", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010e62c9352cfaaf0%40%3Cissues.maven.apache.org%3E", }, { name: "[maven-issues] 20210901 [jira] [Updated] (MNG-7227) Fix CVE-2021-37714 present in apache-maven", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9718fcddfaecba7%40%3Cissues.maven.apache.org%3E", }, { name: "[maven-issues] 20210901 [jira] [Commented] (MNG-7227) Fix CVE-2021-37714 present in apache-maven", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643fa987b342e082e%40%3Cissues.maven.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20220210-0022/", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, ], source: { advisory: "GHSA-m72m-mhq2-9p6c", discovery: "UNKNOWN", }, title: "Crafted input may 
cause the jsoup HTML and XML parser to get stuck, timeout, or throw unchecked exceptions", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security-advisories@github.com", ID: "CVE-2021-37714", STATE: "PUBLIC", TITLE: "Crafted input may cause the jsoup HTML and XML parser to get stuck, timeout, or throw unchecked exceptions", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "jsoup", version: { version_data: [ { version_value: "< 1.14.2", }, ], }, }, ], }, vendor_name: "jhy", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. 
Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.", }, ], }, impact: { cvss: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')", }, ], }, { description: [ { lang: "eng", value: "CWE-248: Uncaught Exception", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c", refsource: "CONFIRM", url: "https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c", }, { name: "https://jsoup.org/news/release-1.14.1", refsource: "MISC", url: "https://jsoup.org/news/release-1.14.1", }, { name: "https://jsoup.org/news/release-1.14.2", refsource: "MISC", url: "https://jsoup.org/news/release-1.14.2", }, { name: "[james-notifications] 20210820 [GitHub] [james-project] chibenwa opened a new pull request #609: [UPGRADE] JSOUP 1.14.1 -> 1.14.2 to address CVE-2021-37714", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r685c5235235ad0c26e86d0ee987fb802c9675de6081dbf0516464e0b@%3Cnotifications.james.apache.org%3E", }, { name: "[james-notifications] 20210823 [GitHub] [james-project] chibenwa merged pull request #609: [UPGRADE] JSOUP 1.14.1 -> 1.14.2 to address CVE-2021-37714", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rc3354080fc67fb50b45b3c2d12dc4ca2a3c1c78dad3d3ba012c038aa@%3Cnotifications.james.apache.org%3E", }, { name: "[james-notifications] 20210823 [james-project] branch master updated: [UPGRADE] JSOUP 1.14.1 -> 1.14.2 to address CVE-2021-37714", 
refsource: "MLIST", url: "https://lists.apache.org/thread.html/r97404676a5cf591988faedb887d64e278f522adcaa823d89ca69defe@%3Cnotifications.james.apache.org%3E", }, { name: "[maven-issues] 20210830 [jira] [Created] (WAGON-612) Update jsoup to >= 1.14.2 for fix security issue", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r50e9c9466c592ca9d707a5dea549524d19e3287da08d8392f643960e@%3Cissues.maven.apache.org%3E", }, { name: "[maven-issues] 20210901 [jira] [Created] (MNG-7227) Fix CVE-2021-37714 present in apache-maven", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010e62c9352cfaaf0@%3Cissues.maven.apache.org%3E", }, { name: "[maven-issues] 20210901 [jira] [Updated] (MNG-7227) Fix CVE-2021-37714 present in apache-maven", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9718fcddfaecba7@%3Cissues.maven.apache.org%3E", }, { name: "[maven-issues] 20210901 [jira] [Commented] (MNG-7227) Fix CVE-2021-37714 present in apache-maven", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643fa987b342e082e@%3Cissues.maven.apache.org%3E", }, { name: "https://www.oracle.com/security-alerts/cpujan2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { name: "https://www.oracle.com/security-alerts/cpuapr2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { name: "https://security.netapp.com/advisory/ntap-20220210-0022/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20220210-0022/", }, { name: "https://www.oracle.com/security-alerts/cpujul2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, ], }, source: { advisory: "GHSA-m72m-mhq2-9p6c", discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", 
assignerShortName: "GitHub_M", cveId: "CVE-2021-37714", datePublished: "2021-08-18T15:10:11", dateReserved: "2021-07-29T00:00:00", dateUpdated: "2024-08-04T01:23:01.524Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-4853
Vulnerability from cvelistv5
Vendor | Product | Version
---|---|---
Red Hat | Openshift Serverless 1 on RHEL 8 | Unaffected: 0:1.9.2-3.el8 < * cpe:/a:redhat:serverless:1.0::el8
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T07:38:00.803Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2023:5170", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:5170", }, { name: "RHSA-2023:5310", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:5310", }, { name: "RHSA-2023:5337", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:5337", }, { name: "RHSA-2023:5446", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:5446", }, { name: "RHSA-2023:5479", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:5479", }, { name: "RHSA-2023:5480", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:5480", }, { name: "RHSA-2023:6107", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:6107", }, { name: "RHSA-2023:6112", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:6112", }, { name: "RHSA-2023:7653", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:7653", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2023-4853", }, { name: "RHSB-2023-002", tags: [ "technical-description", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002", }, { name: "RHBZ#2238034", tags: [ "issue-tracking", "x_refsource_REDHAT", "x_transferred", ], url: 
"https://bugzilla.redhat.com/show_bug.cgi?id=2238034", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:serverless:1.0::el8", ], defaultStatus: "affected", packageName: "openshift-serverless-clients", product: "Openshift Serverless 1 on RHEL 8", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:1.9.2-3.el8", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:optaplanner:::el6", ], defaultStatus: "unaffected", packageName: "quarkus-vertx-http", product: "Red Hat build of OptaPlanner 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:quarkus:2.13", ], defaultStatus: "affected", packageName: "io.quarkus/quarkus-keycloak-authorization", product: "Red Hat build of Quarkus 2.13.8.SP2", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "2.13.8.Final-redhat-00005", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:quarkus:2.13", ], defaultStatus: "affected", packageName: "io.quarkus/quarkus-undertow", product: "Red Hat build of Quarkus 2.13.8.SP2", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "2.13.8.Final-redhat-00005", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:quarkus:2.13", ], defaultStatus: "affected", packageName: "io.quarkus/quarkus-vertx-http", product: "Red Hat build of Quarkus 2.13.8.SP2", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "2.13.8.Final-redhat-00005", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ 
"cpe:/a:redhat:camel_quarkus:2.13", ], defaultStatus: "unaffected", packageName: "quarkus-vertx-http", product: "Red Hat Camel Extensions for Quarkus 2.13.3-1", vendor: "Red Hat", }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:openshift_serverless:1.30::el8", ], defaultStatus: "affected", packageName: "openshift-serverless-1/client-kn-rhel8", product: "Red Hat OpenShift Serverless 1.30", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "1.9.2-3", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:openshift_serverless:1.30::el8", ], defaultStatus: "affected", packageName: "openshift-serverless-1/ingress-rhel8-operator", product: "Red Hat OpenShift Serverless 1.30", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "1.30.1-1", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:openshift_serverless:1.30::el8", ], defaultStatus: "affected", packageName: "openshift-serverless-1/knative-rhel8-operator", product: "Red Hat OpenShift Serverless 1.30", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "1.30.1-1", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:openshift_serverless:1.30::el8", ], defaultStatus: "affected", packageName: "openshift-serverless-1/kn-cli-artifacts-rhel8", product: "Red Hat OpenShift Serverless 1.30", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "1.9.2-3", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:openshift_serverless:1.30::el8", ], defaultStatus: "affected", packageName: "openshift-serverless-1/serverless-operator-bundle", product: "Red Hat OpenShift Serverless 1.30", vendor: "Red Hat", versions: [ 
{ lessThan: "*", status: "unaffected", version: "1.30.1-1", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:openshift_serverless:1.30::el8", ], defaultStatus: "affected", packageName: "openshift-serverless-1/serverless-rhel8-operator", product: "Red Hat OpenShift Serverless 1.30", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "1.30.1-1", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:openshift_serverless:1.30::el8", ], defaultStatus: "affected", packageName: "openshift-serverless-1/svls-must-gather-rhel8", product: "Red Hat OpenShift Serverless 1.30", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "1.30.1-1", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:openshift_serverless:1.30::el8", ], defaultStatus: "affected", packageName: "openshift-serverless-1-tech-preview/logic-data-index-ephemeral-rhel8", product: "Red Hat OpenShift Serverless 1.30", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "1.30.0-5", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:openshift_serverless:1.30::el8", ], defaultStatus: "affected", packageName: "openshift-serverless-1-tech-preview/logic-swf-builder-rhel8", product: "Red Hat OpenShift Serverless 1.30", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "1.30.0-6", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:openshift_serverless:1.30::el8", ], defaultStatus: "affected", packageName: "openshift-serverless-1-tech-preview/logic-swf-devmode-rhel8", product: "Red Hat OpenShift Serverless 1.30", vendor: "Red Hat", versions: [ { lessThan: "*", status: 
"unaffected", version: "1.30.0-6", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:rhosemc:1.0::el8", ], defaultStatus: "affected", packageName: "rhpam-7/rhpam-kogito-builder-rhel8", product: "RHEL-8 based Middleware Containers", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "7.13.4-3", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:rhosemc:1.0::el8", ], defaultStatus: "affected", packageName: "rhpam-7/rhpam-kogito-rhel8-operator", product: "RHEL-8 based Middleware Containers", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "7.13.4-2", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:rhosemc:1.0::el8", ], defaultStatus: "affected", packageName: "rhpam-7/rhpam-kogito-rhel8-operator-bundle", product: "RHEL-8 based Middleware Containers", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "7.13.4-2", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:rhosemc:1.0::el8", ], defaultStatus: "affected", packageName: "rhpam-7/rhpam-kogito-runtime-jvm-rhel8", product: "RHEL-8 based Middleware Containers", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "7.13.4-3", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:rhosemc:1.0::el8", ], defaultStatus: "affected", packageName: "rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8", product: "RHEL-8 based Middleware Containers", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "7.13.4-3", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ 
"cpe:/a:redhat:camel_k:1", ], defaultStatus: "unaffected", packageName: "quarkus-vertx-http", product: "RHINT Camel-K-1.10.2", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:service_registry:2.5", ], defaultStatus: "unaffected", packageName: "quarkus-vertx-http", product: "RHINT Service Registry 2.5.4 GA", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13", ], defaultStatus: "unaffected", product: "RHPAM 7.13.4 async", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", ], defaultStatus: "affected", packageName: "quarkus-vertx-http", product: "Red Hat Process Automation 7", vendor: "Red Hat", }, ], datePublic: "2023-09-08T00:00:00+00:00", descriptions: [ { lang: "en", value: "A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. 
This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.", }, ], metrics: [ { other: { content: { namespace: "https://access.redhat.com/security/updates/classification/", value: "Important", }, type: "Red Hat severity rating", }, }, { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-148", description: "Improper Neutralization of Input Leaders", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-11-23T01:02:43.871Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2023:5170", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:5170", }, { name: "RHSA-2023:5310", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:5310", }, { name: "RHSA-2023:5337", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:5337", }, { name: "RHSA-2023:5446", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:5446", }, { name: "RHSA-2023:5479", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:5479", }, { name: "RHSA-2023:5480", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:5480", }, { name: "RHSA-2023:6107", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:6107", }, { name: "RHSA-2023:6112", tags: [ "vendor-advisory", 
"x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:6112", }, { name: "RHSA-2023:7653", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:7653", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", ], url: "https://access.redhat.com/security/cve/CVE-2023-4853", }, { name: "RHSB-2023-002", tags: [ "technical-description", "x_refsource_REDHAT", ], url: "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002", }, { name: "RHBZ#2238034", tags: [ "issue-tracking", "x_refsource_REDHAT", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2238034", }, ], timeline: [ { lang: "en", time: "2023-09-08T00:00:00+00:00", value: "Reported to Red Hat.", }, { lang: "en", time: "2023-09-08T00:00:00+00:00", value: "Made public.", }, ], title: "Quarkus: http security policy bypass", workarounds: [ { lang: "en", value: "Use a ‘deny’ wildcard for base paths, then authenticate specifics within that:\n\nExamples:\n```\ndeny: /*\nauthenticated: /services/*\n```\nor\n```\ndeny: /services/*\nroles-allowed: /services/rbac/*\n```\n\nNOTE: Products are only vulnerable if they use (or allow use of) path-based HTTP policy configuration. Products may also be affected–shipping the component in question–without being vulnerable (“affected at reduced impact”).\n\nSee https://access.redhat.com/security/vulnerabilities/RHSB-2023-002 for more detailed mitigations.", }, ], x_redhatCweChain: "CWE-148: Improper Neutralization of Input Leaders", }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2023-4853", datePublished: "2023-09-20T09:47:32.150Z", dateReserved: "2023-09-08T16:10:38.379Z", dateUpdated: "2024-11-23T01:02:43.871Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2019-14900
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=1666499 | x_refsource_MISC | |
https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E | mailing-list, x_refsource_MLIST | |
https://security.netapp.com/advisory/ntap-20220210-0020/ | x_refsource_CONFIRM |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T00:26:39.118Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1666499", }, { name: "[turbine-dev] 20211015 Fulcrum Security Hibernate Module", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20220210-0020/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Hibernate", vendor: "n/a", versions: [ { status: "affected", version: "Versions before Hibernate ORM 5.3.18", }, { status: "affected", version: "Versions before Hibernate ORM 5.4.18", }, { status: "affected", version: "Versions before Hibernate ORM 5.5.0.Beta1", }, ], }, ], descriptions: [ { lang: "en", value: "A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. 
This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.", }, ], problemTypes: [ { descriptions: [ { description: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-02-10T09:07:46", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1666499", }, { name: "[turbine-dev] 20211015 Fulcrum Security Hibernate Module", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20220210-0020/", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2019-14900", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Hibernate", version: { version_data: [ { version_value: "Versions before Hibernate ORM 5.3.18", }, { version_value: "Versions before Hibernate ORM 5.4.18", }, { version_value: "Versions before Hibernate ORM 5.5.0.Beta1", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. 
This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", }, ], }, ], }, references: { reference_data: [ { name: "https://bugzilla.redhat.com/show_bug.cgi?id=1666499", refsource: "MISC", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1666499", }, { name: "[turbine-dev] 20211015 Fulcrum Security Hibernate Module", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44@%3Cdev.turbine.apache.org%3E", }, { name: "https://security.netapp.com/advisory/ntap-20220210-0020/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20220210-0020/", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2019-14900", datePublished: "2020-07-06T18:35:01", dateReserved: "2019-08-10T00:00:00", dateUpdated: "2024-08-05T00:26:39.118Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-13692
Vulnerability from cvelistv5
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T12:25:16.487Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.13", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20200619-0005/", }, { name: "[camel-commits] 20200723 [GitHub] [camel] mmelko opened a new pull request #4038: Update pgjdbc driver verion, that includes fix for CVE-2020-13692", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r00bcc6b2da972e0d6332a4ebc7807e17305d8b8e7fb2ae63d2a3cbfb%40%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20200723 [GitHub] [camel] mmelko opened a new pull request #4037: Update pgjdbc driver verion, that includes fix for CVE-2020-13692", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r7f6d019839df17646ffd0046a99146cacf40492a6c92078f65fd32e0%40%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20200723 [GitHub] [camel] oscerd merged pull request #4038: Update pgjdbc driver version, that includes fix for CVE-2020-13692", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r1aae77706aab7d89b4fe19be468fc3c73e9cc84ff79cc2c3bd07c05a%40%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20200723 [GitHub] [camel] oscerd merged pull request #4037: Update pgjdbc driver version, that includes fix for CVE-2020-13692", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: 
"https://lists.apache.org/thread.html/r0478a1aa9ae0dbd79d8f7b38d0d93fa933ac232e2b430b6f31a103c0%40%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20200723 [camel] branch master updated: Update pgjdbc driver version, that includes fix for CVE-2020-13692 (#4037)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r01ae1b3d981cf2e563e9b5b0a6ea54fb3cac8e9a0512ee5269e3420e%40%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20200723 [camel] branch camel-3.4.x updated: Update pgjdbc driver version, that includes fix for CVE-2020-13692 (#4038)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r631f967db6260d6178740a3314a35d9421facd8212e62320275fa78e%40%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20200723 [GitHub] [camel] oscerd commented on pull request #4038: Update pgjdbc driver version, that includes fix for CVE-2020-13692", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rfe363bf3a46d440ad57fd05c0e313025c7218364bbdc5fd8622ea7ae%40%3Ccommits.camel.apache.org%3E", }, { name: "[netbeans-notifications] 20200731 [GitHub] [netbeans] pepness opened a new pull request #2284: [NETBEANS-4664] - Upgrade JDBC PostgreSQL from 42.2.10 to 42.2.14", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r4bdea189c9991aae7a929d28f575ec46e49ed3d68fa5235825f38a4f%40%3Cnotifications.netbeans.apache.org%3E", }, { name: "[netbeans-notifications] 20200803 [GitHub] [netbeans] neilcsmith-net commented on pull request #2284: [NETBEANS-4664] - Upgrade JDBC PostgreSQL from 42.2.10 to 42.2.14", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rb89f92aba44f524d5c270e0c44ca7aec4704691c37fe106cf73ec977%40%3Cnotifications.netbeans.apache.org%3E", }, { name: 
"FEDORA-2020-5a31ccfe66", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCCAPM6FSNOC272DLSNQ6YHXS3OMHGJC/", }, { name: "DSA-5196", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2022/dsa-5196", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-07-31T19:06:12", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.13", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20200619-0005/", }, { name: "[camel-commits] 20200723 [GitHub] [camel] mmelko opened a new pull request #4038: Update pgjdbc driver verion, that includes fix for CVE-2020-13692", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r00bcc6b2da972e0d6332a4ebc7807e17305d8b8e7fb2ae63d2a3cbfb%40%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20200723 [GitHub] [camel] mmelko opened a new pull request #4037: Update pgjdbc driver verion, that includes fix for CVE-2020-13692", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r7f6d019839df17646ffd0046a99146cacf40492a6c92078f65fd32e0%40%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20200723 [GitHub] [camel] oscerd merged pull 
request #4038: Update pgjdbc driver version, that includes fix for CVE-2020-13692", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r1aae77706aab7d89b4fe19be468fc3c73e9cc84ff79cc2c3bd07c05a%40%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20200723 [GitHub] [camel] oscerd merged pull request #4037: Update pgjdbc driver version, that includes fix for CVE-2020-13692", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r0478a1aa9ae0dbd79d8f7b38d0d93fa933ac232e2b430b6f31a103c0%40%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20200723 [camel] branch master updated: Update pgjdbc driver version, that includes fix for CVE-2020-13692 (#4037)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r01ae1b3d981cf2e563e9b5b0a6ea54fb3cac8e9a0512ee5269e3420e%40%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20200723 [camel] branch camel-3.4.x updated: Update pgjdbc driver version, that includes fix for CVE-2020-13692 (#4038)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r631f967db6260d6178740a3314a35d9421facd8212e62320275fa78e%40%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20200723 [GitHub] [camel] oscerd commented on pull request #4038: Update pgjdbc driver version, that includes fix for CVE-2020-13692", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rfe363bf3a46d440ad57fd05c0e313025c7218364bbdc5fd8622ea7ae%40%3Ccommits.camel.apache.org%3E", }, { name: "[netbeans-notifications] 20200731 [GitHub] [netbeans] pepness opened a new pull request #2284: [NETBEANS-4664] - Upgrade JDBC PostgreSQL from 42.2.10 to 42.2.14", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r4bdea189c9991aae7a929d28f575ec46e49ed3d68fa5235825f38a4f%40%3Cnotifications.netbeans.apache.org%3E", }, { name: 
"[netbeans-notifications] 20200803 [GitHub] [netbeans] neilcsmith-net commented on pull request #2284: [NETBEANS-4664] - Upgrade JDBC PostgreSQL from 42.2.10 to 42.2.14", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rb89f92aba44f524d5c270e0c44ca7aec4704691c37fe106cf73ec977%40%3Cnotifications.netbeans.apache.org%3E", }, { name: "FEDORA-2020-5a31ccfe66", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCCAPM6FSNOC272DLSNQ6YHXS3OMHGJC/", }, { name: "DSA-5196", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2022/dsa-5196", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2020-13692", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65", refsource: "CONFIRM", url: "https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65", }, { name: "https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.13", refsource: "CONFIRM", url: "https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.13", }, { name: "https://security.netapp.com/advisory/ntap-20200619-0005/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20200619-0005/", }, { name: "[camel-commits] 20200723 [GitHub] [camel] mmelko opened a new pull request #4038: Update 
pgjdbc driver verion, that includes fix for CVE-2020-13692", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r00bcc6b2da972e0d6332a4ebc7807e17305d8b8e7fb2ae63d2a3cbfb@%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20200723 [GitHub] [camel] mmelko opened a new pull request #4037: Update pgjdbc driver verion, that includes fix for CVE-2020-13692", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r7f6d019839df17646ffd0046a99146cacf40492a6c92078f65fd32e0@%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20200723 [GitHub] [camel] oscerd merged pull request #4038: Update pgjdbc driver version, that includes fix for CVE-2020-13692", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r1aae77706aab7d89b4fe19be468fc3c73e9cc84ff79cc2c3bd07c05a@%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20200723 [GitHub] [camel] oscerd merged pull request #4037: Update pgjdbc driver version, that includes fix for CVE-2020-13692", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r0478a1aa9ae0dbd79d8f7b38d0d93fa933ac232e2b430b6f31a103c0@%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20200723 [camel] branch master updated: Update pgjdbc driver version, that includes fix for CVE-2020-13692 (#4037)", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r01ae1b3d981cf2e563e9b5b0a6ea54fb3cac8e9a0512ee5269e3420e@%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20200723 [camel] branch camel-3.4.x updated: Update pgjdbc driver version, that includes fix for CVE-2020-13692 (#4038)", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r631f967db6260d6178740a3314a35d9421facd8212e62320275fa78e@%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20200723 [GitHub] [camel] oscerd commented on pull request #4038: Update pgjdbc driver version, that includes fix for CVE-2020-13692", refsource: "MLIST", url: 
"https://lists.apache.org/thread.html/rfe363bf3a46d440ad57fd05c0e313025c7218364bbdc5fd8622ea7ae@%3Ccommits.camel.apache.org%3E", }, { name: "[netbeans-notifications] 20200731 [GitHub] [netbeans] pepness opened a new pull request #2284: [NETBEANS-4664] - Upgrade JDBC PostgreSQL from 42.2.10 to 42.2.14", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r4bdea189c9991aae7a929d28f575ec46e49ed3d68fa5235825f38a4f@%3Cnotifications.netbeans.apache.org%3E", }, { name: "[netbeans-notifications] 20200803 [GitHub] [netbeans] neilcsmith-net commented on pull request #2284: [NETBEANS-4664] - Upgrade JDBC PostgreSQL from 42.2.10 to 42.2.14", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rb89f92aba44f524d5c270e0c44ca7aec4704691c37fe106cf73ec977@%3Cnotifications.netbeans.apache.org%3E", }, { name: "FEDORA-2020-5a31ccfe66", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DCCAPM6FSNOC272DLSNQ6YHXS3OMHGJC/", }, { name: "DSA-5196", refsource: "DEBIAN", url: "https://www.debian.org/security/2022/dsa-5196", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2020-13692", datePublished: "2020-06-04T15:07:37", dateReserved: "2020-05-28T00:00:00", dateUpdated: "2024-08-04T12:25:16.487Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-25638
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=1881353 | x_refsource_MISC | |
https://lists.debian.org/debian-lts-announce/2021/01/msg00000.html | mailing-list, x_refsource_MLIST | |
https://www.debian.org/security/2021/dsa-4908 | vendor-advisory, x_refsource_DEBIAN | |
https://www.oracle.com//security-alerts/cpujul2021.html | x_refsource_MISC | |
https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E | mailing-list, x_refsource_MLIST | |
https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df%40%3Ccommits.turbine.apache.org%3E | mailing-list, x_refsource_MLIST | |
https://www.oracle.com/security-alerts/cpuapr2022.html | x_refsource_MISC | |
https://www.oracle.com/security-alerts/cpujul2022.html | x_refsource_MISC |
Vendor | Product | Version |
---|---|---|
n/a | hibernate-core | Hibernate ORM versions before 5.4.24.Final |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T15:40:35.438Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1881353", }, { name: "[debian-lts-announce] 20210103 [SECURITY] [DLA 2512-1] libhibernate3-java security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2021/01/msg00000.html", }, { name: "DSA-4908", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2021/dsa-4908", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "[turbine-dev] 20211015 Fulcrum Security Hibernate Module", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E", }, { name: "[turbine-commits] 20211018 [turbine-fulcrum-security] 02/02: disable module hibernate (JIRA issue TRB-103), update docs, remove suppression", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df%40%3Ccommits.turbine.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, ], title: "CVE Program Container", }, { metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, }, { other: { content: { id: "CVE-2020-25638", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-04-23T13:32:13.458483Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-04-23T19:47:38.454Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "hibernate-core", vendor: "n/a", versions: [ { status: "affected", version: "Hibernate ORM versions before 5.4.24.Final", }, ], }, ], descriptions: [ { lang: "en", value: "A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. 
The highest threat from this vulnerability is to data confidentiality and integrity.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-89", description: "CWE-89", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-07-25T16:15:21.000Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1881353", }, { name: "[debian-lts-announce] 20210103 [SECURITY] [DLA 2512-1] libhibernate3-java security update", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.debian.org/debian-lts-announce/2021/01/msg00000.html", }, { name: "DSA-4908", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2021/dsa-4908", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "[turbine-dev] 20211015 Fulcrum Security Hibernate Module", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E", }, { name: "[turbine-commits] 20211018 [turbine-fulcrum-security] 02/02: disable module hibernate (JIRA issue TRB-103), update docs, remove suppression", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df%40%3Ccommits.turbine.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2020-25638", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "hibernate-core", version: { version_data: [ { version_value: "Hibernate ORM versions before 5.4.24.Final", 
}, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-89", }, ], }, ], }, references: { reference_data: [ { name: "https://bugzilla.redhat.com/show_bug.cgi?id=1881353", refsource: "MISC", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1881353", }, { name: "[debian-lts-announce] 20210103 [SECURITY] [DLA 2512-1] libhibernate3-java security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2021/01/msg00000.html", }, { name: "DSA-4908", refsource: "DEBIAN", url: "https://www.debian.org/security/2021/dsa-4908", }, { name: "https://www.oracle.com//security-alerts/cpujul2021.html", refsource: "MISC", url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "[turbine-dev] 20211015 Fulcrum Security Hibernate Module", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44@%3Cdev.turbine.apache.org%3E", }, { name: "[turbine-commits] 20211018 [turbine-fulcrum-security] 02/02: disable module hibernate (JIRA issue TRB-103), update docs, remove suppression", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df@%3Ccommits.turbine.apache.org%3E", }, { name: "https://www.oracle.com/security-alerts/cpuapr2022.html", refsource: "MISC", url: 
"https://www.oracle.com/security-alerts/cpuapr2022.html", }, { name: "https://www.oracle.com/security-alerts/cpujul2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2020-25638", datePublished: "2020-12-02T14:36:24.000Z", dateReserved: "2020-09-16T00:00:00.000Z", dateUpdated: "2025-04-23T19:47:38.454Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-29428
Vulnerability from cvelistv5
▼ | URL | Tags |
---|---|---|
https://docs.gradle.org/7.0/release-notes.html#security-advisories | x_refsource_MISC | |
https://github.com/gradle/gradle/security/advisories/GHSA-89qm-pxvm-p336 | x_refsource_CONFIRM | |
https://github.com/gradle/gradle/pull/15654 | x_refsource_MISC | |
https://github.com/gradle/gradle/pull/15240 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T22:02:51.887Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://docs.gradle.org/7.0/release-notes.html#security-advisories", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/gradle/gradle/security/advisories/GHSA-89qm-pxvm-p336", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/gradle/gradle/pull/15654", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/gradle/gradle/pull/15240", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "gradle", vendor: "gradle", versions: [ { status: "affected", version: "< 7.0", }, ], }, ], descriptions: [ { lang: "en", value: "In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory. This vulnerability impacted builds using precompiled script plugins written in Kotlin DSL and tests for Gradle plugins written using ProjectBuilder or TestKit. If you are on Windows or modern versions of macOS, you are not vulnerable. If you are on a Unix-like operating system with the \"sticky\" bit set on your system temporary directory, you are not vulnerable. The problem has been patched and released with Gradle 7.0. As a workaround, on Unix-like operating systems, ensure that the \"sticky\" bit is set. This only allows the original user (or root) to delete a file. If you are unable to change the permissions of the system temporary directory, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only. 
For additional details refer to the referenced GitHub Security Advisory.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-379", description: "CWE-379 Creation of Temporary File in Directory with Incorrect Permissions", lang: "en", type: "CWE", }, ], }, { descriptions: [ { cweId: "CWE-378", description: "CWE-378: Creation of Temporary File With Insecure Permissions", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-04-13T17:55:18", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://docs.gradle.org/7.0/release-notes.html#security-advisories", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/gradle/gradle/security/advisories/GHSA-89qm-pxvm-p336", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/gradle/gradle/pull/15654", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/gradle/gradle/pull/15240", }, ], source: { advisory: "GHSA-89qm-pxvm-p336", discovery: "UNKNOWN", }, title: "Local privilege escalation through system temporary directory", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security-advisories@github.com", ID: "CVE-2021-29428", STATE: "PUBLIC", TITLE: "Local privilege escalation through system temporary directory", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "gradle", version: { version_data: [ { version_value: "< 7.0", }, ], }, }, ], }, vendor_name: "gradle", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "In Gradle before version 7.0, 
on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory. This vulnerability impacted builds using precompiled script plugins written in Kotlin DSL and tests for Gradle plugins written using ProjectBuilder or TestKit. If you are on Windows or modern versions of macOS, you are not vulnerable. If you are on a Unix-like operating system with the \"sticky\" bit set on your system temporary directory, you are not vulnerable. The problem has been patched and released with Gradle 7.0. As a workaround, on Unix-like operating systems, ensure that the \"sticky\" bit is set. This only allows the original user (or root) to delete a file. If you are unable to change the permissions of the system temporary directory, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only. 
For additional details refer to the referenced GitHub Security Advisory.", }, ], }, impact: { cvss: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-379 Creation of Temporary File in Directory with Incorrect Permissions", }, ], }, { description: [ { lang: "eng", value: "CWE-378: Creation of Temporary File With Insecure Permissions", }, ], }, ], }, references: { reference_data: [ { name: "https://docs.gradle.org/7.0/release-notes.html#security-advisories", refsource: "MISC", url: "https://docs.gradle.org/7.0/release-notes.html#security-advisories", }, { name: "https://github.com/gradle/gradle/security/advisories/GHSA-89qm-pxvm-p336", refsource: "CONFIRM", url: "https://github.com/gradle/gradle/security/advisories/GHSA-89qm-pxvm-p336", }, { name: "https://github.com/gradle/gradle/pull/15654", refsource: "MISC", url: "https://github.com/gradle/gradle/pull/15654", }, { name: "https://github.com/gradle/gradle/pull/15240", refsource: "MISC", url: "https://github.com/gradle/gradle/pull/15240", }, ], }, source: { advisory: "GHSA-89qm-pxvm-p336", discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2021-29428", datePublished: "2021-04-13T17:55:18", dateReserved: "2021-03-30T00:00:00", dateUpdated: "2024-08-03T22:02:51.887Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
Vulnerability from fkie_nvd
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*", matchCriteriaId: "5E687331-EF1E-42A3-8CCD-8F231E48F79C", versionEndExcluding: "4.1.59", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", matchCriteriaId: "DEECE5FC-CACF-4496-A3E7-164736409252", vulnerable: true, }, { criteria: "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", matchCriteriaId: "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "64839EBF-078E-492A-897C-9AFFB7678ED8", versionEndIncluding: "1.13.7", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*", matchCriteriaId: "0CF9A061-2421-426D-9854-0A4E55B2961D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*", matchCriteriaId: "F95EDC3D-54BB-48F9-82F2-7CCF335FCA78", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*", matchCriteriaId: "B72B735F-4E52-484A-9C2C-23E6E2070385", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*", matchCriteriaId: "8B36A1D4-F391-4EE3-9A65-0A10568795BA", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*", matchCriteriaId: "55116032-AAD1-4FEA-9DA8-2C4CBD3D3F61", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*", matchCriteriaId: "0275F820-40BE-47B8-B167-815A55DF578E", vulnerable: true, }, { criteria: 
"cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2.0:*:*:*:*:*:*:*", matchCriteriaId: "9E14324D-B9EE-4C06-ACC7-255189ED6300", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:*", matchCriteriaId: "CBEBB60F-6EAB-4AE5-B777-5044C657FBA8", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*", matchCriteriaId: "B185C1EA-71E6-4972-8637-08A33CC00841", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.3:*:*:*:*:*:*:*", matchCriteriaId: "06594847-96ED-4541-B2F4-C7331B603603", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_design_studio:7.4.2:*:*:*:*:*:*:*", matchCriteriaId: "A67AA54B-258D-4D09-9ACB-4085E0B3E585", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*", matchCriteriaId: "E1214FDF-357A-4BB9-BADE-50FB2BD16D10", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:*", matchCriteriaId: "D04565AE-D092-4AE0-8FEE-0E8114662A1B", versionEndExcluding: "20.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*", matchCriteriaId: "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", matchCriteriaId: "B55E8D50-99B4-47EC-86F9-699B67D473CE", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*", matchCriteriaId: "F0F202E8-97E6-4BBB-A0B6-4CA3F5803C08", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*", matchCriteriaId: "BDFB1169-41A0-4A86-8E4F-FDA9730B1E94", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Netty is an open-source, asynchronous event-driven network 
application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method \"File.createTempFile\" on unix-like systems creates a random file, but, by default will create this file with the permissions \"-rw-r--r--\". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's \"AbstractDiskHttpData\" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own \"java.io.tmpdir\" when you start the JVM or use \"DefaultHttpDataFactory.setBaseDir(...)\" to set the directory to something that is only readable by the current user.", }, { lang: "es", value: "Netty es un framework de aplicación de red de código abierto y asíncrono controlado por eventos para el desarrollo rápido de servidores y clientes de protocolo de alto rendimiento mantenibles. En Netty anterior a la versión 4.1.59.Final, se presenta una vulnerabilidad en sistemas similares a Unix que involucra un archivo temporal no seguro. Cuando se usan los decodificadores multiparte de netty, la divulgación de información local puede ocurrir por medio del directorio temporal del sistema local si el almacenamiento temporal de cargas en el disco está habilitado. En sistemas tipo Unix, el directorio temporal se comparte entre todos los usuarios. 
Tal y como, escribir en este directorio utilizando las API que no establezcan explícitamente los permisos de archivo/directorio puede conducir a una divulgación de información. Cabe señalar que esto no afecta a los sistemas operativos MacOS modernos. El método \"File.createTempFile\" en sistemas similares a Unix crea un archivo aleatorio, pero, por defecto creará este archivo con los permisos \"-rw-r - r--\". Por lo tanto, si se escribe información confidencial en este archivo, otros usuarios locales pueden leer esta información. Este es el caso en el que \"AbstractDiskHttpData\" de netty es vulnerable. Esto ha sido corregido en la versión 4.1.59.Final. Como solución alternativa, se puede especificar su propio \"java.io.tmpdir\" al iniciar la JVM o utilizar \"DefaultHttpDataFactory.setBaseDir(...)\" para establecer el directorio en algo que solo el usuario actual pueda leer", }, ], id: "CVE-2021-21290", lastModified: "2024-11-21T05:47:56.677", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "NONE", baseScore: 1.9, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:L/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 3.4, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.2, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.5, impactScore: 3.6, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", 
attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-02-08T20:15:12.433", references: [ { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec", }, { source: "security-advisories@github.com", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r0053443ce19ff125981559f8c51cf66e3ab4350f47812b8cf0733a05%40%3Cdev.kafka.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f%40%3Cdev.ranger.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r0857b613604c696bf9743f0af047360baaded48b1c75cf6945a083c5%40%3Cjira.kafka.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r10308b625e49d4e9491d7e079606ca0df2f0a4d828f1ad1da64ba47b%40%3Cjira.kafka.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904%40%3Cdev.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r2748097ea4b774292539cf3de6e3b267fc7a88d6c8ec40f4e2e87bd4%40%3Cdev.kafka.apache.org%3E", }, { source: "security-advisories@github.com", url: 
"https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059%40%3Cjira.kafka.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r326ec431f06eab7cb7113a7a338e59731b8d556d05258457f12bac1b%40%3Cdev.kafka.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r4efed2c501681cb2e8d629da16e48d9eac429624fd4c9a8c6b8e7020%40%3Cdev.tinkerpop.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41%40%3Cjira.kafka.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r5bf303d7c04da78f276765da08559fdc62420f1df539b277ca31f63b%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r5c701840aa2845191721e39821445e1e8c59711e71942b7796a6ec29%40%3Cusers.activemq.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r5e4a540089760c8ecc2c411309d74264f1dad634ad93ad583ca16214%40%3Ccommits.kafka.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700%40%3Cjira.kafka.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r71dbb66747ff537640bb91eb0b2b24edef21ac07728097016f58b01f%40%3Ccommits.kafka.apache.org%3E", }, { source: 
"security-advisories@github.com", url: "https://lists.apache.org/thread.html/r743149dcc8db1de473e6bff0b3ddf10140a7357bc2add75f7d1fbb12%40%3Cdev.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890%40%3Cissues.bookkeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5%40%3Cdev.ranger.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48%40%3Ccommits.pulsar.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/ra0fc2b4553dd7aaf75febb61052b7f1243ac3a180a71c01f29093013%40%3Cjira.kafka.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/ra503756ced78fdc2136bd33e87cb7553028645b261b1f5c6186a121e%40%3Cjira.kafka.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4%40%3Cdev.kafka.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325%40%3Ccommits.pulsar.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rc488f80094872ad925f0c73d283d4c00d32def81977438e27a3dc2bb%40%3Cjira.kafka.apache.org%3E", }, 
{ source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d%40%3Ccommits.pulsar.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rdba4f78ac55f803893a1a2265181595e79e3aa027e2e651dfba98c18%40%3Cjira.kafka.apache.org%3E", }, { source: "security-advisories@github.com", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2021/02/msg00016.html", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220210-0011/", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2021/dsa-4885", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r0053443ce19ff125981559f8c51cf66e3ab4350f47812b8cf0733a05%40%3Cdev.kafka.apache.org%3E", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f%40%3Cdev.ranger.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r0857b613604c696bf9743f0af047360baaded48b1c75cf6945a083c5%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r10308b625e49d4e9491d7e079606ca0df2f0a4d828f1ad1da64ba47b%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904%40%3Cdev.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r2748097ea4b774292539cf3de6e3b267fc7a88d6c8ec40f4e2e87bd4%40%3Cdev.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r326ec431f06eab7cb7113a7a338e59731b8d556d05258457f12bac1b%40%3Cdev.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r4efed2c501681cb2e8d629da16e48d9eac429624fd4c9a8c6b8e7020%40%3Cdev.tinkerpop.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r5bf303d7c04da78f276765da08559fdc62420f1df539b277ca31f63b%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r5c701840aa2845191721e39821445e1e8c59711e71942b7796a6ec29%40%3Cusers.activemq.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r5e4a540089760c8ecc2c411309d74264f1dad634ad93ad583ca16214%40%3Ccommits.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r71dbb66747ff537640bb91eb0b2b24edef21ac07728097016f58b01f%40%3Ccommits.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r743149dcc8db1de473e6bff0b3ddf10140a7357bc2add75f7d1fbb12%40%3Cdev.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890%40%3Cissues.bookkeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5%40%3Cdev.ranger.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48%40%3Ccommits.pulsar.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/ra0fc2b4553dd7aaf75febb61052b7f1243ac3a180a71c01f29093013%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/ra503756ced78fdc2136bd33e87cb7553028645b261b1f5c6186a121e%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4%40%3Cdev.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325%40%3Ccommits.pulsar.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rc488f80094872ad925f0c73d283d4c00d32def81977438e27a3dc2bb%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d%40%3Ccommits.pulsar.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rdba4f78ac55f803893a1a2265181595e79e3aa027e2e651dfba98c18%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2021/02/msg00016.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220210-0011/", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2021/dsa-4885", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-378", }, { lang: "en", value: "CWE-379", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-668", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*", matchCriteriaId: "BC283248-0EB5-46CA-A68C-4FF004D606F8", versionEndExcluding: "4.1.61", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", matchCriteriaId: "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:oncommand_api_services:-:*:*:*:*:*:*:*", matchCriteriaId: "5EC98B22-FFAA-4B59-8E63-EBAA4336AD13", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", matchCriteriaId: "5735E553-9731-4AAC-BCFF-989377F817B3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*", matchCriteriaId: "0CF9A061-2421-426D-9854-0A4E55B2961D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*", matchCriteriaId: "F95EDC3D-54BB-48F9-82F2-7CCF335FCA78", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*", matchCriteriaId: "B72B735F-4E52-484A-9C2C-23E6E2070385", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*", matchCriteriaId: "8B36A1D4-F391-4EE3-9A65-0A10568795BA", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*", matchCriteriaId: "55116032-AAD1-4FEA-9DA8-2C4CBD3D3F61", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*", matchCriteriaId: "0275F820-40BE-47B8-B167-815A55DF578E", vulnerable: true, }, { criteria: 
"cpe:2.3:a:oracle:banking_trade_finance_process_management:14.2.0:*:*:*:*:*:*:*", matchCriteriaId: "9E14324D-B9EE-4C06-ACC7-255189ED6300", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.3.0:*:*:*:*:*:*:*", matchCriteriaId: "CBEBB60F-6EAB-4AE5-B777-5044C657FBA8", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_trade_finance_process_management:14.5.0:*:*:*:*:*:*:*", matchCriteriaId: "B185C1EA-71E6-4972-8637-08A33CC00841", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:coherence:12.2.1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "2FF57C7A-92C9-4D71-A7B1-CC9DEFAA8193", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:*", matchCriteriaId: "5FA64A1D-34F9-4441-857A-25C165E6DBB6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.3:*:*:*:*:*:*:*", matchCriteriaId: "06594847-96ED-4541-B2F4-C7331B603603", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_console:1.7.0:*:*:*:*:*:*:*", matchCriteriaId: "BC12B43F-30F6-4B05-AB3A-E91D8404D5A5", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*", matchCriteriaId: "4479F76A-4B67-41CC-98C7-C76B81050F8E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_design_studio:7.4.2.0.0:*:*:*:*:*:*:*", matchCriteriaId: "040DA31B-2A0C-46F6-8EDF-9B88F9FB0F48", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*", matchCriteriaId: "E1214FDF-357A-4BB9-BADE-50FB2BD16D10", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:helidon:1.4.10:*:*:*:*:*:*:*", matchCriteriaId: "4E7626D2-D9FF-416A-9581-852CED0D8C24", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:helidon:2.4.0:*:*:*:*:*:*:*", matchCriteriaId: "99344A5D-F4B7-49B4-9AE6-0E2FB3874EA5", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*", 
matchCriteriaId: "BE34D4F7-5C18-4578-8D0A-722FDF931333", versionEndExcluding: "9.2.6.3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:*", matchCriteriaId: "7167D144-C4AE-487F-B59A-888E10EA59DF", versionEndExcluding: "21.1.12", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", matchCriteriaId: "8B1C88FD-C2EC-4C96-AC7E-6F95C8763B48", versionEndIncluding: "17.12.11", versionStartIncluding: "17.12.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", matchCriteriaId: "53E2276C-9515-46F6-A621-213A3047B9A6", versionEndIncluding: "18.8.11", versionStartIncluding: "18.8.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", matchCriteriaId: "3EF7E2B4-B741-41E9-8EF6-6C415AB9EF54", versionEndIncluding: "19.12.10", versionStartIncluding: "19.12.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "64839EBF-078E-492A-897C-9AFFB7678ED8", versionEndIncluding: "1.13.7", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. 
This was fixed as part of 4.1.61.Final.", }, { lang: "es", value: "Netty es un framework de aplicación de red de código abierto y asíncrono event-driven para el desarrollo rápido de servidores y clientes de protocolo de alto rendimiento mantenibles. En Netty (io.netty:netty-codec-http2) versiones anteriores a 4.1.61.Final se presenta una vulnerabilidad que permite el trafico no autorizado de peticiones. El encabezado content-length no es comprobado correctamente si la petición solo usa un único Http2HeaderFrame con endStream establecido en verdadero. Esto podría conllevar al trafico no autorizado de peticiones si la petición se envía a un peer remoto y se traduce a HTTP/1.1. Este es un seguimiento de GHSA-wm47-8v5p-wjpj/CVE-2021-21295 que no pudo solucionar este caso. Esto se corrigió como parte de la versión 4.1.61.Final.", }, ], id: "CVE-2021-21409", lastModified: "2024-11-21T05:48:17.963", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 3.6, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: 
"NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-03-30T15:15:14.573", references: [ { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295", }, { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c%40%3Cissues.flink.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83%40%3Cissues.zookeeper.apache.org%3E", }, { source: 
"security-advisories@github.com", url: "https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5%40%3Ccommits.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d%40%3Cissues.kudu.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a%40%3Cissues.flink.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5%40%3Cissues.flink.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8%40%3Ccommits.pulsar.apache.org%3E", }, { source: "security-advisories@github.com", url: 
"https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355%40%3Ccommits.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de%40%3Cdev.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed%40%3Ccommits.pulsar.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e%40%3Cissues.flink.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2%40%3Ccommits.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898%40%3Cdev.flink.apache.org%3E", }, { source: 
"security-advisories@github.com", url: "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb%40%3Cissues.kudu.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa%40%3Cjira.kafka.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3%40%3Cissues.kudu.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362%40%3Cdev.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc%40%3Cissues.kudu.apache.org%3E", }, { source: "security-advisories@github.com", url: 
"https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101%40%3Ccommits.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e%40%3Ccommits.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324%40%3Cissues.flink.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575%40%3Cdev.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: 
"https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35%40%3Ccommits.pulsar.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b%40%3Cissues.kudu.apache.org%3E", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20210604-0003/", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2021/dsa-4885", }, { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], 
url: "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c%40%3Cissues.flink.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5%40%3Ccommits.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d%40%3Cissues.kudu.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E", }, 
{ source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a%40%3Cissues.flink.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5%40%3Cissues.flink.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8%40%3Ccommits.pulsar.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355%40%3Ccommits.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de%40%3Cdev.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed%40%3Ccommits.pulsar.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e%40%3Cissues.flink.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2%40%3Ccommits.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898%40%3Cdev.flink.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb%40%3Cissues.kudu.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3%40%3Cissues.kudu.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362%40%3Cdev.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc%40%3Cissues.kudu.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101%40%3Ccommits.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e%40%3Ccommits.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324%40%3Cissues.flink.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575%40%3Cdev.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35%40%3Ccommits.pulsar.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b%40%3Cissues.kudu.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20210604-0003/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2021/dsa-4885", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-444", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-444", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
▼ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=2062520 | Issue Tracking, Third Party Advisory | |
secalert@redhat.com | https://github.com/quarkusio/quarkus/issues/23269 | Exploit, Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=2062520 | Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/quarkusio/quarkus/issues/23269 | Exploit, Issue Tracking, Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "F05F34FF-5EFC-4877-8E43-6FD74F2227FF", versionEndExcluding: "2.7.1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A flaw was found in Quarkus. The state and potentially associated permissions can leak from one web request to another in RestEasy Reactive. This flaw allows a low-privileged user to perform operations on the database with a different set of privileges than intended.", }, { lang: "es", value: "Se ha encontrado un fallo en Quarkus. El estado y los permisos potencialmente asociados pueden filtrarse de una petición web a otra en RestEasy Reactive. Este fallo permite a un usuario con pocos privilegios llevar a cabo operaciones en la base de datos con un conjunto de privilegios diferente al previsto", }, ], id: "CVE-2022-0981", lastModified: "2024-11-21T06:39:47.570", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: 
"2022-03-23T20:15:10.663", references: [ { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2062520", }, { source: "secalert@redhat.com", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/quarkusio/quarkus/issues/23269", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2062520", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/quarkusio/quarkus/issues/23269", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-863", }, ], source: "secalert@redhat.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-863", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
▼ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | https://access.redhat.com/security/cve/CVE-2023-5720 | Vendor Advisory | |
secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=2245700 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/security/cve/CVE-2023-5720 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=2245700 | Issue Tracking, Vendor Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "C787DE6A-4365-4B6E-A6A7-A92EB9BFE60A", versionEndExcluding: "3.2.8", versionStartIncluding: "3.0.1", vulnerable: true, }, { criteria: "cpe:2.3:a:quarkus:quarkus:3.0.0:candidate_release1:*:*:*:*:*:*", matchCriteriaId: "8232F2FC-E50E-43FE-9666-3BE3BE9BF40C", vulnerable: true, }, { criteria: "cpe:2.3:a:quarkus:quarkus:3.0.0:candidate_release2:*:*:*:*:*:*", matchCriteriaId: "FCDBF169-8132-4EDE-8F37-70400502676A", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A flaw was found in Quarkus, where it does not properly sanitize artifacts created using the Gradle plugin, allowing certain build system information to remain. This flaw allows an attacker to access potentially sensitive information from the build system within the application.", }, { lang: "es", value: "Se encontró una falla en Quarkus, donde no sanitiza adecuadamente los artefactos creados con el complemento Gradle, lo que permite que permanezca cierta información del sistema de compilación. 
Esta falla permite a un atacante acceder a información potencialmente confidencial desde el sistema de compilación dentro de la aplicación.", }, ], id: "CVE-2023-5720", lastModified: "2024-11-21T08:42:21.153", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.1, impactScore: 4, source: "secalert@redhat.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-11-15T14:15:07.900", references: [ { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2023-5720", }, { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2245700", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2023-5720", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2245700", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-526", }, ], source: "secalert@redhat.com", type: "Secondary", }, { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: 
"nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
▼ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://docs.gradle.org/7.0/release-notes.html#security-advisories | Release Notes, Vendor Advisory | |
security-advisories@github.com | https://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8 | Exploit, Mitigation, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://docs.gradle.org/7.0/release-notes.html#security-advisories | Release Notes, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8 | Exploit, Mitigation, Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:gradle:gradle:*:*:*:*:*:*:*:*", matchCriteriaId: "1CBD5FF7-3589-474C-8BA7-0385D3E4BC0F", versionEndExcluding: "7.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "EF712520-1CFD-473A-B3F5-3CDDFE9C2C9A", versionEndIncluding: "2.2.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded into the system temporary directory first. Sensitive information contained in these files can be exposed to other local users on the same system. If you do not use the `TextResourceFactory` API, you are not vulnerable. As of Gradle 7.0, uses of the system temporary directory have been moved to the Gradle User Home directory. By default, this directory is restricted to the user running the build. As a workaround, set a more restrictive umask that removes read access to other users. When files are created in the system temporary directory, they will not be accessible to other users. If you are unable to change your system's umask, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only.", }, { lang: "es", value: "En Gradle versiones anteriores a 7.0, los archivos creados con permisos abiertos en el directorio temporal del sistema pueden permitir a un atacante acceder a la información descargada por Gradle. Algunas compilaciones pueden ser vulnerables a una divulgación de información local. 
Los archivos remotos a los que se accede por medio de TextResourceFactory son descargados primero en el directorio temporal del sistema. La información confidencial contenida en estos archivos puede ser expuesta a otros usuarios locales en el mismo sistema. Si no usa la API \"TextResourceFactory\", no es vulnerable. A partir de Gradle versión 7.0, los usos del directorio temporal del sistema han sido movidos al directorio Gradle User Home. Por defecto, este directorio está restringido al usuario que ejecuta la compilación. Como solución alternativa, establezca una máscara de usuario más restrictiva que elimine el acceso de lectura a otros usuarios. Cuando se crean archivos en el directorio temporal del sistema, no serán accesibles para otros usuarios. Si no puede cambiar la umask de su sistema, puede mover el directorio temporal de Java al configurar el System Property \"java.io.tmpdir\". La nueva ruta debe limitar los permisos solo al usuario de la compilación", }, ], id: "CVE-2021-29429", lastModified: "2024-11-21T06:01:04.717", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "NONE", baseScore: 1.9, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:L/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 3.4, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.5, impactScore: 1.4, source: 
"security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-04-12T22:15:13.320", references: [ { source: "security-advisories@github.com", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://docs.gradle.org/7.0/release-notes.html#security-advisories", }, { source: "security-advisories@github.com", tags: [ "Exploit", "Mitigation", "Third Party Advisory", ], url: "https://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://docs.gradle.org/7.0/release-notes.html#security-advisories", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Mitigation", "Third Party Advisory", ], url: "https://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-377", }, ], source: "security-advisories@github.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Vendor | Product | Version | |
---|---|---|---|
netty | netty | * | |
quarkus | quarkus | * | |
netapp | oncommand_workflow_automation | - | |
netapp | snapcenter | - | |
oracle | banking_deposits_and_lines_of_credit_servicing | 2.7 | |
oracle | banking_party_management | 2.7.0 | |
oracle | banking_platform | 2.6.2 | |
oracle | coherence | 12.2.1.4.0 | |
oracle | coherence | 14.1.1.0.0 | |
oracle | communications_cloud_native_core_binding_support_function | 1.11.0 | |
oracle | communications_cloud_native_core_network_slice_selection_function | 1.8.0 | |
oracle | communications_cloud_native_core_policy | 1.15.0 | |
oracle | communications_cloud_native_core_security_edge_protection_proxy | 1.7.0 | |
oracle | communications_cloud_native_core_unified_data_repository | 1.15.0 | |
oracle | communications_design_studio | 7.4.2 | |
oracle | communications_instant_messaging_server | 8.1 | |
oracle | helidon | 1.4.10 | |
oracle | helidon | 2.4.0 | |
oracle | peoplesoft_enterprise_peopletools | 8.58 | |
oracle | peoplesoft_enterprise_peopletools | 8.59 | |
debian | debian_linux | 10.0 | |
debian | debian_linux | 11.0 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*", matchCriteriaId: "F63C0F0C-1D4C-4383-820A-9325DE306780", versionEndExcluding: "4.1.71", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "9050DC4B-0A83-436F-9AE5-6DC28EC7F69D", versionEndExcluding: "2.5.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", matchCriteriaId: "5735E553-9731-4AAC-BCFF-989377F817B3", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*", matchCriteriaId: "BDFB1169-41A0-4A86-8E4F-FDA9730B1E94", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:banking_deposits_and_lines_of_credit_servicing:2.7:*:*:*:*:*:*:*", matchCriteriaId: "ED63D221-31FA-480F-802F-844334F429F5", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*", matchCriteriaId: "C542DC5E-6657-4178-9C69-46FD3C187D56", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*", matchCriteriaId: "132CE62A-FBFC-4001-81EC-35D81F73AF48", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:coherence:12.2.1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "2FF57C7A-92C9-4D71-A7B1-CC9DEFAA8193", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:*", matchCriteriaId: "5FA64A1D-34F9-4441-857A-25C165E6DBB6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:*:*:*:*:*:*:*", matchCriteriaId: "10323322-F6C0-4EA7-9344-736F7A80AA5F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*", matchCriteriaId: "3AA09838-BF13-46AC-BB97-A69F48B73A8A", 
vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*", matchCriteriaId: "B4367D9B-BF81-47AD-A840-AC46317C774D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.7.0:*:*:*:*:*:*:*", matchCriteriaId: "BD4349FE-EEF8-489A-8ABF-5FCD55EC6DE0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.15.0:*:*:*:*:*:*:*", matchCriteriaId: "C6EAA723-2A23-4151-930B-86ACF9CC1C0C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_design_studio:7.4.2:*:*:*:*:*:*:*", matchCriteriaId: "A67AA54B-258D-4D09-9ACB-4085E0B3E585", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_instant_messaging_server:8.1:*:*:*:*:*:*:*", matchCriteriaId: "47CE14F1-7E98-4C3B-A817-C54273F23464", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:helidon:1.4.10:*:*:*:*:*:*:*", matchCriteriaId: "4E7626D2-D9FF-416A-9581-852CED0D8C24", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:helidon:2.4.0:*:*:*:*:*:*:*", matchCriteriaId: "99344A5D-F4B7-49B4-9AE6-0E2FB3874EA5", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", matchCriteriaId: "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*", matchCriteriaId: "C8AF00C6-B97F-414D-A8DF-057E6BFD8597", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", matchCriteriaId: "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", vulnerable: true, }, { criteria: "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", matchCriteriaId: "FA6FEEC2-9F11-4643-8827-749718254FED", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Netty is an asynchronous event-driven network 
application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to \"sanitize\" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.", }, { lang: "es", value: "Netty es un marco de trabajo de aplicaciones de red asíncronas impulsadas por eventos para el desarrollo rápido de servidores y clientes de protocolo de alto rendimiento mantenibles. Netty antes de la versión 4.1.71.Final omite los caracteres de control cuando están presentes al principio/fin del nombre de la cabecera. En su lugar, debería fallar rápidamente ya que estos no están permitidos por la especificación y podrían llevar a un contrabando de peticiones HTTP. No hacer la validación podría causar que netty \"sanee\" los nombres de las cabeceras antes de reenviarlas a otro sistema remoto cuando se usa como proxy. Este sistema remoto ya no puede ver el uso inválido, y por lo tanto no hace la validación por sí mismo. 
Los usuarios deben actualizar a la versión 4.1.71.Final", }, ], id: "CVE-2021-43797", lastModified: "2024-11-21T06:29:48.490", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-12-09T19:15:07.960", references: [ { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq", }, { source: 
"security-advisories@github.com", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220107-0003/", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2023/dsa-5316", }, { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220107-0003/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2023/dsa-5316", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { 
description: [ { lang: "en", value: "CWE-444", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-444", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Vendor | Product | Version | |
---|---|---|---|
quarkus | quarkus | * | |
redhat | build_of_quarkus | - |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "0AA9910B-385F-4727-9B6C-CFD2EB67DD31", versionEndExcluding: "3.6.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:*:*:*:*", matchCriteriaId: "CE29B9D6-63DC-4779-ACE8-4E51E6A0AF37", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A flaw was found in Quarkus. This issue occurs when a request is received over websocket with no role-based permission specified on the GraphQL operation: Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and functionality outside of normal granted API permissions.", }, { lang: "es", value: "Se encontró un defecto en Quarkus. Este problema ocurre cuando se recibe una solicitud a través de websocket sin ningún permiso basado en roles especificado en la operación GraphQL: Quarkus procesa la solicitud sin autenticación a pesar de que el endpoint está protegido. 
Esto puede permitir que un atacante acceda a información y funcionalidad fuera de los permisos API normales otorgados.", }, ], id: "CVE-2023-6394", lastModified: "2024-11-21T08:43:46.407", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 5.2, source: "secalert@redhat.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 9.1, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.2, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-12-09T02:15:06.747", references: [ { source: "secalert@redhat.com", url: "https://access.redhat.com/errata/RHSA-2023:7612", }, { source: "secalert@redhat.com", url: "https://access.redhat.com/errata/RHSA-2023:7700", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2023-6394", }, { source: "secalert@redhat.com", tags: [ "Issue Tracking", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2252197", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://access.redhat.com/errata/RHSA-2023:7612", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2023-6394", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2252197", }, ], sourceIdentifier: 
"secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-862", }, ], source: "secalert@redhat.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-862", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*", matchCriteriaId: "DAAB7154-4DE8-4806-86D0-C1D33B84417B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*", matchCriteriaId: "3AA09838-BF13-46AC-BB97-A69F48B73A8A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*", matchCriteriaId: "B4367D9B-BF81-47AD-A840-AC46317C774D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.7.0:*:*:*:*:*:*:*", matchCriteriaId: "BD4349FE-EEF8-489A-8ABF-5FCD55EC6DE0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:mysql_connectors:*:*:*:*:*:*:*:*", matchCriteriaId: "4956B3D4-4B4B-4D63-87A0-03416A487A07", versionEndIncluding: "8.0.26", versionStartIncluding: "8.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "6677F86F-5933-460E-B978-23A4C1407CB0", versionEndExcluding: "2.2.4", vulnerable: true, }, { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "18DF6E75-8665-4E73-8E6F-634D8E581831", versionEndExcluding: "2.6.0", versionStartIncluding: "2.3.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. 
Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H).", }, { lang: "es", value: "Una vulnerabilidad en el producto MySQL Connectors de Oracle MySQL (componente: Connector/J). Las versiones compatibles que están afectadas son 8.0.26 y anteriores. Una vulnerabilidad difícil de explotar permite a un atacante muy privilegiado con acceso a la red por medio de múltiples protocolos comprometer a MySQL Connectors. Los ataques con éxito de esta vulnerabilidad pueden resultar en un acceso no autorizado a datos críticos o en el acceso completo a todos los datos accesibles de los Conectores MySQL y en la habilidad no autorizada de causar una suspensión o bloqueo repetible frecuentemente (DOS completa) de MySQL Connectors. CVSS 3.1 Puntuación Base 5.9 (impactos en la Confidencialidad y la Disponibilidad). 
Vector CVSS: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H)", }, ], id: "CVE-2021-2471", lastModified: "2024-11-21T06:03:11.010", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "COMPLETE", baseScore: 7.9, confidentialityImpact: "COMPLETE", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:S/C:C/I:N/A:C", version: "2.0", }, exploitabilityScore: 6.8, impactScore: 9.2, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H", version: "3.1", }, exploitabilityScore: 0.7, impactScore: 5.2, source: "secalert_us@oracle.com", type: "Secondary", }, ], }, published: "2021-10-20T11:16:17.117", references: [ { source: "secalert_us@oracle.com", tags: [ "Vendor Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { source: "secalert_us@oracle.com", tags: [ "Vendor Advisory", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, ], sourceIdentifier: "secalert_us@oracle.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:kafka:*:*:*:*:*:*:*:*", matchCriteriaId: "37D255E1-95C1-4A9B-B934-E2F0DB117CF2", versionEndExcluding: "2.6.3", versionStartIncluding: "2.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:kafka:*:*:*:*:*:*:*:*", matchCriteriaId: "E2F46DB5-7FE5-4496-AC7F-CA471BBE3866", versionEndExcluding: "2.7.2", versionStartIncluding: "2.7.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:kafka:2.8.0:-:*:*:*:*:*:*", matchCriteriaId: "AF660B80-E5F4-4253-95F6-91AABDDC8944", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "6677F86F-5933-460E-B978-23A4C1407CB0", versionEndExcluding: "2.2.4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:*:*:*:*:*:*:*:*", matchCriteriaId: "6894D860-000E-439D-8AB7-07E9B2ACC31B", versionEndExcluding: "12.0.0.4.6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.5.0:*:*:*:*:*:*:*", matchCriteriaId: "FD66C717-85E0-40E7-A51F-549C8196D557", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*", matchCriteriaId: "B4367D9B-BF81-47AD-A840-AC46317C774D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", matchCriteriaId: "16A8C8B8-1D49-4AE6-9581-8C9D6F2EEBFF", versionEndIncluding: "8.0.9.0", versionStartIncluding: "8.0.6.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", matchCriteriaId: "A5DCBA98-B60C-4D51-960D-2C0833762CC7", versionEndIncluding: "8.1.20", versionStartIncluding: "8.1.0.0.0", vulnerable: true, }, { criteria: 
"cpe:2.3:a:oracle:financial_services_behavior_detection_platform:*:*:*:*:*:*:*:*", matchCriteriaId: "147A4225-A2D5-4AA1-96D1-6D95A192B596", versionEndIncluding: "8.0.8.0", versionStartIncluding: "8.0.6.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.0:*:*:*:*:*:*:*", matchCriteriaId: "A4B3A10E-70A8-4332-8567-06AE2C45D3C6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.1:*:*:*:*:*:*:*", matchCriteriaId: "059F0D4E-B007-4986-AB95-89F11147CB2B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.0:*:*:*:*:*:*:*", matchCriteriaId: "6CAC78AD-86BB-4F06-B8CF-8E1329987F2F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.1:*:*:*:*:*:*:*", matchCriteriaId: "C64D669C-513E-4C53-8BB8-13EB336CDC3A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.2:*:*:*:*:*:*:*", matchCriteriaId: "D4BDDBCD-4038-4BEC-91DB-587C2FBC6369", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.0:*:*:*:*:*:*:*", matchCriteriaId: "F6394E90-2F2C-4955-9F97-BFED76D4333B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.1:*:*:*:*:*:*:*", matchCriteriaId: "5B5DC0C1-789B-4126-8C6D-DEDE83AA2D2E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.0:*:*:*:*:*:*:*", matchCriteriaId: "44563108-AD89-49A0-9FA5-7DE5A5601D2C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1:*:*:*:*:*:*:*", matchCriteriaId: "FCA5DC3F-E7D8-45E3-8114-2213EC631CDF", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*", matchCriteriaId: "202AD518-2E9B-4062-B063-9858AE1F9CE2", vulnerable: true, }, { criteria: 
"cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*", matchCriteriaId: "10864586-270E-4ACF-BDCC-ECFCD299305F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*", matchCriteriaId: "38340E3C-C452-4370-86D4-355B6B4E0A06", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*", matchCriteriaId: "E9C55C69-E22E-4B80-9371-5CD821D79FE2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.", }, { lang: "es", value: "Algunos componentes de Apache Kafka usan \"Arrays.equals\" para comprobar una contraseña o clave, lo cual es vulnerable a ataques de tiempo que hacen que los ataques de fuerza bruta para dichas credenciales tengan más probabilidades de éxito. Los usuarios deben actualizar a la versión 2.8.1 o superior, o a la 3.0.0 o superior, donde se ha corregido esta vulnerabilidad. 
Las versiones afectadas son Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1 y 2.8.0", }, ], id: "CVE-2021-38153", lastModified: "2024-11-21T06:16:30.110", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-09-22T09:15:07.847", references: [ { source: "security@apache.org", tags: [ "Vendor Advisory", ], url: "https://kafka.apache.org/cve-list", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cdev.kafka.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cusers.kafka.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c%40%3Cdev.kafka.apache.org%3E", }, { source: "security@apache.org", url: 
"https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cdev.kafka.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cusers.kafka.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cdev.kafka.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cusers.kafka.apache.org%3E", }, { source: "security@apache.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://kafka.apache.org/cve-list", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cdev.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cusers.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c%40%3Cdev.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cdev.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cusers.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cdev.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rd9ef217b09fdefaf32a4e1835b59b96629542db57e1f63edb8b006e6%40%3Cusers.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-203", }, ], source: "security@apache.org", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-203", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=1935927 | Issue Tracking, Third Party Advisory | |
secalert@redhat.com | https://www.oracle.com/security-alerts/cpuapr2022.html | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1935927 | Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpuapr2022.html | Patch, Third Party Advisory |
Vendor | Product | Version | |
---|---|---|---|
redhat | resteasy | * | |
netapp | oncommand_insight | - | |
quarkus | quarkus | * | |
oracle | communications_cloud_native_core_console | 1.9.0 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:resteasy:*:*:*:*:*:*:*:*", matchCriteriaId: "EDB9A229-3B62-487E-B31D-580445DAFE8D", versionEndIncluding: "4.6.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", matchCriteriaId: "F1BE6C1F-2565-4E97-92AA-16563E5660A5", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "5D115261-69F8-4854-B5DE-656858132B62", versionEndExcluding: "1.13.4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*", matchCriteriaId: "DAAB7154-4DE8-4806-86D0-C1D33B84417B", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.", }, { lang: "es", value: "Se detectó un fallo en RESTEasy en todas las versiones de RESTEasy hasta 4.6.0.Final. Los nombres de métodos y clases de endpoint son devueltos como parte de la respuesta de excepción cuando RESTEasy no puede convertir uno de los valores de consulta o ruta del URI de petición a el valor del parámetro de método del recurso JAX-RS correspondiente. 
La mayor amenaza de esta vulnerabilidad es la confidencialidad de los datos.", }, ], id: "CVE-2021-20289", lastModified: "2024-11-21T05:46:17.387", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-03-26T17:15:13.217", references: [ { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1935927", }, { source: "secalert@redhat.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1935927", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-209", }, ], source: "secalert@redhat.com", type: "Primary", }, { 
description: [ { lang: "en", value: "CWE-209", }, ], source: "nvd@nist.gov", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
snakeyaml_project | snakeyaml | * | |
fedoraproject | fedora | 31 | |
fedoraproject | fedora | 32 | |
quarkus | quarkus | * | |
oracle | peoplesoft_enterprise_pt_peopletools | 8.56 | |
oracle | peoplesoft_enterprise_pt_peopletools | 8.57 | |
oracle | peoplesoft_enterprise_pt_peopletools | 8.58 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:snakeyaml_project:snakeyaml:*:*:*:*:*:*:*:*", matchCriteriaId: "B5ACA011-C76B-4D54-8DF1-0DCA569EDAA4", versionEndExcluding: "1.26", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", matchCriteriaId: "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", vulnerable: true, }, { criteria: "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", matchCriteriaId: "36D96259-24BD-44E2-96D9-78CE1D41F956", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "06CD704F-068A-4365-88DD-9ABE77BE8D72", versionEndIncluding: "1.3.4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.56:*:*:*:*:*:*:*", matchCriteriaId: "CEB3BE9F-44AC-4EE0-9E66-2B72CF4AF0F5", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.57:*:*:*:*:*:*:*", matchCriteriaId: "99BA317E-3C52-4BAF-B61C-803B7208C155", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.58:*:*:*:*:*:*:*", matchCriteriaId: "929638B0-AAD1-4326-9549-2FA8D03AA7ED", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.", }, { lang: "es", value: "La función Alias en SnakeYAML antes de la versión 1.26 permite la expansión de entidades durante una operación de carga, un problema relacionado con CVE-2003-1564", }, ], id: "CVE-2017-18640", lastModified: "2024-11-21T03:20:32.813", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", 
authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2019-12-12T03:15:10.850", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://bitbucket.org/asomov/snakeyaml/wiki/Billion%20laughs%20attack", }, { source: "cve@mitre.org", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://bitbucket.org/snakeyaml/snakeyaml/issues/377", }, { source: "cve@mitre.org", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r1058e7646988394de6a3fd0857ea9b1ee0de14d7bb28fee5ff782457%40%3Ccommits.atlas.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r154090b871cf96d985b90864442d84eb027c72c94bc3f0a5727ba2d1%40%3Ccommon-issues.hadoop.apache.org%3E", }, { source: "cve@mitre.org", url: 
"https://lists.apache.org/thread.html/r16ae4e529401b75a1f5aa462b272b31bf2a108236f882f06fddc14bc%40%3Ccommon-issues.hadoop.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r1703a402f30c8a2ee409f8c6f393e95a63f8c952cc9ee5bf9dd586dc%40%3Ccommits.cassandra.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r182e9cf6f3fb22b9be0cac4ff0685199741d2ab6e9a4e27a3693c224%40%3Ccommon-issues.hadoop.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r191ceadb1b883357384981848dfa5235cb02a90070c553afbaf9b3d9%40%3Ccommits.cassandra.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r1aab47b48a757c70e40fc0bcb1fcf1a3951afa6a17aee7cd66cf79f8%40%3Ccommon-commits.hadoop.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r1dfac8b6a7097bcb4979402bbb6e2f8c36d0d9001e3018717eb22b7e%40%3Cdev.atlas.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r1ffce2ed3017e9964f03ad2c539d69e49144fc8e9bf772d641612f98%40%3Ccommits.cassandra.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r20350031c60a77b45e0eded33e9b3e9cb0cbfc5e24e1c63bf264df12%40%3Ccommits.cassandra.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r22ac2aa053b7d9c6b75a49db78125c9316499668d0f4a044f3402e2f%40%3Ccommon-issues.hadoop.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r28c9009a48d52cf448f8b02cd823da0f8601d2dff4d66f387a35f1e0%40%3Cdev.atlas.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r2a5b84fdf59042dc398497e914b5bb1aed77328320b1438144ae1953%40%3Cdev.atlas.apache.org%3E", }, { 
source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r2b05744c0c2867daa5d1a96832965b7d6220328b0ead06c22a6e7854%40%3Ccommits.pulsar.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r2db207a2431a5e9e95e899858ab1f5eabd9bcc790a6ca7193ae07e94%40%3Cdev.atlas.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r436988d2cfe8a770ae361c82b181c5b2bf48a249bad84d8a55a3b46e%40%3Cdev.phoenix.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r465d2553a31265b042cf5457ef649b71e0722ab89b6ea94a5d59529b%40%3Ccommon-issues.hadoop.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r4c682fb8cf69dd14162439656a6ebdf42ea6ad0e4edba95907ea3f14%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r4d7f37da1bc2df90a5a0f56eb7629b5ea131bfe11eeeb4b4c193f64a%40%3Ccommon-issues.hadoop.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r5510f0125ba409fc1cabd098ab8b457741e5fa314cbd0e61e4339422%40%3Cdev.atlas.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r55d807f31e64a080c54455897c20b1667ec792e5915132c7b7750533%40%3Ccommits.cassandra.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r56805265475919252ba7fc10123f15b91097f3009bae86476624ca25%40%3Ccommits.cassandra.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r643ba53f002ae59068f9352fe1d82e1b6f375387ffb776f13efe8fda%40%3Ccommon-issues.hadoop.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r666f29a7d0e1f98fa1425ca01efcfa86e6e3856e01d300828aa7c6ea%40%3Ccommits.pulsar.apache.org%3E", }, { source: "cve@mitre.org", url: 
"https://lists.apache.org/thread.html/r6c91e52b3cc9f4e64afe0f34f20507143fd1f756d12681a56a9b38da%40%3Ccommits.pulsar.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r6d54c2da792c74cc14b9b7665ea89e144c9e238ed478d37fd56292e6%40%3Cdev.atlas.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r72a3588d62b2de1361dc9648f5d355385735e47f7ba49d089b0e680d%40%3Ccommon-issues.hadoop.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r7ce3de03facf7e7f3e24fc25d26d555818519dafdb20f29398a3414b%40%3Cdev.phoenix.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r8464b6ec951aace8c807bac9ea526d4f9e3116aa16d38be06f7c6524%40%3Ccommon-issues.hadoop.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r8b57c57cffa01e418868a3c7535b987635ff1fb5ab534203bfa2d64a%40%3Ccommits.pulsar.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r900e020760c89f082df1c6e0d46320eba721e4e47bb9eb521e68cd95%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/raebd2019b3da8c2f90f31e8b203b45353f78770ca93bfe5376f5532e%40%3Ccommon-issues.hadoop.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/rb0e033d5ec8233360203431ad96580cf2ec56f47d9a425d894e279c2%40%3Cpr.cassandra.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/rb34d8d3269ad47a1400f5a1a2d8310e13a80b6576ebd7f512144198d%40%3Ccommon-dev.hadoop.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/rb5c33d0069c927fae16084f0605895b98d231d7c48527bcb822ac48c%40%3Ccommits.cassandra.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/rb7b28ac741e32dd5edb2c22485d635275bead7290b056ee56baf8ce0%40%3Cdev.atlas.apache.org%3E", }, { source: 
"cve@mitre.org", url: "https://lists.apache.org/thread.html/rbaa1f513d903c89a08267c91d86811fa5bcc82e0596b6142c5cea7ea%40%3Ccommits.cassandra.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/rc3211c71f7e0973a1825d1988a3921288c06cd9d793eae97ecd34948%40%3Ccommits.cassandra.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/rcb2a7037366c58bac6aec6ce3df843a11ef97ae4eb049f05f410eaa5%40%3Ccommon-commits.hadoop.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/rcb4b61dbe2ed1c7a88781a9aff5a9e7342cc7ed026aec0418ee67596%40%3Ccommon-issues.hadoop.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/rce5c93bba6e815fb62ad38e28ca1943b3019af1eddeb06507ad4e11a%40%3Ccommits.atlas.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/rd582c64f66c354240290072f340505f5d026ca944ec417226bb0272e%40%3Ccommits.cassandra.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/rdd34c0479587e32a656d976649409487d51ca0d296b3e26b6b89c3f5%40%3Ccommon-commits.hadoop.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/re791a854001ec1f79cd4f47328b270e7a1d9d7056debb8f16d962722%40%3Cdev.atlas.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/re851bbfbedd47c690b6e01942acb98ee08bd00df1a94910b905bc8cd%40%3Cdev.atlas.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/reb1751562ee5146d3aca654a2df76a2c13d8036645ce69946f9c219e%40%3Ccommits.cassandra.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/recfe569f4f260328b0036f1c82b2956e864d519ab941a5e75d0d832d%40%3Ccommits.cassandra.apache.org%3E", }, { source: "cve@mitre.org", url: 
"https://lists.apache.org/thread.html/rf95bebee6dfcc55067cebe8482bd31e6f481d9f74ba8e03f860c3ec7%40%3Ccommits.cassandra.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/rfe0aab6c3bebbd9cbfdedb65ff3fdf420714bcb8acdfd346077e1263%40%3Ccommon-commits.hadoop.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKN7VGIKTYBCAKYBRG55QHXAY5UDZ7HA/", }, { source: "cve@mitre.org", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PTVJC54XGX26UJVVYCXZ7D25X3R5T2G6/", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.25/usages", }, { source: "cve@mitre.org", url: "https://security.gentoo.org/glsa/202305-28", }, { source: "cve@mitre.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://bitbucket.org/asomov/snakeyaml/wiki/Billion%20laughs%20attack", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://bitbucket.org/snakeyaml/snakeyaml/issues/377", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Third Party Advisory", ], url: "https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r1058e7646988394de6a3fd0857ea9b1ee0de14d7bb28fee5ff782457%40%3Ccommits.atlas.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/r154090b871cf96d985b90864442d84eb027c72c94bc3f0a5727ba2d1%40%3Ccommon-issues.hadoop.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r16ae4e529401b75a1f5aa462b272b31bf2a108236f882f06fddc14bc%40%3Ccommon-issues.hadoop.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r1703a402f30c8a2ee409f8c6f393e95a63f8c952cc9ee5bf9dd586dc%40%3Ccommits.cassandra.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r182e9cf6f3fb22b9be0cac4ff0685199741d2ab6e9a4e27a3693c224%40%3Ccommon-issues.hadoop.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r191ceadb1b883357384981848dfa5235cb02a90070c553afbaf9b3d9%40%3Ccommits.cassandra.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r1aab47b48a757c70e40fc0bcb1fcf1a3951afa6a17aee7cd66cf79f8%40%3Ccommon-commits.hadoop.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r1dfac8b6a7097bcb4979402bbb6e2f8c36d0d9001e3018717eb22b7e%40%3Cdev.atlas.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r1ffce2ed3017e9964f03ad2c539d69e49144fc8e9bf772d641612f98%40%3Ccommits.cassandra.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r20350031c60a77b45e0eded33e9b3e9cb0cbfc5e24e1c63bf264df12%40%3Ccommits.cassandra.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r22ac2aa053b7d9c6b75a49db78125c9316499668d0f4a044f3402e2f%40%3Ccommon-issues.hadoop.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r28c9009a48d52cf448f8b02cd823da0f8601d2dff4d66f387a35f1e0%40%3Cdev.atlas.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r2a5b84fdf59042dc398497e914b5bb1aed77328320b1438144ae1953%40%3Cdev.atlas.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r2b05744c0c2867daa5d1a96832965b7d6220328b0ead06c22a6e7854%40%3Ccommits.pulsar.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r2db207a2431a5e9e95e899858ab1f5eabd9bcc790a6ca7193ae07e94%40%3Cdev.atlas.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r436988d2cfe8a770ae361c82b181c5b2bf48a249bad84d8a55a3b46e%40%3Cdev.phoenix.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r465d2553a31265b042cf5457ef649b71e0722ab89b6ea94a5d59529b%40%3Ccommon-issues.hadoop.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r4c682fb8cf69dd14162439656a6ebdf42ea6ad0e4edba95907ea3f14%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r4d7f37da1bc2df90a5a0f56eb7629b5ea131bfe11eeeb4b4c193f64a%40%3Ccommon-issues.hadoop.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r5510f0125ba409fc1cabd098ab8b457741e5fa314cbd0e61e4339422%40%3Cdev.atlas.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/r55d807f31e64a080c54455897c20b1667ec792e5915132c7b7750533%40%3Ccommits.cassandra.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r56805265475919252ba7fc10123f15b91097f3009bae86476624ca25%40%3Ccommits.cassandra.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r643ba53f002ae59068f9352fe1d82e1b6f375387ffb776f13efe8fda%40%3Ccommon-issues.hadoop.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r666f29a7d0e1f98fa1425ca01efcfa86e6e3856e01d300828aa7c6ea%40%3Ccommits.pulsar.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r6c91e52b3cc9f4e64afe0f34f20507143fd1f756d12681a56a9b38da%40%3Ccommits.pulsar.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r6d54c2da792c74cc14b9b7665ea89e144c9e238ed478d37fd56292e6%40%3Cdev.atlas.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r72a3588d62b2de1361dc9648f5d355385735e47f7ba49d089b0e680d%40%3Ccommon-issues.hadoop.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r7ce3de03facf7e7f3e24fc25d26d555818519dafdb20f29398a3414b%40%3Cdev.phoenix.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r8464b6ec951aace8c807bac9ea526d4f9e3116aa16d38be06f7c6524%40%3Ccommon-issues.hadoop.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r8b57c57cffa01e418868a3c7535b987635ff1fb5ab534203bfa2d64a%40%3Ccommits.pulsar.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/r900e020760c89f082df1c6e0d46320eba721e4e47bb9eb521e68cd95%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/raebd2019b3da8c2f90f31e8b203b45353f78770ca93bfe5376f5532e%40%3Ccommon-issues.hadoop.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rb0e033d5ec8233360203431ad96580cf2ec56f47d9a425d894e279c2%40%3Cpr.cassandra.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rb34d8d3269ad47a1400f5a1a2d8310e13a80b6576ebd7f512144198d%40%3Ccommon-dev.hadoop.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rb5c33d0069c927fae16084f0605895b98d231d7c48527bcb822ac48c%40%3Ccommits.cassandra.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rb7b28ac741e32dd5edb2c22485d635275bead7290b056ee56baf8ce0%40%3Cdev.atlas.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rbaa1f513d903c89a08267c91d86811fa5bcc82e0596b6142c5cea7ea%40%3Ccommits.cassandra.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rc3211c71f7e0973a1825d1988a3921288c06cd9d793eae97ecd34948%40%3Ccommits.cassandra.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rcb2a7037366c58bac6aec6ce3df843a11ef97ae4eb049f05f410eaa5%40%3Ccommon-commits.hadoop.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rcb4b61dbe2ed1c7a88781a9aff5a9e7342cc7ed026aec0418ee67596%40%3Ccommon-issues.hadoop.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/rce5c93bba6e815fb62ad38e28ca1943b3019af1eddeb06507ad4e11a%40%3Ccommits.atlas.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rd582c64f66c354240290072f340505f5d026ca944ec417226bb0272e%40%3Ccommits.cassandra.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rdd34c0479587e32a656d976649409487d51ca0d296b3e26b6b89c3f5%40%3Ccommon-commits.hadoop.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/re791a854001ec1f79cd4f47328b270e7a1d9d7056debb8f16d962722%40%3Cdev.atlas.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/re851bbfbedd47c690b6e01942acb98ee08bd00df1a94910b905bc8cd%40%3Cdev.atlas.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/reb1751562ee5146d3aca654a2df76a2c13d8036645ce69946f9c219e%40%3Ccommits.cassandra.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/recfe569f4f260328b0036f1c82b2956e864d519ab941a5e75d0d832d%40%3Ccommits.cassandra.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rf95bebee6dfcc55067cebe8482bd31e6f481d9f74ba8e03f860c3ec7%40%3Ccommits.cassandra.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rfe0aab6c3bebbd9cbfdedb65ff3fdf420714bcb8acdfd346077e1263%40%3Ccommon-commits.hadoop.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKN7VGIKTYBCAKYBRG55QHXAY5UDZ7HA/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PTVJC54XGX26UJVVYCXZ7D25X3R5T2G6/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.25/usages", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://security.gentoo.org/glsa/202305-28", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-776", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
6.8 (Medium) - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
▼ | URL | Tags | |
---|---|---|---|
cna@mongodb.com | https://jira.mongodb.org/browse/JAVA-4017 | Issue Tracking, Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jira.mongodb.org/browse/JAVA-4017 | Issue Tracking, Patch, Vendor Advisory |
Vendor | Product | Version | |
---|---|---|---|
mongodb | java_driver | * | |
mongodb | java_driver | * | |
mongodb | java_driver | * | |
mongodb | java_driver | * | |
mongodb | java_driver | * | |
quarkus | quarkus | * | |
quarkus | quarkus | 1.13.3 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:mongodb:java_driver:*:*:*:*:*:mongodb:*:*", matchCriteriaId: "A7269E59-8D72-4459-92D0-C7B725ED290A", versionEndExcluding: "3.11.3", versionStartIncluding: "3.11.0", vulnerable: true, }, { criteria: "cpe:2.3:a:mongodb:java_driver:*:*:*:*:*:mongodb:*:*", matchCriteriaId: "564EEC7B-9969-45F8-A358-8034DCEDCE5E", versionEndExcluding: "3.12.8", versionStartIncluding: "3.12.0", vulnerable: true, }, { criteria: "cpe:2.3:a:mongodb:java_driver:*:*:*:*:*:mongodb:*:*", matchCriteriaId: "97F149A2-F169-40CB-974D-91C6AB2D49DD", versionEndExcluding: "4.0.6", versionStartIncluding: "4.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:mongodb:java_driver:*:*:*:*:*:mongodb:*:*", matchCriteriaId: "B7E4EF7D-C0F9-4B91-B7FE-5295F91AA108", versionEndExcluding: "4.1.2", versionStartIncluding: "4.1.0", vulnerable: true, }, { criteria: "cpe:2.3:a:mongodb:java_driver:*:*:*:*:*:mongodb:*:*", matchCriteriaId: "482332D0-4581-459D-A187-063F5BDEA2FF", versionEndExcluding: "4.2.1", versionStartIncluding: "4.2.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "DA5D8178-3D1D-4AFE-80A3-7B68BF24E420", versionEndExcluding: "1.13.3", vulnerable: true, }, { criteria: "cpe:2.3:a:quarkus:quarkus:1.13.3:*:*:*:*:*:*:*", matchCriteriaId: "9EEC47CA-B2E0-437D-B8BF-C0DA5713BFB1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. This vulnerability, in combination with an active man-in-the-middle (MITM) attack from a privileged network position, could result in interception of traffic between the Java driver and the KMS service, rendering Field Level Encryption ineffective. 
This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don’t use Field Level Encryption.", }, { lang: "es", value: "Las versiones específicas del controlador de Java que soportan el client-side field level encryption (CSFLE) presentan un fallo al realizar una comprobación correcta del nombre del host en el certificado del servidor KMS. Esta vulnerabilidad, en combinación con un ataque MITM activo desde una posición de red privilegiada, podría resultar en una interceptación del tráfico entre el controlador de Java y el servicio KMS, haciendo que el cifrado a nivel de campo sea ineficaz. Este problema se detectó durante las pruebas internas y afecta a todas las versiones del controlador de Java que soportan CSFLE. Los controladores Java async, Scala y Reactive Streams no están afectados. Esta vulnerabilidad no afecta al tráfico del controlador hacia los servicios de claves compatibles con CSFLE que se origina en aplicaciones que residen dentro de las redes de AWS, GCP y Azure, debido a los controles compensatorios existentes en estos entornos. 
Este problema no afecta a las cargas de trabajo de los controladores que no usan Field Level Encryption", }, ], id: "CVE-2021-20328", lastModified: "2024-11-21T05:46:23.270", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "ADJACENT_NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:A/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, exploitabilityScore: 5.5, impactScore: 4.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "ADJACENT_NETWORK", availabilityImpact: "NONE", baseScore: 6.4, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", version: "3.1", }, exploitabilityScore: 1.2, impactScore: 5.2, source: "cna@mongodb.com", type: "Secondary", }, { cvssData: { attackComplexity: "HIGH", attackVector: "ADJACENT_NETWORK", availabilityImpact: "NONE", baseScore: 6.8, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, exploitabilityScore: 1.6, impactScore: 5.2, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-02-25T17:15:28.303", references: [ { source: "cna@mongodb.com", tags: [ "Issue Tracking", "Patch", "Vendor Advisory", ], url: "https://jira.mongodb.org/browse/JAVA-4017", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Vendor Advisory", ], url: "https://jira.mongodb.org/browse/JAVA-4017", }, ], 
sourceIdentifier: "cna@mongodb.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-295", }, ], source: "cna@mongodb.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-295", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:jsoup:jsoup:*:*:*:*:*:*:*:*", matchCriteriaId: "CB2FF61F-FB78-426C-9FD0-72A1AB17A92D", versionEndExcluding: "1.14.2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "EF712520-1CFD-473A-B3F5-3CDDFE9C2C9A", versionEndIncluding: "2.2.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:banking_trade_finance:14.5:*:*:*:*:*:*:*", matchCriteriaId: "64750C01-21AC-4947-B674-6690EAAAC5DB", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_treasury_management:14.5:*:*:*:*:*:*:*", matchCriteriaId: "3C3D0063-9458-4018-9B92-79A219716C10", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "E869C417-C0E6-4FC3-B406-45598A1D1906", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "DFEFE2C0-7B98-44F9-B3AD-D6EC607E90DA", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:flexcube_universal_banking:*:*:*:*:*:*:*:*", matchCriteriaId: "54BE0CCE-8216-4CCF-96E1-38EF76124368", versionEndIncluding: "14.3.0", versionStartIncluding: "14.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:flexcube_universal_banking:14.5:*:*:*:*:*:*:*", matchCriteriaId: "609645BF-B34F-40AC-B9C9-C3FB870F4ED2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:hospitality_token_proxy_service:19.2:*:*:*:*:*:*:*", matchCriteriaId: "E7D45E2D-241B-4839-B255-A81107BF94BF", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", matchCriteriaId: "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*", matchCriteriaId: "C8AF00C6-B97F-414D-A8DF-057E6BFD8597", 
vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*", matchCriteriaId: "38340E3C-C452-4370-86D4-355B6B4E0A06", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*", matchCriteriaId: "E9C55C69-E22E-4B80-9371-5CD821D79FE2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:*:*:*:*:*:*:*:*", matchCriteriaId: "E0B772D5-F0BB-4CD4-99D1-B84562D01586", versionEndIncluding: "19.0", versionStartIncluding: "17.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "D6A4F71A-4269-40FC-8F61-1D1301F2B728", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "5A502118-5B2B-47AE-82EC-1999BD841103", vulnerable: true, }, { criteria: "cpe:2.3:o:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*", matchCriteriaId: "7569C0BD-16C1-441E-BAEB-840C94BE73EF", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:management_services_for_element_software_and_netapp_hci:-:*:*:*:*:*:*:*", matchCriteriaId: "FDAC85F0-93AF-4BE3-AE1A-8ADAF1CDF9AB", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*", matchCriteriaId: "55F091C7-0869-4FD6-AC73-DA697D990304", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*", matchCriteriaId: "4D134C60-F9E2-46C2-8466-DB90AD98439E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "BCCFDDAC-CF84-4259-BA65-98DC5482A0A3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*", 
matchCriteriaId: "9AB179A8-DFB7-4DCF-8DE3-096F376989F1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:stream_analytics:*:*:*:*:*:*:*:*", matchCriteriaId: "847E8F6A-6115-4CCB-B16B-5DA8427958C4", versionEndExcluding: "19.1.0.0.6.4", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:stream_analytics:19c:*:*:*:*:*:*:*", matchCriteriaId: "8E7B7A7D-BA3D-4ADA-B87C-F222B0722AF2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to denial-of-service (DoS) attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.", }, { lang: "es", value: "jsoup es una biblioteca Java para trabajar con HTML. Aquellos usando versiones de jsoup anteriores a 1.14.2 para analizar HTML o XML no confiables pueden ser vulnerables a ataques de denegación de servicio (DoS). Si el analizador es ejecutado con una entrada suministrada por el usuario, un atacante puede suministrar contenido que cause que el analizador se atasque (un bucle indefinido hasta que se cancele), que se complete más lentamente de lo habitual o que lance una excepción inesperada. Este efecto puede permitir un ataque de denegación de servicio. El problema está parcheado en la versión 1.14.2. Se presentan algunas soluciones disponibles. 
Los usuarios pueden limitar el análisis de las entradas, limitar el tamaño de las entradas en función de los recursos del sistema, y/o implementar controles de hilos para limitar el tiempo de ejecución del análisis.", }, ], id: "CVE-2021-37714", lastModified: "2024-11-21T06:15:46.567", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-08-18T15:15:08.023", references: [ { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c", }, { source: "security-advisories@github.com", tags: [ "Release Notes", 
"Vendor Advisory", ], url: "https://jsoup.org/news/release-1.14.1", }, { source: "security-advisories@github.com", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://jsoup.org/news/release-1.14.2", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010e62c9352cfaaf0%40%3Cissues.maven.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643fa987b342e082e%40%3Cissues.maven.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9718fcddfaecba7%40%3Cissues.maven.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r50e9c9466c592ca9d707a5dea549524d19e3287da08d8392f643960e%40%3Cissues.maven.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r685c5235235ad0c26e86d0ee987fb802c9675de6081dbf0516464e0b%40%3Cnotifications.james.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r97404676a5cf591988faedb887d64e278f522adcaa823d89ca69defe%40%3Cnotifications.james.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rc3354080fc67fb50b45b3c2d12dc4ca2a3c1c78dad3d3ba012c038aa%40%3Cnotifications.james.apache.org%3E", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220210-0022/", }, { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { source: 
"security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://jsoup.org/news/release-1.14.1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://jsoup.org/news/release-1.14.2", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010e62c9352cfaaf0%40%3Cissues.maven.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643fa987b342e082e%40%3Cissues.maven.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9718fcddfaecba7%40%3Cissues.maven.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r50e9c9466c592ca9d707a5dea549524d19e3287da08d8392f643960e%40%3Cissues.maven.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r685c5235235ad0c26e86d0ee987fb802c9675de6081dbf0516464e0b%40%3Cnotifications.james.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r97404676a5cf591988faedb887d64e278f522adcaa823d89ca69defe%40%3Cnotifications.james.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rc3354080fc67fb50b45b3c2d12dc4ca2a3c1c78dad3d3ba012c038aa%40%3Cnotifications.james.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ 
"Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220210-0022/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-248", }, { lang: "en", value: "CWE-835", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-835", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:maven:*:*:*:*:*:*:*:*", matchCriteriaId: "BA089EB2-CBE2-48E0-AC10-5CA3281E41D8", versionEndExcluding: "3.8.1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "CDD95A74-029A-48FD-9C34-5ADB1FAB373A", versionEndExcluding: "1.13.5", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", matchCriteriaId: "C284573B-3900-4ABB-ABF9-611F31C1778F", versionEndIncluding: "8.0.9.0.0", versionStartIncluding: "8.0.6.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", matchCriteriaId: "66BC5B9C-9CE0-41D5-A3B2-AE8481697F67", versionEndIncluding: "8.1.2.0", versionStartIncluding: "8.1.0.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:goldengate_big_data_and_application_adapters:23.1:*:*:*:*:*:*:*", matchCriteriaId: "A01108AF-6B34-46A7-8C20-D83EF131425E", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. 
See this link for more information about repository management: https://maven.apache.org/repository-management.html", }, { lang: "es", value: "Apache Maven seguirá los repositorios que se definen en el Project Object Model (pom) de una dependencia, lo que puede resultar sorprendente para algunos usuarios, resultando en un riesgo potencial si un actor malicioso toma el control de ese repositorio o es capaz de insertarse en una posición para fingir ser ese repositorio. Maven está cambiando el comportamiento predeterminado en versiones 3.8.1+ para que ya no siga las referencias a repositorios http (sin SSL) por defecto. Más detalles disponibles en las URL a las que se hace referencia. Si actualmente está utilizando un administrador de repositorios para controlar los repositorios usados por sus compilaciones, no está afectado por los riesgos presentes en el comportamiento heredado, ni por esta vulnerabilidad ni por el cambio del comportamiento predeterminado. Consulte este enlace para mayor información sobre la administración de repositorios: https://maven.apache.org/repository-management.html", }, ], id: "CVE-2021-26291", lastModified: "2024-11-21T05:56:01.890", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 6.4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 4.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 9.1, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", 
vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.2, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-04-23T15:15:09.387", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2021/04/23/5", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r0556ce5db7231025785477739ee416b169d8aff5ee9bac7854d64736%40%3Cannounce.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r06db4057b74e0598a412734f693a34a8836ac6f06d16d139e5e1027c%40%3Cdev.maven.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r07a89b32783f73bda6903c1f9aadeb859e5bef0a4daed6d87db8e4a9%40%3Cissues.karaf.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r08a401f8c98a99f68d061fde6e6659d695f28d60fe4f0413bcb355b0%40%3Ccommits.druid.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r0a5e4ff2a7ca7ad8595d7683afbaeb3b8788ba974681907f97e7dc8e%40%3Cjira.kafka.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r0d083314aa3934dd4b6e6970d1f6ee50f6eaa9d867deb2cd96788478%40%3Cjira.kafka.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r167dbc42ef7c59802c2ca1ac14735ef9cf687c25208229993d6206fe%40%3Cissues.karaf.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r2ddabd06d94b60cfb0141e4abb23201c628ab925e30742f61a04d013%40%3Cissues.karaf.apache.org%3E", }, { source: "security@apache.org", url: 
"https://lists.apache.org/thread.html/r30a139c165b3da6e0d5536434ab1550534011b1fdfcd2f5d95892c5b%40%3Cissues.karaf.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r30e9fcba679d164158cc26236704c351954909c18cb2485d11038aa6%40%3Cdev.kafka.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r340e75c9bb6e8661b89e1cf2c52f4638a18312e57bd884722bc28f52%40%3Cjira.kafka.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r39fa6ec4b7e912d3e04ea68efd23e554ec9c8efa2c96f5b45104fc61%40%3Cjira.kafka.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r3f0450dcab7e63b5f233ccfbc6fca5f1867a75c8aa2493ea82732381%40%3Cdev.jena.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r4e1619cfefcd031fac62064a3858f5c9229eef907bd5d8ef14c594fc%40%3Cissues.karaf.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r52c6cda14dc6315dc79e72d30109f4589e9c6300ef6dc1a019da32d4%40%3Cissues.karaf.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r53cd5de57aaa126038c5301d8f518f3defab3c5b1c7e17c97bad08d8%40%3Cissues.karaf.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r5ae6aaa8a2ce86145225c3516bb45d315c0454e3765d651527e5df8a%40%3Ccommits.kafka.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r71bc13669be84c2ff45b74a67929bc2da905c152e12a39b406e3c2a0%40%3Cissues.karaf.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r7212b874e575e59d648980d91bc22e684906aee9b211ab92da9591f5%40%3Cdev.kafka.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r74329c671df713f61ae4620ee2452a0443ccad7f33c60e8ed7d21ff9%40%3Cissues.karaf.apache.org%3E", 
}, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r77af3ac7c3bfbd5454546e13faf7aec21d627bdcf36c9ca240436b94%40%3Cissues.karaf.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r78fb6d2cf0ca332cfa43abd4471e75fa6c517ed9cdfcb950bff48d40%40%3Cjira.kafka.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r86aebd0387ae19b740b3eb28bad83fe6aceca0d6257eaa810a6e0002%40%3Ccommits.kafka.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r86e1c81e03f441855f127980e9b3d41939d04a7caea2b7ab718e2288%40%3Cjira.kafka.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r96cc126d3ee9aa42af9d3bb4baa94828b0a5f656584a50dcc594125f%40%3Cissues.karaf.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00%40%3Cusers.maven.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00%40%3Cusers.maven.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/ra88a0eba7f84658cefcecc0143fd8bbad52c229ee5dfcbfdde7b6457%40%3Cdev.jena.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/ra9d984eccfd2ae7726671e025f0296bf03786e5cdf872138110ac29b%40%3Ccommits.druid.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rc7ae2530063d1cd1cf8e9fa130d10940760f927168d4063d23b8cd0a%40%3Ccommits.kafka.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rc9e441c1576bdc4375d32526d5cf457226928e9c87b9f54ded26271c%40%3Cissues.karaf.apache.org%3E", }, { source: 
"security@apache.org", url: "https://lists.apache.org/thread.html/rcd37d9214b08067a2e8f2b5b4fd123a1f8cb6008698d11ef44028c21%40%3Cissues.karaf.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rcd6c3a36f1dbc130da1b89d0f320db7040de71661a512695a8d513ac%40%3Cdev.kafka.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rdcbad6d8ce72c79827ed8c635f9a62dd919bb21c94a0b64cab2efc31%40%3Cissues.karaf.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/re75f8b3dbc5faa1640908f87e644d373e00f8b4e6ba3e2ba4bd2c80b%40%3Ccommits.druid.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/red3bf6cbfd99e36b0c0a4fa1cea1eef1eb300c6bd8f372f497341265%40%3Cdev.kafka.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rf9abfc0223747a56694825c050cc6b66627a293a32ea926b3de22402%40%3Cissues.karaf.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rfc0db1f3c375087e69a239f9284ded72d04fbb55849eadde58fa9dc2%40%3Cissues.karaf.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594%40%3Cdev.myfaces.apache.org%3E", }, { source: "security@apache.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { source: "security@apache.org", url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { source: "security@apache.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://www.whitesourcesoftware.com/resources/blog/maven-security-vulnerability-cve-2021-26291/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2021/04/23/5", }, { source: "af854a3a-2127-422b-91ae-364da2661108", 
url: "https://lists.apache.org/thread.html/r0556ce5db7231025785477739ee416b169d8aff5ee9bac7854d64736%40%3Cannounce.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r06db4057b74e0598a412734f693a34a8836ac6f06d16d139e5e1027c%40%3Cdev.maven.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r07a89b32783f73bda6903c1f9aadeb859e5bef0a4daed6d87db8e4a9%40%3Cissues.karaf.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r08a401f8c98a99f68d061fde6e6659d695f28d60fe4f0413bcb355b0%40%3Ccommits.druid.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r0a5e4ff2a7ca7ad8595d7683afbaeb3b8788ba974681907f97e7dc8e%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r0d083314aa3934dd4b6e6970d1f6ee50f6eaa9d867deb2cd96788478%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r167dbc42ef7c59802c2ca1ac14735ef9cf687c25208229993d6206fe%40%3Cissues.karaf.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r2ddabd06d94b60cfb0141e4abb23201c628ab925e30742f61a04d013%40%3Cissues.karaf.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r30a139c165b3da6e0d5536434ab1550534011b1fdfcd2f5d95892c5b%40%3Cissues.karaf.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/r30e9fcba679d164158cc26236704c351954909c18cb2485d11038aa6%40%3Cdev.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r340e75c9bb6e8661b89e1cf2c52f4638a18312e57bd884722bc28f52%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r39fa6ec4b7e912d3e04ea68efd23e554ec9c8efa2c96f5b45104fc61%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r3f0450dcab7e63b5f233ccfbc6fca5f1867a75c8aa2493ea82732381%40%3Cdev.jena.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r4e1619cfefcd031fac62064a3858f5c9229eef907bd5d8ef14c594fc%40%3Cissues.karaf.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r52c6cda14dc6315dc79e72d30109f4589e9c6300ef6dc1a019da32d4%40%3Cissues.karaf.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r53cd5de57aaa126038c5301d8f518f3defab3c5b1c7e17c97bad08d8%40%3Cissues.karaf.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r5ae6aaa8a2ce86145225c3516bb45d315c0454e3765d651527e5df8a%40%3Ccommits.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r71bc13669be84c2ff45b74a67929bc2da905c152e12a39b406e3c2a0%40%3Cissues.karaf.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r7212b874e575e59d648980d91bc22e684906aee9b211ab92da9591f5%40%3Cdev.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r74329c671df713f61ae4620ee2452a0443ccad7f33c60e8ed7d21ff9%40%3Cissues.karaf.apache.org%3E", }, 
{ source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r77af3ac7c3bfbd5454546e13faf7aec21d627bdcf36c9ca240436b94%40%3Cissues.karaf.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r78fb6d2cf0ca332cfa43abd4471e75fa6c517ed9cdfcb950bff48d40%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r86aebd0387ae19b740b3eb28bad83fe6aceca0d6257eaa810a6e0002%40%3Ccommits.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r86e1c81e03f441855f127980e9b3d41939d04a7caea2b7ab718e2288%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r96cc126d3ee9aa42af9d3bb4baa94828b0a5f656584a50dcc594125f%40%3Cissues.karaf.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00%40%3Cusers.maven.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/r9a027668558264c4897633e66bcb7784099fdec9f9b22c38c2442f00%40%3Cusers.maven.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/ra88a0eba7f84658cefcecc0143fd8bbad52c229ee5dfcbfdde7b6457%40%3Cdev.jena.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/ra9d984eccfd2ae7726671e025f0296bf03786e5cdf872138110ac29b%40%3Ccommits.druid.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rc7ae2530063d1cd1cf8e9fa130d10940760f927168d4063d23b8cd0a%40%3Ccommits.kafka.apache.org%3E", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rc9e441c1576bdc4375d32526d5cf457226928e9c87b9f54ded26271c%40%3Cissues.karaf.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rcd37d9214b08067a2e8f2b5b4fd123a1f8cb6008698d11ef44028c21%40%3Cissues.karaf.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rcd6c3a36f1dbc130da1b89d0f320db7040de71661a512695a8d513ac%40%3Cdev.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rdcbad6d8ce72c79827ed8c635f9a62dd919bb21c94a0b64cab2efc31%40%3Cissues.karaf.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/re75f8b3dbc5faa1640908f87e644d373e00f8b4e6ba3e2ba4bd2c80b%40%3Ccommits.druid.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/red3bf6cbfd99e36b0c0a4fa1cea1eef1eb300c6bd8f372f497341265%40%3Cdev.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rf9abfc0223747a56694825c050cc6b66627a293a32ea926b3de22402%40%3Cissues.karaf.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rfc0db1f3c375087e69a239f9284ded72d04fbb55849eadde58fa9dc2%40%3Cissues.karaf.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594%40%3Cdev.myfaces.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://www.whitesourcesoftware.com/resources/blog/maven-security-vulnerability-cve-2021-26291/", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-346", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
3.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Source | URL | Tags
---|---|---
secalert@redhat.com | https://github.com/quarkusio/quarkus/pull/30694 | Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/quarkusio/quarkus/pull/30694 | Patch, Vendor Advisory
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "5FDFC706-B7B5-458B-833E-195D65F2E8EC", versionEndExcluding: "2.16.1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "In the RESTEasy Reactive implementation of Quarkus, the FileBodyHandler class uses the insecure File.createTempFile(), which creates temporary files with insecure permissions that could be read by a local user. Quarkus versions before 2.16.1 are affected.", }, { lang: "es", value: "En la implementación RestEasy Reactive de Quarkus, el inseguro File.createTempFile() se usa en la clase FileBodyHandler que crea archivos temporales con permisos inseguros que un usuario local podría leer.", }, ], id: "CVE-2023-0481", lastModified: "2025-03-12T16:15:18.873", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 3.3, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 3.3, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 1.4, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2023-02-24T18:15:14.140", references: [ { source: "secalert@redhat.com", tags: [ "Patch", "Vendor Advisory", ], url: "https://github.com/quarkusio/quarkus/pull/30694", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Vendor Advisory", ], url: 
"https://github.com/quarkusio/quarkus/pull/30694", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-378", }, ], source: "secalert@redhat.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-668", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD score; the GitHub advisory rates the same issue 7.0 High, CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, because exploitation requires the attacker to control the JDBC URL or connection properties)
Vendor | Product | Version
---|---|---
postgresql | postgresql_jdbc_driver | * (< 42.2.25)
postgresql | postgresql_jdbc_driver | * (>= 42.3.0, < 42.3.2)
postgresql | postgresql_jdbc_driver | 42.3.2 rc1
fedoraproject | fedora | 35
quarkus | quarkus | * (< 2.7.2)
debian | debian_linux | 9.0
debian | debian_linux | 10.0
debian | debian_linux | 11.0
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:postgresql:postgresql_jdbc_driver:*:*:*:*:*:*:*:*", matchCriteriaId: "D75A4F23-C692-462A-946A-19E133F1D7C4", versionEndExcluding: "42.2.25", vulnerable: true, }, { criteria: "cpe:2.3:a:postgresql:postgresql_jdbc_driver:*:*:*:*:*:*:*:*", matchCriteriaId: "3025B405-4BEA-4581-9DA8-681EFF0E1065", versionEndExcluding: "42.3.2", versionStartIncluding: "42.3.0", vulnerable: true, }, { criteria: "cpe:2.3:a:postgresql:postgresql_jdbc_driver:42.3.2:rc1:*:*:*:*:*:*", matchCriteriaId: "72E9D16A-A9C9-4AC5-9897-DC1E96E02DEA", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", matchCriteriaId: "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "08E07859-C2B3-49AA-8C8E-122F41607834", versionEndExcluding: "2.7.2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", matchCriteriaId: "DEECE5FC-CACF-4496-A3E7-164736409252", vulnerable: true, }, { criteria: "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", matchCriteriaId: "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", vulnerable: true, }, { criteria: "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", matchCriteriaId: "FA6FEEC2-9F11-4643-8827-749718254FED", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "pgjdbc is the official PostgreSQL JDBC Driver. A security hole was found in the JDBC driver for the PostgreSQL database during security research. A system using the pgjdbc library can be attacked when an attacker controls the JDBC URL or connection properties. 
pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue.", }, { lang: "es", value: "pgjdbc es el controlador JDBC oficial de PostgreSQL. Se encontró un agujero de seguridad en el controlador jdbc para la base de datos postgresql mientras se hacía una investigación de seguridad. El sistema que utiliza la librería postgresql será atacado cuando un atacante controle la url o las propiedades del jdbc. pgjdbc instala instancias de plugins basados en los nombres de clase proporcionados a través de las propiedades de conexión `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback`. Sin embargo, el controlador no verifica si la clase implementa la interfaz esperada antes de instanciar la clase. Esto puede llevar a la ejecución de código cargado a través de clases arbitrarias. Se aconseja a los usuarios que utilicen plugins que se actualicen. 
No hay soluciones conocidas para este problema", }, ], id: "CVE-2022-21724", lastModified: "2024-11-21T06:45:18.737", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 1, impactScore: 5.9, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-02-02T12:15:08.390", references: [ { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813", }, { source: "security-advisories@github.com", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4", }, { source: "security-advisories@github.com", 
tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2022/05/msg00027.html", }, { source: "security-advisories@github.com", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVEO7BEFXPBVHSPYL3YKQWZI6DYXQLFS/", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220311-0005/", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2022/dsa-5196", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2022/05/msg00027.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVEO7BEFXPBVHSPYL3YKQWZI6DYXQLFS/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220311-0005/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2022/dsa-5196", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-665", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:httpclient:*:*:*:*:*:*:*:*", matchCriteriaId: "DC854C9B-84E8-4AAD-91B0-96A9DA0B1FC5", versionEndExcluding: "4.5.13", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:httpclient:*:*:*:*:*:*:*:*", matchCriteriaId: "EA4A0CBA-0BAF-4322-83C5-211ED7254B59", versionEndExcluding: "5.0.3", versionStartIncluding: "5.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "FA1B998C-28F3-4F9D-8173-6591981AE52A", versionEndExcluding: "1.7.6", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:data_integrator:12.2.1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "9901F6BA-78D5-45B8-9409-07FF1C6DDD38", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "9FADE563-5AAA-42FF-B43F-35B20A2386C9", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:*", matchCriteriaId: "289C3121-D30F-45C0-BD0E-F98C61269D74", versionEndExcluding: "9.2.6.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*", matchCriteriaId: "86305E47-33E9-411C-B932-08C395C09982", versionEndExcluding: "9.2.6.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:*", matchCriteriaId: "D04565AE-D092-4AE0-8FEE-0E8114662A1B", versionEndExcluding: "20.3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*", matchCriteriaId: "7E1E416B-920B-49A0-9523-382898C2979D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", matchCriteriaId: "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.57:*:*:*:*:*:*:*", 
matchCriteriaId: "99BA317E-3C52-4BAF-B61C-803B7208C155", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.58:*:*:*:*:*:*:*", matchCriteriaId: "929638B0-AAD1-4326-9549-2FA8D03AA7ED", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.59:*:*:*:*:*:*:*", matchCriteriaId: "AAA409CE-EAAE-4B20-ADAB-22E0A8F6063C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*", matchCriteriaId: "08FA59A8-6A62-4B33-8952-D6E658F8DAC9", versionEndIncluding: "17.12", versionStartIncluding: "17.7", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*", matchCriteriaId: "D55A54FD-7DD1-49CD-BE81-0BE73990943C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*", matchCriteriaId: "82EB08C0-2D46-4635-88DF-E54F6452D3A3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*", matchCriteriaId: "202AD518-2E9B-4062-B063-9858AE1F9CE2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*", matchCriteriaId: "10864586-270E-4ACF-BDCC-ECFCD299305F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*", matchCriteriaId: "38340E3C-C452-4370-86D4-355B6B4E0A06", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:*:*:*:*:*:*:*:*", matchCriteriaId: "B92BB355-DB00-438E-84E5-8EC007009576", versionEndIncluding: "19.0", versionStartIncluding: "16.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:spatial_studio:*:*:*:*:*:*:*:*", matchCriteriaId: "84C6CD9A-D0BA-4B37-9FEA-6EE91C83BF75", versionEndExcluding: "20.1.1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:sql_developer:*:*:*:*:*:*:*:*", matchCriteriaId: "13209603-DBC5-4B1F-A4FB-04E3C722AB18", versionEndExcluding: "20.4.1.407.0006", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ 
{ cpeMatch: [ { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*", matchCriteriaId: "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", matchCriteriaId: "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", matchCriteriaId: "B55E8D50-99B4-47EC-86F9-699B67D473CE", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*", matchCriteriaId: "BDFB1169-41A0-4A86-8E4F-FDA9730B1E94", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*", matchCriteriaId: "2A3622F5-5976-4BBC-A147-FC8A6431EA79", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0:*:*:*:*:*:*:*", matchCriteriaId: "0AB059F2-FEC4-4180-8A90-39965495055E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:sql_developer:*:*:*:*:*:*:*:*", matchCriteriaId: "FA1BEAE3-B299-433E-A922-7F226B037D87", versionEndExcluding: "21.99", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "4A5BB153-68E0-4DDA-87D1-0D9AB7F0A418", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*", matchCriteriaId: "04BCDC24-4A21-473C-8733-0D9CFB38A752", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.", }, { lang: "es", value: "Apache HttpClient versiones anteriores a 4.5.13 y 5.0.3, pueden interpretar inapropiadamente el componente authority malformado en las 
peticiones URI pasadas a la biblioteca como objeto java.net.URI y elegir el host de destino equivocado para una ejecución de la petición", }, ], id: "CVE-2020-13956", lastModified: "2024-11-21T05:02:13.933", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-12-02T17:15:14.547", references: [ { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r03bbc318c81be21f5c8a9b85e34f2ecc741aa804a8e43b0ef2c37749%40%3Cissues.maven.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r043a75acdeb52b15dd5e9524cdadef4202e6a5228644206acf9363f9%40%3Cdev.hive.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r06cf3ca5c8ceb94b39cd24a73d4e96153b485a7dac88444dd876accb%40%3Cissues.drill.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r0a75b8f0f72f3e18442dc56d33f3827b905f2fe5b7ba48997436f5d1%40%3Cissues.solr.apache.org%3E", }, { source: "security@apache.org", url: 
"https://lists.apache.org/thread.html/r0bebe6f9808ac7bdf572873b4fa96a29c6398c90dab29f131f3ebffe%40%3Cissues.solr.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r12cb62751b35bdcda0ae2a08b67877d665a1f4d41eee0fa7367169e0%40%3Cdev.ranger.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r132e4c6a560cfc519caa1aaee63bdd4036327610eadbd89f76dd5457%40%3Cdev.creadur.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r2835543ef0f91adcc47da72389b816e36936f584c7be584d2314fac3%40%3Cissues.lucene.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r2a03dc210231d7e852ef73015f71792ac0fcaca6cccc024c522ef17d%40%3Ccommits.creadur.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r2dc7930b43eadc78220d269b79e13ecd387e4bee52db67b2f47d4303%40%3Cgitbox.hive.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r34178ab6ef106bc940665fd3f4ba5026fac3603b3fa2aefafa0b619d%40%3Cdev.ranger.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r34efec51cb817397ccf9f86e25a75676d435ba5f83ee7b2eabdad707%40%3Ccommits.creadur.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r3cecd59fba74404cbf4eb430135e1080897fb376f111406a78bed13a%40%3Cissues.lucene.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r3f740e4c38bba1face49078aa5cbeeb558c27be601cc9712ad2dcd1e%40%3Ccommits.creadur.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r4850b3fbaea02fde2886e461005e4af8d37c80a48b3ce2a6edca0e30%40%3Cissues.solr.apache.org%3E", }, { source: "security@apache.org", url: 
"https://lists.apache.org/thread.html/r549ac8c159bf0c568c19670bedeb8d7c0074beded951d34b1c1d0d05%40%3Cdev.drill.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r55b2a1d1e9b1ec9db792b93da8f0f99a4fd5a5310b02673359d9b4d1%40%3Cdev.drill.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r5b55f65c123a7481104d663a915ec45a0d103e6aaa03f42ed1c07a89%40%3Cdev.jackrabbit.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r5de3d3808e7b5028df966e45115e006456c4e8931dc1e29036f17927%40%3Cissues.solr.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r5fec9c1d67f928179adf484b01e7becd7c0a6fdfe3a08f92ea743b90%40%3Cissues.hive.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r63296c45d5d84447babaf39bd1487329d8a80d8d563e67a4b6f3d8a7%40%3Cdev.ranger.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r69a94e2f302d1b778bdfefe90fcb4b8c50b226438c3c8c1d0de85a19%40%3Cdev.ranger.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r6a3cda38d050ebe13c1bc9a28d0a8ec38945095d07eca49046bcb89f%40%3Cissues.solr.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r6d672b46622842e565e00f6ef6bef83eb55d8792aac2bee75bff9a2a%40%3Cissues.lucene.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/r6dab7da30f8bf075f79ee189e33b45a197502e2676481bb8787fc0d7%40%3Cdev.hc.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r6eb2dae157dbc9af1f30d1f64e9c60d4ebef618f3dce4a0e32d6ea4d%40%3Ccommits.drill.apache.org%3E", }, { source: "security@apache.org", url: 
"https://lists.apache.org/thread.html/r70c429923100c5a4fae8e5bc71c8a2d39af3de4888f50a0ac3755e6f%40%3Ccommits.creadur.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r87ddc09295c27f25471269ad0a79433a91224045988b88f0413a97ec%40%3Cissues.bookkeeper.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r8aa1e5c343b89aec5b69961471950e862f15246cb6392910161c389b%40%3Cissues.maven.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r9e52a6c72c8365000ecd035e48cc9fee5a677a150350d4420c46443d%40%3Cdev.drill.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/ra539f20ef0fb0c27ee39945b5f56bf162e5c13d1c60f7344dab8de3b%40%3Cissues.maven.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/ra8bc6b61c5df301a6fe5a716315528ecd17ccb8a7f907e24a47a1a5e%40%3Cissues.lucene.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rad6222134183046f3928f733bf680919e0c390739bfbfe6c90049673%40%3Cissues.drill.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rae14ae25ff4a60251e3ba2629c082c5ba3851dfd4d21218b99b56652%40%3Cissues.solr.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rb33212dab7beccaf1ffef9b88610047c644f644c7a0ebdc44d77e381%40%3Ccommits.turbine.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rb4ba262d6f08ab9cf8b1ebbcd9b00b0368ffe90dad7ad7918b4b56fc%40%3Cdev.drill.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rb725052404fabffbe093c83b2c46f3f87e12c3193a82379afbc529f8%40%3Csolr-user.lucene.apache.org%3E", }, { source: "security@apache.org", url: 
"https://lists.apache.org/thread.html/rc0863892ccfd9fd0d0ae10091f24ee769fb39b8957fe4ebabfc11f17%40%3Cdev.jackrabbit.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rc3739e0ad4bcf1888c6925233bfc37dd71156bbc8416604833095c42%40%3Cdev.drill.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rc505fee574fe8d18f9b0c655a4d120b0ae21bb6a73b96003e1d9be35%40%3Cissues.solr.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rc5c6ccb86d2afe46bbd4b71573f0448dc1f87bbcd5a0d8c7f8f904b2%40%3Cissues.lucene.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rc990e2462ec32b09523deafb2c73606208599e196fa2d7f50bdbc587%40%3Cissues.maven.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rcced7ed3237c29cd19c1e9bf465d0038b8b2e967b99fc283db7ca553%40%3Cdev.ranger.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rcd9ad5dda60c82ab0d0c9bd3e9cb1dc740804451fc20c7f451ef5cc4%40%3Cgitbox.hive.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rd5ab56beb2ac6879f6ab427bc4e5f7691aed8362d17b713f61779858%40%3Cissues.hive.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/re504acd4d63b8df2a7353658f45c9a3137e5f80e41cf7de50058b2c1%40%3Cissues.solr.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rea3dbf633dde5008d38bf6600a3738b9216e733e03f9ff7becf79625%40%3Cissues.drill.apache.org%3E", }, { source: "security@apache.org", url: 
"https://lists.apache.org/thread.html/ree942561f4620313c75982a4e5f3b74fe6f7062b073210779648eec2%40%3Cissues.lucene.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/reef569c2419705754a3acf42b5f19b2a158153cef0e448158bc54917%40%3Cdev.drill.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rf03228972e56cb4a03e6d9558188c2938078cf3ceb23a3fead87c9ca%40%3Cissues.bookkeeper.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rf43d17ed0d1fb4fb79036b582810ef60b18b1ef3add0d5dea825af1e%40%3Cissues.lucene.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rf4db88c22e1be9eb60c7dc623d0528642c045fb196a24774ac2fa3a3%40%3Cissues.lucene.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rf7ca60f78f05b772cc07d27e31bcd112f9910a05caf9095e38ee150f%40%3Cdev.ranger.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rfb35f6db9ba1f1e061b63769a4eff5abadcc254ebfefc280e5a0dcf1%40%3Ccommits.creadur.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rfbedcb586a1e7dfce87ee03c720e583fc2ceeafa05f35c542cecc624%40%3Cissues.solr.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rfc00884c7b7ca878297bffe45fcb742c362b00b26ba37070706d44c3%40%3Cissues.hive.apache.org%3E", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220210-0002/", }, { source: "security@apache.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { source: "security@apache.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { source: "security@apache.org", tags: [ "Patch", "Third Party 
Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { source: "security@apache.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r03bbc318c81be21f5c8a9b85e34f2ecc741aa804a8e43b0ef2c37749%40%3Cissues.maven.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r043a75acdeb52b15dd5e9524cdadef4202e6a5228644206acf9363f9%40%3Cdev.hive.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r06cf3ca5c8ceb94b39cd24a73d4e96153b485a7dac88444dd876accb%40%3Cissues.drill.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r0a75b8f0f72f3e18442dc56d33f3827b905f2fe5b7ba48997436f5d1%40%3Cissues.solr.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r0bebe6f9808ac7bdf572873b4fa96a29c6398c90dab29f131f3ebffe%40%3Cissues.solr.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r12cb62751b35bdcda0ae2a08b67877d665a1f4d41eee0fa7367169e0%40%3Cdev.ranger.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r132e4c6a560cfc519caa1aaee63bdd4036327610eadbd89f76dd5457%40%3Cdev.creadur.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r2835543ef0f91adcc47da72389b816e36936f584c7be584d2314fac3%40%3Cissues.lucene.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/r2a03dc210231d7e852ef73015f71792ac0fcaca6cccc024c522ef17d%40%3Ccommits.creadur.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r2dc7930b43eadc78220d269b79e13ecd387e4bee52db67b2f47d4303%40%3Cgitbox.hive.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r34178ab6ef106bc940665fd3f4ba5026fac3603b3fa2aefafa0b619d%40%3Cdev.ranger.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r34efec51cb817397ccf9f86e25a75676d435ba5f83ee7b2eabdad707%40%3Ccommits.creadur.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r3cecd59fba74404cbf4eb430135e1080897fb376f111406a78bed13a%40%3Cissues.lucene.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r3f740e4c38bba1face49078aa5cbeeb558c27be601cc9712ad2dcd1e%40%3Ccommits.creadur.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r4850b3fbaea02fde2886e461005e4af8d37c80a48b3ce2a6edca0e30%40%3Cissues.solr.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r549ac8c159bf0c568c19670bedeb8d7c0074beded951d34b1c1d0d05%40%3Cdev.drill.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r55b2a1d1e9b1ec9db792b93da8f0f99a4fd5a5310b02673359d9b4d1%40%3Cdev.drill.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r5b55f65c123a7481104d663a915ec45a0d103e6aaa03f42ed1c07a89%40%3Cdev.jackrabbit.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/r5de3d3808e7b5028df966e45115e006456c4e8931dc1e29036f17927%40%3Cissues.solr.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r5fec9c1d67f928179adf484b01e7becd7c0a6fdfe3a08f92ea743b90%40%3Cissues.hive.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r63296c45d5d84447babaf39bd1487329d8a80d8d563e67a4b6f3d8a7%40%3Cdev.ranger.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r69a94e2f302d1b778bdfefe90fcb4b8c50b226438c3c8c1d0de85a19%40%3Cdev.ranger.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r6a3cda38d050ebe13c1bc9a28d0a8ec38945095d07eca49046bcb89f%40%3Cissues.solr.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r6d672b46622842e565e00f6ef6bef83eb55d8792aac2bee75bff9a2a%40%3Cissues.lucene.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread.html/r6dab7da30f8bf075f79ee189e33b45a197502e2676481bb8787fc0d7%40%3Cdev.hc.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r6eb2dae157dbc9af1f30d1f64e9c60d4ebef618f3dce4a0e32d6ea4d%40%3Ccommits.drill.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r70c429923100c5a4fae8e5bc71c8a2d39af3de4888f50a0ac3755e6f%40%3Ccommits.creadur.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r87ddc09295c27f25471269ad0a79433a91224045988b88f0413a97ec%40%3Cissues.bookkeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/r8aa1e5c343b89aec5b69961471950e862f15246cb6392910161c389b%40%3Cissues.maven.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r9e52a6c72c8365000ecd035e48cc9fee5a677a150350d4420c46443d%40%3Cdev.drill.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/ra539f20ef0fb0c27ee39945b5f56bf162e5c13d1c60f7344dab8de3b%40%3Cissues.maven.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/ra8bc6b61c5df301a6fe5a716315528ecd17ccb8a7f907e24a47a1a5e%40%3Cissues.lucene.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rad6222134183046f3928f733bf680919e0c390739bfbfe6c90049673%40%3Cissues.drill.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rae14ae25ff4a60251e3ba2629c082c5ba3851dfd4d21218b99b56652%40%3Cissues.solr.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rb33212dab7beccaf1ffef9b88610047c644f644c7a0ebdc44d77e381%40%3Ccommits.turbine.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rb4ba262d6f08ab9cf8b1ebbcd9b00b0368ffe90dad7ad7918b4b56fc%40%3Cdev.drill.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rb725052404fabffbe093c83b2c46f3f87e12c3193a82379afbc529f8%40%3Csolr-user.lucene.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rc0863892ccfd9fd0d0ae10091f24ee769fb39b8957fe4ebabfc11f17%40%3Cdev.jackrabbit.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/rc3739e0ad4bcf1888c6925233bfc37dd71156bbc8416604833095c42%40%3Cdev.drill.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rc505fee574fe8d18f9b0c655a4d120b0ae21bb6a73b96003e1d9be35%40%3Cissues.solr.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rc5c6ccb86d2afe46bbd4b71573f0448dc1f87bbcd5a0d8c7f8f904b2%40%3Cissues.lucene.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rc990e2462ec32b09523deafb2c73606208599e196fa2d7f50bdbc587%40%3Cissues.maven.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rcced7ed3237c29cd19c1e9bf465d0038b8b2e967b99fc283db7ca553%40%3Cdev.ranger.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rcd9ad5dda60c82ab0d0c9bd3e9cb1dc740804451fc20c7f451ef5cc4%40%3Cgitbox.hive.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rd5ab56beb2ac6879f6ab427bc4e5f7691aed8362d17b713f61779858%40%3Cissues.hive.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/re504acd4d63b8df2a7353658f45c9a3137e5f80e41cf7de50058b2c1%40%3Cissues.solr.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rea3dbf633dde5008d38bf6600a3738b9216e733e03f9ff7becf79625%40%3Cissues.drill.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/ree942561f4620313c75982a4e5f3b74fe6f7062b073210779648eec2%40%3Cissues.lucene.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/reef569c2419705754a3acf42b5f19b2a158153cef0e448158bc54917%40%3Cdev.drill.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rf03228972e56cb4a03e6d9558188c2938078cf3ceb23a3fead87c9ca%40%3Cissues.bookkeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rf43d17ed0d1fb4fb79036b582810ef60b18b1ef3add0d5dea825af1e%40%3Cissues.lucene.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rf4db88c22e1be9eb60c7dc623d0528642c045fb196a24774ac2fa3a3%40%3Cissues.lucene.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rf7ca60f78f05b772cc07d27e31bcd112f9910a05caf9095e38ee150f%40%3Cdev.ranger.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rfb35f6db9ba1f1e061b63769a4eff5abadcc254ebfefc280e5a0dcf1%40%3Ccommits.creadur.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rfbedcb586a1e7dfce87ee03c720e583fc2ceeafa05f35c542cecc624%40%3Cissues.solr.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rfc00884c7b7ca878297bffe45fcb742c362b00b26ba37070706d44c3%40%3Cissues.hive.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220210-0002/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "77E10BE3-2878-4766-81B6-F20A28986885", versionEndExcluding: "2.13.8", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provider services. Please note that passwords are not stored in access tokens.", }, { lang: "es", value: "Se encontró un defecto en Quarkus. Quarkus OIDC puede filtrar tanto ID como tokens de acceso en el flujo del código de autorización cuando se utiliza un protocolo HTTP inseguro, lo que puede permitir a los atacantes acceder a datos confidenciales del usuario directamente desde el token de ID o utilizando el token de acceso para acceder a los datos del usuario desde los servicios del proveedor OIDC. 
Tenga en cuenta que las contraseñas no se almacenan en tokens de acceso.", }, ], id: "CVE-2023-1584", lastModified: "2024-11-21T07:39:29.470", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "secalert@redhat.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-10-04T11:15:09.770", references: [ { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:3809", }, { source: "secalert@redhat.com", url: "https://access.redhat.com/errata/RHSA-2023:7653", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2023-1584", }, { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180886", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://github.com/quarkusio/quarkus/pull/32192", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://github.com/quarkusio/quarkus/pull/33414", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:3809", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", url: "https://access.redhat.com/errata/RHSA-2023:7653", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2023-1584", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180886", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://github.com/quarkusio/quarkus/pull/32192", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://github.com/quarkusio/quarkus/pull/33414", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-200", }, ], source: "secalert@redhat.com", type: "Secondary", }, { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
▼ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=1981407 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1981407 | Issue Tracking, Vendor Advisory |
Vendor | Product | Version | |
---|---|---|---|
redhat | wildfly_elytron | * | |
redhat | wildfly_elytron | * | |
redhat | wildfly_elytron | * | |
redhat | build_of_quarkus | - | |
redhat | codeready_studio | 12.0 | |
redhat | data_grid | 8.0 | |
redhat | descision_manager | 7.0 | |
redhat | integration_camel_k | - | |
redhat | integration_camel_quarkus | * | |
redhat | jboss_enterprise_application_platform | 7.0.0 | |
redhat | jboss_enterprise_application_platform_expansion_pack | - | |
redhat | jboss_fuse | 7.0.0 | |
redhat | openshift_application_runtimes | - | |
redhat | process_automation | 7.0 | |
quarkus | quarkus | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:wildfly_elytron:*:*:*:*:*:*:*:*", matchCriteriaId: "3CB7C68F-D18A-4F07-8505-4B116A719CE3", versionEndExcluding: "1.10.14", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:wildfly_elytron:*:*:*:*:*:*:*:*", matchCriteriaId: "B84CCC98-0A89-4B0E-BBBF-D31F274454E8", versionEndExcluding: "1.15.5", versionStartIncluding: "1.11.0", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:wildfly_elytron:*:*:*:*:*:*:*:*", matchCriteriaId: "23DE02D1-460C-4EE2-B7CA-E8FF2BAB928D", versionEndExcluding: "1.16.1", versionStartIncluding: "1.16.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:*:*:*:*", matchCriteriaId: "CE29B9D6-63DC-4779-ACE8-4E51E6A0AF37", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:codeready_studio:12.0:*:*:*:*:*:*:*", matchCriteriaId: "1BAF877F-B8D5-4313-AC5C-26BB82006B30", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:data_grid:8.0:*:*:*:*:*:*:*", matchCriteriaId: "7095200A-4DAC-4433-99E8-86CA88E1E4D4", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:descision_manager:7.0:*:*:*:*:*:*:*", matchCriteriaId: "D5863BBF-829E-44EF-ACE8-61D5037251F6", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*", matchCriteriaId: "B87C8AD3-8878-4546-86C2-BF411876648C", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:integration_camel_quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "5FC54571-8F52-434F-BE20-96ECFC7195F7", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*", matchCriteriaId: "72A54BDA-311C-413B-8E4D-388AD65A170A", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*", matchCriteriaId: "0A24CBFB-4900-47A5-88D2-A44C929603DC", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*", matchCriteriaId: 
"B40CCE4F-EA2C-453D-BB76-6388767E5C6D", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*", matchCriteriaId: "A33441B3-B301-426C-A976-08CE5FE72EFB", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*", matchCriteriaId: "20A6B40D-F991-4712-8E30-5FE008505CB7", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "68DC3D37-B532-4EEC-8D38-2710EBE2F85B", versionEndIncluding: "2.1.4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality.", }, { lang: "es", value: "Se ha detectado un fallo en Wildfly Elytron en versiones anteriores a 1.10.14.Final, en versiones anteriores a la 1.15.5.Final y en versiones anteriores a la 1.16.1.Final donde ScramServer puede ser susceptible a Timing Attack si está habilitado. 
La mayor amenaza de esta vulnerabilidad es la confidencialidad.", }, ], id: "CVE-2021-3642", lastModified: "2024-11-21T06:22:03.467", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 3.5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:S/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 6.8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 1.6, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-08-05T21:15:13.183", references: [ { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1981407", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1981407", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-203", }, ], source: "secalert@redhat.com", type: "Primary", }, { description: [ { lang: "en", value: "CWE-203", }, ], source: "nvd@nist.gov", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
▼ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1728 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1728 | Issue Tracking, Vendor Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*", matchCriteriaId: "42BBD73E-2B89-48B7-95F0-187128579D86", versionEndExcluding: "10.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "DAD20C55-1888-477C-923F-B25E8B5CD239", versionEndIncluding: "1.4.2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors.", }, { lang: "es", value: "Se detectó una vulnerabilidad en todas las versiones de Keycloak donde, las páginas en el área Admin Console de la aplicación, carecen completamente de encabezados de seguridad HTTP generales en las respuestas HTTP. Esto no conlleva directamente a un problema de seguridad, sin embargo podría ayudar a atacantes en sus esfuerzos para explotar otros problemas. 
Los fallos innecesariamente hacen a los servidores más propensos a un secuestro del cliqueo, ataques de degradación de canal y otros vectores de ataque similares basados en el cliente.", }, ], id: "CVE-2020-1728", lastModified: "2024-11-21T05:11:15.290", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 4.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 2.5, source: "secalert@redhat.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.5, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-04-06T14:15:12.607", references: [ { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1728", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Vendor Advisory", ], url: 
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1728", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-358", }, ], source: "secalert@redhat.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-1021", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vendor | Product | Version | |
---|---|---|---|
fasterxml | jackson-dataformats-binary | * | |
fasterxml | jackson-dataformats-binary | * | |
fasterxml | jackson-dataformats-binary | 2.12.0 | |
fasterxml | jackson-dataformats-binary | 2.12.0 | |
fasterxml | jackson-dataformats-binary | 2.12.0 | |
quarkus | quarkus | * | |
oracle | weblogic_server | 12.2.1.3.0 | |
oracle | weblogic_server | 12.2.1.4.0 | |
oracle | weblogic_server | 14.1.1.0.0 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:fasterxml:jackson-dataformats-binary:*:*:*:*:*:*:*:*", matchCriteriaId: "6621426E-1001-48B0-BEFD-F032AFC27526", versionEndExcluding: "2.11.4", vulnerable: true, }, { criteria: "cpe:2.3:a:fasterxml:jackson-dataformats-binary:*:*:*:*:*:*:*:*", matchCriteriaId: "DC85B4D7-6952-41AA-822C-7045F6352300", versionEndExcluding: "2.12.1", versionStartExcluding: "2.12.0", vulnerable: true, }, { criteria: "cpe:2.3:a:fasterxml:jackson-dataformats-binary:2.12.0:-:*:*:*:*:*:*", matchCriteriaId: "7FBFAC5C-3C12-4F2B-AFA2-38A5D0867F6F", vulnerable: true, }, { criteria: "cpe:2.3:a:fasterxml:jackson-dataformats-binary:2.12.0:rc1:*:*:*:*:*:*", matchCriteriaId: "AE827068-6625-4634-9385-3672AB9096F5", vulnerable: true, }, { criteria: "cpe:2.3:a:fasterxml:jackson-dataformats-binary:2.12.0:rc2:*:*:*:*:*:*", matchCriteriaId: "2AD45DB3-F35D-486A-B43B-8B71F4CFE221", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "237329EB-B10C-47DC-8D7B-2B98D21E6CE8", versionEndExcluding: "2.0.2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "F14A818F-AA16-4438-A3E4-E64C9287AC66", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "4A5BB153-68E0-4DDA-87D1-0D9AB7F0A418", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*", matchCriteriaId: "04BCDC24-4A21-473C-8733-0D9CFB38A752", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. 
Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.", }, { lang: "es", value: "Esto afecta al paquete com.fasterxml.jackson.dataformat:jackson-dataformat-cbor versiones desde 0 y anteriores a 2.11.4, versiones desde 2.12.0-rc1 y anteriores a 2.12.1. Una asignación no comprobada de búfer de bytes puede causar una excepción de java.lang.OutOfMemoryError", }, ], id: "CVE-2020-28491", lastModified: "2024-11-21T05:22:53.697", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "report@snyk.io", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-02-18T16:15:13.207", references: [ { source: "report@snyk.io", tags: [ "Patch", "Third Party Advisory", ], url: 
"https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6", }, { source: "report@snyk.io", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/FasterXML/jackson-dataformats-binary/issues/186", }, { source: "report@snyk.io", tags: [ "Patch", "Third Party Advisory", ], url: "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329", }, { source: "report@snyk.io", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/FasterXML/jackson-dataformats-binary/issues/186", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, ], sourceIdentifier: "report@snyk.io", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-770", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
▼ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=1899354 | Issue Tracking, Vendor Advisory | |
secalert@redhat.com | https://security.netapp.com/advisory/ntap-20210702-0003/ | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1899354 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20210702-0003/ | Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:resteasy:*:*:*:*:*:*:*:*", matchCriteriaId: "11F11745-4735-43A8-B94B-F262E3248225", versionEndExcluding: "2.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:resteasy:2.0.0:alpha1:*:*:*:*:*:*", matchCriteriaId: "C58E1EC1-8340-422E-99F3-CCDB290AD8B6", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:resteasy:2.0.0:alpha2:*:*:*:*:*:*", matchCriteriaId: "3FA3AD77-B58D-4F0F-A6BF-CAA2E5F41D91", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "72CAE44C-9314-4931-82DE-F8F5C8787C3D", versionEndExcluding: "1.11.2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A flaw was found in RESTEasy, where an incorrect response to an HTTP request is provided. This flaw allows an attacker to gain access to privileged information. The highest threat from this vulnerability is to confidentiality and integrity. Versions before resteasy 2.0.0.Alpha3 are affected.", }, { lang: "es", value: "Se encontró un fallo en RESTEasy, donde es proporcionada una respuesta incorrecta para una petición HTTP. Este fallo permite a un atacante conseguir acceso a información privilegiada. La mayor amenaza de esta vulnerabilidad es la confidencialidad y la integridad. 
Las versiones anteriores a resteasy versión 2.0.0.Alpha3 están afectadas", }, ], id: "CVE-2020-25724", lastModified: "2024-11-21T05:18:35.000", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-05-26T21:15:08.107", references: [ { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1899354", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20210702-0003/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1899354", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20210702-0003/", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-567", }, ], source: "secalert@redhat.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
▼ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://docs.gradle.org/7.0/release-notes.html#security-advisories | Release Notes, Vendor Advisory | |
security-advisories@github.com | https://github.com/gradle/gradle/security/advisories/GHSA-jvmj-rh6q-x395 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://docs.gradle.org/7.0/release-notes.html#security-advisories | Release Notes, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gradle/gradle/security/advisories/GHSA-jvmj-rh6q-x395 | Exploit, Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:gradle:gradle:*:*:*:*:*:*:*:*", matchCriteriaId: "76D1A1A2-F95B-481D-8EAE-9E54EF5B1F1B", versionEndExcluding: "7.0", versionStartIncluding: "5.1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "EF712520-1CFD-473A-B3F5-3CDDFE9C2C9A", versionEndIncluding: "2.2.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve specific dependencies. This feature was introduced in the wake of the \"A Confusing Dependency\" blog post. In some cases, Gradle may ignore content filters and search all repositories for dependencies. This only occurs when repository content filtering is used from within a `pluginManagement` block in a settings file. This may change how dependencies are resolved for Gradle plugins and build scripts. For builds that are vulnerable, there are two risks: 1) Information disclosure: Gradle could make dependency requests to repositories outside your organization and leak internal package identifiers. 2) Dependency poisoning/Dependency confusion: Gradle could download a malicious binary from a repository outside your organization due to name squatting. For a full example and more details refer to the referenced GitHub Security Advisory. The problem has been patched and released with Gradle 7.0. Users relying on this feature should upgrade their build as soon as possible. 
As a workaround, users may use a company repository which has the right rules for fetching packages from public repositories, or use project level repository content filtering, inside `buildscript.repositories`. This option is available since Gradle 5.1 when the feature was introduced.", }, { lang: "es", value: "En Gradle desde versión 5.1 y anterior a la versión 7.0, se presenta una vulnerabilidad que puede conducir a la divulgación de información y/o envenenamiento por dependencia. El filtrado de contenido del repositorio es un control de seguridad que Gradle introdujo para ayudar a los usuarios a especificar qué repositorios se usan para resolver dependencias específicas. Esta función se introdujo a raíz de la publicación de blog \"A Confusing Dependency\". En algunos casos, Gradle puede ignorar los filtros de contenido y buscar dependencias en todos los repositorios. Esto solo ocurre cuando el filtrado de contenido del repositorio se usa dentro de un bloque `pluginManagement` en un archivo de configuración. Esto puede cambiar la forma en que se resuelven las dependencias para los plugins de Gradle y los scripts de compilación. Para las compilaciones que son vulnerables, existen dos riesgos: 1) Divulgación de información: Gradle podría realizar peticiones de dependencia a repositorios fuera de su organización y filtrar identificadores de paquetes internos. 2) Envenenamiento por Dependencia / Confusión de Dependencia: Gradle podría descargar un binario malicioso de un repositorio fuera de su organización debido a la ocupación ilegal de nombres. Para obtener un ejemplo completo y más detalles, consulte el Aviso de seguridad de GitHub al que se hace referencia. El problema se ha corregido y publicado con Gradle versión 7.0. Los usuarios que confían en esta función deben actualizar su compilación lo antes posible. 
Como solución alternativa, los usuarios pueden utilizar un repositorio de la empresa que tenga las reglas adecuadas para recuperar paquetes de repositorios públicos, o utilizar el filtrado de contenido del repositorio a nivel de proyecto, dentro de `buildscript.repositories`. Esta opción está disponible desde Gradle versión 5.1 cuando se introdujo la función", }, ], id: "CVE-2021-29427", lastModified: "2024-11-21T06:01:04.433", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:S/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 6.8, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 1.3, impactScore: 6, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.2, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 1.2, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-04-13T20:15:21.703", references: [ { source: "security-advisories@github.com", tags: [ "Release Notes", "Vendor 
Advisory", ], url: "https://docs.gradle.org/7.0/release-notes.html#security-advisories", }, { source: "security-advisories@github.com", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/gradle/gradle/security/advisories/GHSA-jvmj-rh6q-x395", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://docs.gradle.org/7.0/release-notes.html#security-advisories", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/gradle/gradle/security/advisories/GHSA-jvmj-rh6q-x395", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-829", }, ], source: "security-advisories@github.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*", matchCriteriaId: "FF41DE29-2A17-4085-9F00-811E461E36EC", versionEndExcluding: "4.1.68", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "6677F86F-5933-460E-B978-23A4C1407CB0", versionEndExcluding: "2.2.4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:banking_apis:*:*:*:*:*:*:*:*", matchCriteriaId: "6DF2D056-3118-4C31-BEDD-69F016898CBB", versionEndIncluding: "18.3", versionStartIncluding: "18.1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_apis:19.1:*:*:*:*:*:*:*", matchCriteriaId: "CF34B11F-3DE1-4C22-8EB1-AEE5CE5E4172", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_apis:19.2:*:*:*:*:*:*:*", matchCriteriaId: "86F03B63-F922-45CD-A7D1-326DB0042875", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:*", matchCriteriaId: "7CBFC93F-8B39-45A2-981C-59B187169BD4", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:*", matchCriteriaId: "0843465C-F940-4FFC-998D-9A2668B75EA0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*", matchCriteriaId: "BBE7BF09-B89C-4590-821E-6C0587E096B5", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*", matchCriteriaId: "ADAE8A71-0BCD-42D5-B38C-9B2A27CC1E6B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*", matchCriteriaId: "E7231D2D-4092-44F3-B60A-D7C9ED78AFDF", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*", matchCriteriaId: "F7BDFC10-45A0-46D8-AB92-4A5E2C1C76ED", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*", matchCriteriaId: 
"18127694-109C-4E7E-AE79-0BA351849291", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*", matchCriteriaId: "33F68878-BC19-4DB8-8A72-BD9FE3D0ACEC", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_digital_experience:21.1:*:*:*:*:*:*:*", matchCriteriaId: "0D6895A6-511A-4DC6-9F9B-58E05B86BDB1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:coherence:12.2.1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "2FF57C7A-92C9-4D71-A7B1-CC9DEFAA8193", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:*", matchCriteriaId: "5FA64A1D-34F9-4441-857A-25C165E6DBB6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*", matchCriteriaId: "2A3622F5-5976-4BBC-A147-FC8A6431EA79", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:*:*:*:*:*:*:*:*", matchCriteriaId: "6894D860-000E-439D-8AB7-07E9B2ACC31B", versionEndExcluding: "12.0.0.4.6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12:0.0.5.0:*:*:*:*:*:*", matchCriteriaId: "701B1B1D-A36F-4B73-B16D-F6574DF43754", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.10.0:*:*:*:*:*:*:*", matchCriteriaId: "B6B6FE82-7BFA-481D-99D6-789B146CA18B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:*:*:*:*:*:*:*", matchCriteriaId: "10323322-F6C0-4EA7-9344-736F7A80AA5F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*", matchCriteriaId: "3AA09838-BF13-46AC-BB97-A69F48B73A8A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*", matchCriteriaId: "B4367D9B-BF81-47AD-A840-AC46317C774D", vulnerable: true, }, { criteria: 
"cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.7.0:*:*:*:*:*:*:*", matchCriteriaId: "BD4349FE-EEF8-489A-8ABF-5FCD55EC6DE0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.15.0:*:*:*:*:*:*:*", matchCriteriaId: "C6EAA723-2A23-4151-930B-86ACF9CC1C0C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*", matchCriteriaId: "590ADE5F-0D0F-4576-8BA6-828758823442", versionEndIncluding: "8.5.0.2", versionStartIncluding: "8.0.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_instant_messaging_server:8.1:*:*:*:*:*:*:*", matchCriteriaId: "47CE14F1-7E98-4C3B-A817-C54273F23464", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:helidon:1.4.10:*:*:*:*:*:*:*", matchCriteriaId: "4E7626D2-D9FF-416A-9581-852CED0D8C24", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:helidon:2.4.0:*:*:*:*:*:*:*", matchCriteriaId: "99344A5D-F4B7-49B4-9AE6-0E2FB3874EA5", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.48:*:*:*:*:*:*:*", matchCriteriaId: "7C098860-0862-4C5B-8EE4-9469D5D01815", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*", matchCriteriaId: "7E1E416B-920B-49A0-9523-382898C2979D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", matchCriteriaId: "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*", matchCriteriaId: "C8AF00C6-B97F-414D-A8DF-057E6BFD8597", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "D6A4F71A-4269-40FC-8F61-1D1301F2B728", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "5A502118-5B2B-47AE-82EC-1999BD841103", vulnerable: 
true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", matchCriteriaId: "F1BE6C1F-2565-4E97-92AA-16563E5660A5", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", matchCriteriaId: "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", vulnerable: true, }, { criteria: "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", matchCriteriaId: "FA6FEEC2-9F11-4643-8827-749718254FED", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack", }, { lang: "es", value: "La función Bzip2 decompression decoder no permite establecer restricciones de tamaño en los datos de salida descomprimidos (lo que afecta al tamaño de asignación usado durante la descompresión). Todos los usuarios de Bzip2Decoder están afectados. 
La entrada maliciosa puede desencadenar un OOME y así un ataque de DoS", }, ], id: "CVE-2021-37136", lastModified: "2024-11-21T06:14:42.867", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-10-19T15:15:07.697", references: [ { source: "reefs@jfrog.com", tags: [ "Third Party Advisory", ], url: "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv", }, { source: "reefs@jfrog.com", url: "https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3Ccommits.druid.apache.org%3E", }, { source: "reefs@jfrog.com", url: "https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb%40%3Ccommits.druid.apache.org%3E", }, { source: "reefs@jfrog.com", url: "https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04%40%3Ccommits.druid.apache.org%3E", }, { source: "reefs@jfrog.com", url: "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E", }, { 
source: "reefs@jfrog.com", url: "https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16%40%3Ccommits.druid.apache.org%3E", }, { source: "reefs@jfrog.com", url: "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e%40%3Cdev.tinkerpop.apache.org%3E", }, { source: "reefs@jfrog.com", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html", }, { source: "reefs@jfrog.com", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220210-0012/", }, { source: "reefs@jfrog.com", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2023/dsa-5316", }, { source: "reefs@jfrog.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { source: "reefs@jfrog.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { source: "reefs@jfrog.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3Ccommits.druid.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb%40%3Ccommits.druid.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04%40%3Ccommits.druid.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16%40%3Ccommits.druid.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e%40%3Cdev.tinkerpop.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220210-0012/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2023/dsa-5316", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, ], sourceIdentifier: "reefs@jfrog.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-400", }, ], source: "reefs@jfrog.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-400", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
7.4 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Vendor | Product | Version | |
---|---|---|---|
hibernate | hibernate_orm | * | |
hibernate | hibernate_orm | * | |
debian | debian_linux | 9.0 | |
debian | debian_linux | 10.0 | |
quarkus | quarkus | * | |
oracle | communications_cloud_native_core_console | 1.9.0 | |
oracle | retail_customer_management_and_segmentation_foundation | 19.0 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:hibernate:hibernate_orm:*:*:*:*:*:*:*:*", matchCriteriaId: "BD3F836E-0018-4430-9FDD-235EA0F03F8D", versionEndExcluding: "5.3.20", vulnerable: true, }, { criteria: "cpe:2.3:a:hibernate:hibernate_orm:*:*:*:*:*:*:*:*", matchCriteriaId: "355B45AF-42E0-4D63-969F-96FFEF16103B", versionEndExcluding: "5.4.24", versionStartIncluding: "5.4.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", matchCriteriaId: "DEECE5FC-CACF-4496-A3E7-164736409252", vulnerable: true, }, { criteria: "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", matchCriteriaId: "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "1809D7D8-574D-4524-90A6-4C0B163E5630", versionEndIncluding: "1.9.2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*", matchCriteriaId: "DAAB7154-4DE8-4806-86D0-C1D33B84417B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:19.0:*:*:*:*:*:*:*", matchCriteriaId: "9EFAEA84-E376-40A2-8C9F-3E0676FEC527", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. 
The highest threat from this vulnerability is to data confidentiality and integrity.", }, { lang: "es", value: "Se encontró un fallo en hibernate-core en versiones anteriores a 5.4.23.Final incluyéndola. Una inyección SQL en la implementación de la API de criterios de JPA puede permitir literales no saneados cuando es usado un literal en los comentarios de SQL de la consulta. Este fallo podría permitir a un atacante acceder a información no autorizada o posiblemente conducir más ataques. La mayor amenaza de esta vulnerabilidad es la confidencialidad e integridad de los datos", }, ], id: "CVE-2020-25638", lastModified: "2025-04-23T20:15:19.037", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 4.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 5.2, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, exploitabilityScore: 
2.2, impactScore: 5.2, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2020-12-02T15:15:12.377", references: [ { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1881353", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df%40%3Ccommits.turbine.apache.org%3E", }, { source: "secalert@redhat.com", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2021/01/msg00000.html", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2021/dsa-4908", }, { source: "secalert@redhat.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { source: "secalert@redhat.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { source: "secalert@redhat.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1881353", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rf2378209c676a28b71f9b604a3b3517c448540b85367160e558ef9df%40%3Ccommits.turbine.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party 
Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2021/01/msg00000.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2021/dsa-4908", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "secalert@redhat.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Vendor | Product | Version | |
---|---|---|---|
netty | netty | * | |
netapp | oncommand_api_services | - | |
netapp | oncommand_workflow_automation | - | |
debian | debian_linux | 10.0 | |
quarkus | quarkus | * | |
apache | kudu | * | |
apache | zookeeper | 3.5.9 | |
oracle | communications_cloud_native_core_policy | 1.14.0 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*", matchCriteriaId: "635A35A3-F02B-44CC-BB81-48C97F1612B1", versionEndExcluding: "4.1.60", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:oncommand_api_services:-:*:*:*:*:*:*:*", matchCriteriaId: "5EC98B22-FFAA-4B59-8E63-EBAA4336AD13", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", matchCriteriaId: "5735E553-9731-4AAC-BCFF-989377F817B3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", matchCriteriaId: "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "64839EBF-078E-492A-897C-9AFFB7678ED8", versionEndIncluding: "1.13.7", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:kudu:*:*:*:*:*:*:*:*", matchCriteriaId: "A868228B-8AA3-4A4D-B3B4-9344854B94F2", versionEndExcluding: "1.16.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:zookeeper:3.5.9:*:*:*:*:*:*:*", matchCriteriaId: "C6D906AE-B5F6-4CD6-8018-F6FFF7A49913", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*", matchCriteriaId: "4479F76A-4B67-41CC-98C7-C76B81050F8E", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. 
In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.", }, { lang: "es", value: "Netty es un framework de aplicación de red de código abierto y controlado por eventos asíncronos para el desarrollo rápido de servidores y clientes de protocolo de alto rendimiento mantenibles. En Netty (io.netty: netty-codec-http2) versiones anteriores a la versión 4.1.60.Final, se presenta una vulnerabilidad que permite el tráfico de peticiones. 
Si existe un encabezado Content-Length en la petición HTTP/2 original, el campo no es comprobado por \"Http2MultiplexHandler\" a medida que se propaga. Esto está bien siempre que la petición no se transmita como HTTP/1.1. Si la petición llega como una secuencia HTTP/2, se convierte en los objetos de dominio HTTP/1.1 (\"HttpRequest\", \"HttpContent\", etc.) por medio de \"Http2StreamFrameToHttpObjectCodec\" y luego se envía al pipeline del canal secundario y al proxy mediante un peer remoto como HTTP/1.1, esto puede resultar en el tráfico de peticiones. En un caso de proxy, los usuarios pueden asumir que la longitud del contenido está comprobada de alguna forma, lo que no es el caso. Si la petición se reenvía a un canal de backend que es una conexión HTTP/1.1, la longitud del contenido ahora tiene significado y debe verificarse. Un atacante puede traficar peticiones dentro del cuerpo a medida que se degrada de HTTP/2 a HTTP/1.1. Para visualizar un ejemplo de ataque, consulte el Aviso de GitHub vinculado. Los usuarios solo están afectados si todo esto es cierto: se usa \"HTTP2MultiplexCodec\" o \"Http2FrameCodec\", se usa \"Http2StreamFrameToHttpObjectCodec\" para convertir a objetos HTTP/1.1, y estos objetos HTTP/1.1 se reenvían a otro par remoto. Esto ha sido parcheado en la versión 4.1.60.Final. 
Como solución, el usuario puede hacer la comprobación por sí mismo implementando un \"ChannelInboundHandler\" personalizado que se coloca en el \"ChannelPipeline\" detrás de \"Http2StreamFrameToHttpObjectCodec\"", }, ], id: "CVE-2021-21295", lastModified: "2024-11-21T05:47:57.530", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 4.9, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 3.6, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-03-09T19:15:12.657", references: [ { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/Netflix/zuul/pull/980", }, { source: "security-advisories@github.com", tags: [ "Patch", "Vendor Advisory", ], url: 
"https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f%40%3Cdev.ranger.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r040a5e4d9cca2f98354b58a70b27099672276f66995c4e2e39545d0b%40%3Cissues.hbase.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c%40%3Cissues.flink.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r15f66ada9a5faf4bac69d9e7c4521cedfefa62df9509881603791969%40%3Cjira.kafka.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904%40%3Cdev.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r1bca0b81193b74a451fc6d687ab58ef3a1f5ec40f6c61561d8dd9509%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r22adb45fe902aeafcd0a1c4db13984224a667676c323c66db3af38a1%40%3Ccommits.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: 
"https://lists.apache.org/thread.html/r22b2f34447d71c9a0ad9079b7860323d5584fb9b40eb42668c21eaf1%40%3Cissues.hbase.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r268850f26639ebe249356ed6d8edb54ee8943be6f200f770784fb190%40%3Cissues.hbase.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r27b7e5a588ec826b15f38c40be500c50073400019ce7b8adfd07fece%40%3Cissues.hbase.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r312ce5bd3c6bf08c138349b507b6f1c25fe9cf40b6f2b0014c9d12b1%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r32b0b640ad2be3b858f0af51c68a7d5c5a66a462c8bbb93699825cd3%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r33eb06b05afbc7df28d31055cae0cb3fd36cab808c884bf6d680bea5%40%3Cdev.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r393a339ab0b63ef9e6502253eeab26e7643b3e69738d5948b2b1d064%40%3Cissues.hbase.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r3c293431c781696681abbfe1c573c2d9dcdae6fd3ff330ea22f0433f%40%3Cjira.kafka.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r3c4596b9b37f5ae91628ccf169d33cd5a0da4b16b6c39d5bad8e03f3%40%3Cdev.jackrabbit.apache.org%3E", }, { source: 
"security-advisories@github.com", url: "https://lists.apache.org/thread.html/r3ff9e735ca33612d900607dc139ebd38a64cadc6bce292e53eb86d7f%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d%40%3Cissues.kudu.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r5232e33a1f3b310a3e083423f736f3925ebdb150844d60ac582809f8%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r5470456cf1409a99893ae9dd57439799f6dc1a60fda90e11570f66fe%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41%40%3Cjira.kafka.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a%40%3Cissues.flink.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700%40%3Cjira.kafka.apache.org%3E", }, { source: "security-advisories@github.com", url: 
"https://lists.apache.org/thread.html/r5fc5786cdd640b1b0a3c643237ce0011f0a08a296b11c0e2c669022c%40%3Cdev.kafka.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5%40%3Cissues.flink.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r67e6a636cbc1958383a1cd72b7fd0cd7493360b1dd0e6c12f5761798%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r6a122c25e352eb134d01e7f4fc4d345a491c5ee9453fef6fc754d15b%40%3Ccommits.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r6a29316d758db628a1df49ca219d64caf493999b52cc77847bfba675%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r6aee7e3566cb3e51eeed2fd8786704d91f80a7581e00a787ba9f37f6%40%3Cissues.hbase.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r70cebada51bc6d49138272437d8a28fe971d0197334ef906b575044c%40%3Ccommits.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890%40%3Cissues.bookkeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5%40%3Cdev.ranger.apache.org%3E", }, { 
source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r837bbcbf12e335e83ab448b1bd2c1ad7e86efdc14034b23811422e6a%40%3Ccommits.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e%40%3Cissues.flink.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r86cd38a825ab2344f3e6cad570528852f29a4ffdf56ab67d75c36edf%40%3Cissues.hbase.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r9051e4f484a970b5566dc1870ecd9c1eb435214e2652cf3ea4d0c0cc%40%3Cjira.kafka.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r905b92099998291956eebf4f1c5d95f5a0cbcece2946cc46d32274fd%40%3Cdev.hbase.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r96ce18044880c33634c4b3fcecc57b8b90673c9364d63eba00385523%40%3Cjira.kafka.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48%40%3Ccommits.pulsar.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898%40%3Cdev.flink.apache.org%3E", }, { source: "security-advisories@github.com", url: 
"https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb%40%3Cissues.kudu.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/ra83096bcbfe6e1f4d54449f8a013117a0536404e9d307ab4a0d34f81%40%3Cissues.hbase.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4%40%3Cdev.kafka.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325%40%3Ccommits.pulsar.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rb95d42ce220ed4a4683aa17833b5006d657bc4254bc5cb03cd5e6bfb%40%3Cissues.hbase.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rbadcbcb50195f00bbd196403865ced521ca70787999583c07be38d0e%40%3Cnotifications.zookeeper.apache.org%3E", }, { 
source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rbed09768f496244a2e138dbbe6d2847ddf796c9c8ef9e50f2e3e30d9%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rc165e36ca7cb5417aec3f21bbc4ec00fb38ecebdd96a82cfab9bd56f%40%3Cjira.kafka.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3%40%3Cissues.kudu.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d%40%3Ccommits.pulsar.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rcf3752209a8b04996373bf57fdc808b3bfaa2be8702698a0323641f8%40%3Ccommits.hbase.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rcfc535afd413d9934d6ee509dce234dac41fa3747a7555befb17447e%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "security-advisories@github.com", url: 
"https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc%40%3Cissues.kudu.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rdc096e13ac4501ea2e2b03a197682a313b85d3d3ec89d5ae5551b384%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/re6207ebe2ca4d44f2a6deee695ad6f27fd29d78980f1d46ed1574f91%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324%40%3Cissues.flink.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60%40%3Ccommits.servicecomb.apache.org%3E", }, { 
source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b%40%3Cissues.kudu.apache.org%3E", }, { source: "security-advisories@github.com", url: "https://lists.apache.org/thread.html/rfff6ff8ffb31e8a32619c79774def44b6ffbb037c128c5ad3eab7171%40%3Cissues.zookeeper.apache.org%3E", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20210604-0003/", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2021/dsa-4885", }, { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/Netflix/zuul/pull/980", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Vendor Advisory", ], url: "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f%40%3Cdev.ranger.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r040a5e4d9cca2f98354b58a70b27099672276f66995c4e2e39545d0b%40%3Cissues.hbase.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c%40%3Cissues.flink.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r15f66ada9a5faf4bac69d9e7c4521cedfefa62df9509881603791969%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904%40%3Cdev.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r1bca0b81193b74a451fc6d687ab58ef3a1f5ec40f6c61561d8dd9509%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r22adb45fe902aeafcd0a1c4db13984224a667676c323c66db3af38a1%40%3Ccommits.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r22b2f34447d71c9a0ad9079b7860323d5584fb9b40eb42668c21eaf1%40%3Cissues.hbase.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r268850f26639ebe249356ed6d8edb54ee8943be6f200f770784fb190%40%3Cissues.hbase.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r27b7e5a588ec826b15f38c40be500c50073400019ce7b8adfd07fece%40%3Cissues.hbase.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r312ce5bd3c6bf08c138349b507b6f1c25fe9cf40b6f2b0014c9d12b1%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r32b0b640ad2be3b858f0af51c68a7d5c5a66a462c8bbb93699825cd3%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r33eb06b05afbc7df28d31055cae0cb3fd36cab808c884bf6d680bea5%40%3Cdev.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r393a339ab0b63ef9e6502253eeab26e7643b3e69738d5948b2b1d064%40%3Cissues.hbase.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r3c293431c781696681abbfe1c573c2d9dcdae6fd3ff330ea22f0433f%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r3c4596b9b37f5ae91628ccf169d33cd5a0da4b16b6c39d5bad8e03f3%40%3Cdev.jackrabbit.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r3ff9e735ca33612d900607dc139ebd38a64cadc6bce292e53eb86d7f%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d%40%3Cissues.kudu.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/r5232e33a1f3b310a3e083423f736f3925ebdb150844d60ac582809f8%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r5470456cf1409a99893ae9dd57439799f6dc1a60fda90e11570f66fe%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a%40%3Cissues.flink.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r5fc5786cdd640b1b0a3c643237ce0011f0a08a296b11c0e2c669022c%40%3Cdev.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5%40%3Cissues.flink.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/r67e6a636cbc1958383a1cd72b7fd0cd7493360b1dd0e6c12f5761798%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r6a122c25e352eb134d01e7f4fc4d345a491c5ee9453fef6fc754d15b%40%3Ccommits.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r6a29316d758db628a1df49ca219d64caf493999b52cc77847bfba675%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r6aee7e3566cb3e51eeed2fd8786704d91f80a7581e00a787ba9f37f6%40%3Cissues.hbase.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r70cebada51bc6d49138272437d8a28fe971d0197334ef906b575044c%40%3Ccommits.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890%40%3Cissues.bookkeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5%40%3Cdev.ranger.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r837bbcbf12e335e83ab448b1bd2c1ad7e86efdc14034b23811422e6a%40%3Ccommits.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e%40%3Cissues.flink.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/r86cd38a825ab2344f3e6cad570528852f29a4ffdf56ab67d75c36edf%40%3Cissues.hbase.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r9051e4f484a970b5566dc1870ecd9c1eb435214e2652cf3ea4d0c0cc%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r905b92099998291956eebf4f1c5d95f5a0cbcece2946cc46d32274fd%40%3Cdev.hbase.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r96ce18044880c33634c4b3fcecc57b8b90673c9364d63eba00385523%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48%40%3Ccommits.pulsar.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898%40%3Cdev.flink.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb%40%3Cissues.kudu.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/ra83096bcbfe6e1f4d54449f8a013117a0536404e9d307ab4a0d34f81%40%3Cissues.hbase.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4%40%3Cdev.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325%40%3Ccommits.pulsar.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rb95d42ce220ed4a4683aa17833b5006d657bc4254bc5cb03cd5e6bfb%40%3Cissues.hbase.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rbadcbcb50195f00bbd196403865ced521ca70787999583c07be38d0e%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rbed09768f496244a2e138dbbe6d2847ddf796c9c8ef9e50f2e3e30d9%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rc165e36ca7cb5417aec3f21bbc4ec00fb38ecebdd96a82cfab9bd56f%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3%40%3Cissues.kudu.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d%40%3Ccommits.pulsar.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rcf3752209a8b04996373bf57fdc808b3bfaa2be8702698a0323641f8%40%3Ccommits.hbase.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rcfc535afd413d9934d6ee509dce234dac41fa3747a7555befb17447e%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc%40%3Cissues.kudu.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rdc096e13ac4501ea2e2b03a197682a313b85d3d3ec89d5ae5551b384%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/re6207ebe2ca4d44f2a6deee695ad6f27fd29d78980f1d46ed1574f91%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324%40%3Cissues.flink.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b%40%3Cissues.kudu.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rfff6ff8ffb31e8a32619c79774def44b6ffbb037c128c5ad3eab7171%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20210604-0003/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2021/dsa-4885", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-444", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-444", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
3.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Vendor | Product | Version | |
---|---|---|---|
google | guava | * | |
quarkus | quarkus | * | |
oracle | commerce_guided_search | 11.3.2 | |
oracle | communications_cloud_native_core_network_slice_selection_function | 1.2.1 | |
oracle | communications_pricing_design_center | 12.0.0.4.0 | |
oracle | communications_pricing_design_center | 12.0.0.5.0 | |
oracle | data_integrator | 12.2.1.3.0 | |
oracle | data_integrator | 12.2.1.4.0 | |
oracle | nosql_database | * | |
oracle | peoplesoft_enterprise_peopletools | 8.57 | |
oracle | peoplesoft_enterprise_peopletools | 8.58 | |
oracle | peoplesoft_enterprise_peopletools | 8.59 | |
oracle | retail_customer_management_and_segmentation_foundation | * | |
oracle | weblogic_server | 14.1.1.0.0 | |
oracle | communications_cloud_native_core_network_repository_function | 1.14.0 | |
oracle | primavera_unifier | * | |
oracle | primavera_unifier | 18.8 | |
oracle | primavera_unifier | 19.12 | |
oracle | primavera_unifier | 20.12 | |
oracle | primavera_unifier | 21.12 | |
netapp | active_iq_unified_manager | - | |
netapp | active_iq_unified_manager | - | |
netapp | active_iq_unified_manager | - |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:google:guava:*:*:*:*:*:*:*:*", matchCriteriaId: "F0FA9B26-6D87-4FE1-B719-EC4770B5418D", versionEndExcluding: "32.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "89306BA8-9E5C-49F6-AB32-B78BE1D831F0", versionEndExcluding: "1.11.4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*", matchCriteriaId: "2A3622F5-5976-4BBC-A147-FC8A6431EA79", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.2.1:*:*:*:*:*:*:*", matchCriteriaId: "ADE6EF8F-1F05-429B-A916-76FDB20CEB81", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.4.0:*:*:*:*:*:*:*", matchCriteriaId: "A28F42F0-FBDA-4574-AD30-7A04F27FEA3E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.5.0:*:*:*:*:*:*:*", matchCriteriaId: "129CA55C-C770-4D42-BD17-9011F3AC93C4", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:data_integrator:12.2.1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "9901F6BA-78D5-45B8-9409-07FF1C6DDD38", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "9FADE563-5AAA-42FF-B43F-35B20A2386C9", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:*", matchCriteriaId: "D04565AE-D092-4AE0-8FEE-0E8114662A1B", versionEndExcluding: "20.3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*", matchCriteriaId: "7E1E416B-920B-49A0-9523-382898C2979D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", matchCriteriaId: "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9", vulnerable: true, 
}, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*", matchCriteriaId: "C8AF00C6-B97F-414D-A8DF-057E6BFD8597", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:*:*:*:*:*:*:*:*", matchCriteriaId: "B92BB355-DB00-438E-84E5-8EC007009576", versionEndIncluding: "19.0", versionStartIncluding: "16.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*", matchCriteriaId: "04BCDC24-4A21-473C-8733-0D9CFB38A752", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.14.0:*:*:*:*:*:*:*", matchCriteriaId: "8E463039-5E48-4AA0-A42B-081053FA0111", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*", matchCriteriaId: "08FA59A8-6A62-4B33-8952-D6E658F8DAC9", versionEndIncluding: "17.12", versionStartIncluding: "17.7", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*", matchCriteriaId: "202AD518-2E9B-4062-B063-9858AE1F9CE2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*", matchCriteriaId: "10864586-270E-4ACF-BDCC-ECFCD299305F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*", matchCriteriaId: "38340E3C-C452-4370-86D4-355B6B4E0A06", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*", matchCriteriaId: "E9C55C69-E22E-4B80-9371-5CD821D79FE2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*", matchCriteriaId: "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", matchCriteriaId: "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5", vulnerable: true, 
}, { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", matchCriteriaId: "B55E8D50-99B4-47EC-86F9-699B67D473CE", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.\n\n", }, { lang: "es", value: "Se presenta una vulnerabilidad en la creación de directorios temporales en todas las versiones de Guava, que permite a un atacante con acceso a la máquina acceder potencialmente a los datos de un directorio temporal creado por la API de Guava com.google.common.io.Files.createTempDir(). Por defecto, en los sistemas de tipo unix, el directorio creado es legible por el mundo (legible por un atacante con acceso al sistema). El método en cuestión ha sido marcado como @Deprecated en las versiones 30.0 y posteriores y no debe ser utilizado. Para los desarrolladores de Android, recomendamos elegir una API de directorio temporal proporcionada por Android, como context.getCacheDir(). 
Para otros desarrolladores de Java, recomendamos migrar a la API de Java 7 java.nio.file.Files.createTempDirectory() que configura explícitamente los permisos de 700, o configurar la propiedad del sistema java.io.tmpdir del tiempo de ejecución de Java para que apunte a una ubicación cuyos permisos estén configurados adecuadamente", }, ], id: "CVE-2020-8908", lastModified: "2024-11-21T05:39:40.053", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "LOW", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.1, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:L/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 3.9, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 3.3, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 1.4, source: "cve-coordination@google.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 3.3, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-12-10T23:15:13.973", references: [ { source: "cve-coordination@google.com", tags: [ "Patch", "Third Party Advisory", ], url: 
"https://github.com/google/guava/commit/fec0dbc4634006a6162cfd4d0d09c962073ddf40", }, { source: "cve-coordination@google.com", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/google/guava/issues/4011", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r007add131977f4f576c232b25e024249a3d16f66aad14a4b52819d21%40%3Ccommon-issues.hadoop.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r07ed3e4417ad043a27bee7bb33322e9bfc7d7e6d1719b8e3dfd95c14%40%3Cdev.drill.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r161b87f8037bbaff400194a63cd2016c9a69f5949f06dcc79beeab54%40%3Cdev.drill.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r215b3d50f56faeb2f9383505f3e62faa9f549bb23e8a9848b78a968e%40%3Ccommits.ws.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r294be9d31c0312d2c0837087204b5d4bf49d0552890e6eec716fa6a6%40%3Cyarn-issues.hadoop.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r2fe45d96eea8434b91592ca08109118f6308d60f6d0e21d52438cfb4%40%3Cdev.drill.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748%40%3Ccommits.pulsar.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r3dd8881de891598d622227e9840dd7c2ef1d08abbb49e9690c7ae1bc%40%3Cissues.geode.apache.org%3E", }, { source: 
"cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r4776f62dfae4a0006658542f43034a7fc199350e35a66d4e18164ee6%40%3Ccommits.cxf.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r49549a8322f62cd3acfa4490d25bfba0be04f3f9ff4d14fe36199d27%40%3Cyarn-dev.hadoop.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r58a8775205ab1839dba43054b09a9ab3b25b423a4170b2413c4067ac%40%3Ccommon-issues.hadoop.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r5b3d93dfdfb7708e796e8762ab40edbde8ff8add48aba53e5ea26f44%40%3Cissues.geode.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r5d61b98ceb7bba939a651de5900dbd67be3817db6bfcc41c6e04e199%40%3Cyarn-issues.hadoop.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r6874dfe26eefc41b7c9a5e4a0487846fc4accf8c78ff948b24a1104a%40%3Cdev.drill.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r68d86f4b06c808204f62bcb254fcb5b0432528ee8d37a07ef4bc8222%40%3Ccommits.ws.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r79e47ed555bdb1180e528420a7a2bb898541367a29a3bc6bbf0baf2c%40%3Cissues.hive.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r7b0e81d8367264d6cad98766a469d64d11248eb654417809bfdacf09%40%3Cyarn-issues.hadoop.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party 
Advisory", ], url: "https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba%40%3Cissues.maven.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/ra7ab308481ee729f998691e8e3e02e93b1dedfc98f6b1cd3d86923b3%40%3Cyarn-issues.hadoop.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/rb2364f4cf4d274eab5a7ecfaf64bf575cedf8b0173551997c749d322%40%3Cgitbox.hive.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/rb8c0f1b7589864396690fe42a91a71dea9412e86eec66dc85bbacaaf%40%3Ccommits.cxf.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99d2bc9106510e00ff3%40%3Ctorque-dev.db.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/rc2dbc4633a6eea1fcbce6831876cfa17b73759a98c65326d1896cb1a%40%3Ctorque-dev.db.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/rc607bc52f3507b8b9c28c6a747c3122f51ac24afe80af2a670785b97%40%3Cissues.geode.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/rcafc3a637d82bdc9a24036b2ddcad1e519dd0e6f848fcc3d606fd78f%40%3Cdev.hive.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95%40%3Cgithub.arrow.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: 
"https://lists.apache.org/thread.html/rd2704306ec729ccac726e50339b8a8f079515cc29ccb77713b16e7c5%40%3Cissues.hive.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/rd5d58088812cf8e677d99b07f73c654014c524c94e7fedbdee047604%40%3Ctorque-dev.db.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/rd7e12d56d49d73e2b8549694974b07561b79b05455f7f781954231bf%40%3Cdev.pig.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/re120f6b3d2f8222121080342c5801fdafca2f5188ceeb3b49c8a1d27%40%3Cyarn-issues.hadoop.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/reebbd63c25bc1a946caa419cec2be78079f8449d1af48e52d47c9e85%40%3Cissues.geode.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/rf00b688ffa620c990597f829ff85fdbba8bf73ee7bfb34783e1f0d4e%40%3Cyarn-dev.hadoop.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/rf9f0fa84b8ae1a285f0210bafec6de2a9eba083007d04640b82aa625%40%3Cissues.geode.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594%40%3Cdev.myfaces.apache.org%3E", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220210-0003/", }, { source: "cve-coordination@google.com", tags: [ "Exploit", "Patch", "Third Party Advisory", ], url: "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415", }, { source: "cve-coordination@google.com", tags: [ "Patch", 
"Third Party Advisory", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { source: "cve-coordination@google.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { source: "cve-coordination@google.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { source: "cve-coordination@google.com", tags: [ "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { source: "cve-coordination@google.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/google/guava/commit/fec0dbc4634006a6162cfd4d0d09c962073ddf40", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/google/guava/issues/4011", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r007add131977f4f576c232b25e024249a3d16f66aad14a4b52819d21%40%3Ccommon-issues.hadoop.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r07ed3e4417ad043a27bee7bb33322e9bfc7d7e6d1719b8e3dfd95c14%40%3Cdev.drill.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r161b87f8037bbaff400194a63cd2016c9a69f5949f06dcc79beeab54%40%3Cdev.drill.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r215b3d50f56faeb2f9383505f3e62faa9f549bb23e8a9848b78a968e%40%3Ccommits.ws.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third 
Party Advisory", ], url: "https://lists.apache.org/thread.html/r294be9d31c0312d2c0837087204b5d4bf49d0552890e6eec716fa6a6%40%3Cyarn-issues.hadoop.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r2fe45d96eea8434b91592ca08109118f6308d60f6d0e21d52438cfb4%40%3Cdev.drill.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748%40%3Ccommits.pulsar.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r3dd8881de891598d622227e9840dd7c2ef1d08abbb49e9690c7ae1bc%40%3Cissues.geode.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r4776f62dfae4a0006658542f43034a7fc199350e35a66d4e18164ee6%40%3Ccommits.cxf.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r49549a8322f62cd3acfa4490d25bfba0be04f3f9ff4d14fe36199d27%40%3Cyarn-dev.hadoop.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r58a8775205ab1839dba43054b09a9ab3b25b423a4170b2413c4067ac%40%3Ccommon-issues.hadoop.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r5b3d93dfdfb7708e796e8762ab40edbde8ff8add48aba53e5ea26f44%40%3Cissues.geode.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r5d61b98ceb7bba939a651de5900dbd67be3817db6bfcc41c6e04e199%40%3Cyarn-issues.hadoop.apache.org%3E", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r6874dfe26eefc41b7c9a5e4a0487846fc4accf8c78ff948b24a1104a%40%3Cdev.drill.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r68d86f4b06c808204f62bcb254fcb5b0432528ee8d37a07ef4bc8222%40%3Ccommits.ws.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r79e47ed555bdb1180e528420a7a2bb898541367a29a3bc6bbf0baf2c%40%3Cissues.hive.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r7b0e81d8367264d6cad98766a469d64d11248eb654417809bfdacf09%40%3Cyarn-issues.hadoop.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba%40%3Cissues.maven.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/ra7ab308481ee729f998691e8e3e02e93b1dedfc98f6b1cd3d86923b3%40%3Cyarn-issues.hadoop.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/rb2364f4cf4d274eab5a7ecfaf64bf575cedf8b0173551997c749d322%40%3Cgitbox.hive.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/rb8c0f1b7589864396690fe42a91a71dea9412e86eec66dc85bbacaaf%40%3Ccommits.cxf.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99d2bc9106510e00ff3%40%3Ctorque-dev.db.apache.org%3E", 
}, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/rc2dbc4633a6eea1fcbce6831876cfa17b73759a98c65326d1896cb1a%40%3Ctorque-dev.db.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/rc607bc52f3507b8b9c28c6a747c3122f51ac24afe80af2a670785b97%40%3Cissues.geode.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/rcafc3a637d82bdc9a24036b2ddcad1e519dd0e6f848fcc3d606fd78f%40%3Cdev.hive.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95%40%3Cgithub.arrow.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/rd2704306ec729ccac726e50339b8a8f079515cc29ccb77713b16e7c5%40%3Cissues.hive.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/rd5d58088812cf8e677d99b07f73c654014c524c94e7fedbdee047604%40%3Ctorque-dev.db.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/rd7e12d56d49d73e2b8549694974b07561b79b05455f7f781954231bf%40%3Cdev.pig.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/re120f6b3d2f8222121080342c5801fdafca2f5188ceeb3b49c8a1d27%40%3Cyarn-issues.hadoop.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: 
"https://lists.apache.org/thread.html/reebbd63c25bc1a946caa419cec2be78079f8449d1af48e52d47c9e85%40%3Cissues.geode.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/rf00b688ffa620c990597f829ff85fdbba8bf73ee7bfb34783e1f0d4e%40%3Cyarn-dev.hadoop.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/rf9f0fa84b8ae1a285f0210bafec6de2a9eba083007d04640b82aa625%40%3Cissues.geode.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594%40%3Cdev.myfaces.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220210-0003/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Patch", "Third Party Advisory", ], url: "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, ], sourceIdentifier: "cve-coordination@google.com", vulnStatus: "Modified", 
weaknesses: [ { description: [ { lang: "en", value: "CWE-378", }, ], source: "cve-coordination@google.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-732", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "F1985AD9-735A-4BBB-8E7B-B3271DC601C0", versionEndExcluding: "2.16.11", vulnerable: true, }, { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "B7A7D975-A081-4FA5-A97A-B430102325ED", versionEndExcluding: "3.2.6", versionStartIncluding: "3.2.0", vulnerable: true, }, { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "F51936A7-39F2-42F4-87C5-D99445652F6B", versionEndExcluding: "3.3.3", versionStartIncluding: "3.3.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:build_of_optaplanner:8.0:*:*:*:*:*:*:*", matchCriteriaId: "1D54F5AE-61EC-4434-9D5F-9394A3979894", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:build_of_quarkus:*:*:*:*:text-only:*:*:*", matchCriteriaId: "ACCC2DC7-4127-4429-BC5B-C555458D790A", versionEndExcluding: "2.13.8", versionStartIncluding: "2.13.0", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:decision_manager:7.0:*:*:*:*:*:*:*", matchCriteriaId: "68146098-58F8-417E-B165-5182527117C4", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:integration_camel_k:*:*:*:*:*:*:*:*", matchCriteriaId: "176A2C2D-9397-4238-B803-54F60ED795C8", versionEndExcluding: "1.10.2", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:integration_camel_quarkus:-:*:*:*:*:*:*:*", matchCriteriaId: "F039C746-2001-4EE5-835F-49607A94F12B", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:integration_service_registry:-:*:*:*:*:*:*:*", matchCriteriaId: "EF03BDE8-602D-4DEE-BA5B-5B20FDF47741", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_middleware:1:*:*:*:*:*:*:*", matchCriteriaId: "1F4A0F87-524E-4935-9B07-93793D8143FD", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_middleware_text-only_advisories:1.0:*:*:*:*:middleware:*:*", matchCriteriaId: "A0FED4EE-0AE2-4BD8-8DAC-143382E4DB7C", vulnerable: true, }, { criteria: 
"cpe:2.3:a:redhat:openshift_serverless:-:*:*:*:*:*:*:*", matchCriteriaId: "77675CB7-67D7-44E9-B7FF-D224B3341AA5", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_serverless:1.0:*:*:*:*:*:*:*", matchCriteriaId: "C18B8793-52C2-46E2-8752-92552AD4A643", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:process_automation_manager:7.0:*:*:*:*:*:*:*", matchCriteriaId: "4857DA21-9127-4F6A-9DA1-96678D9F9472", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:openshift_container_platform:4.10:*:*:*:*:*:*:*", matchCriteriaId: "0595C9F8-9C7A-4FC1-B7EE-52978A1B1E93", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:*", matchCriteriaId: "EA983F8C-3A06-450A-AEFF-9429DE9A3454", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*", matchCriteriaId: "40449571-22F8-44FA-B57B-B43F71AB25E2", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, ], cveTags: [], descriptions: [ { lang: "en", value: "A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.", }, { lang: "es", value: "Se encontró una falla en Quarkus donde las políticas de seguridad HTTP no sanitiza correctamente ciertas permutaciones de caracteres al aceptar solicitudes, lo que resulta en una evaluación incorrecta de los permisos. 
Este problema podría permitir que un atacante eluda la política de seguridad por completo, lo que resultaría en un acceso no autorizado al endpoint y posiblemente una Denegación de Servicio.", }, ], id: "CVE-2023-4853", lastModified: "2024-11-21T08:36:06.910", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 5.9, source: "secalert@redhat.com", type: "Secondary", }, { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-09-20T10:15:14.947", references: [ { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:5170", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:5310", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:5337", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:5446", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:5479", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:5480", }, { source: "secalert@redhat.com", tags: [ "Vendor 
Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:6107", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:6112", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:7653", }, { source: "secalert@redhat.com", tags: [ "Mitigation", "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2023-4853", }, { source: "secalert@redhat.com", tags: [ "Exploit", "Mitigation", "Technical Description", "Vendor Advisory", ], url: "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002", }, { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2238034", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:5170", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:5310", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:5337", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:5446", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:5479", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:5480", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:6107", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:6112", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: 
"https://access.redhat.com/errata/RHSA-2023:7653", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mitigation", "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2023-4853", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Mitigation", "Technical Description", "Vendor Advisory", ], url: "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2238034", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-148", }, ], source: "secalert@redhat.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-863", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
▼ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://docs.gradle.org/7.0/release-notes.html#security-advisories | Release Notes, Vendor Advisory | |
security-advisories@github.com | https://github.com/gradle/gradle/pull/15240 | Patch, Third Party Advisory | |
security-advisories@github.com | https://github.com/gradle/gradle/pull/15654 | Patch, Third Party Advisory | |
security-advisories@github.com | https://github.com/gradle/gradle/security/advisories/GHSA-89qm-pxvm-p336 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://docs.gradle.org/7.0/release-notes.html#security-advisories | Release Notes, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gradle/gradle/pull/15240 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gradle/gradle/pull/15654 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gradle/gradle/security/advisories/GHSA-89qm-pxvm-p336 | Exploit, Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:gradle:gradle:*:*:*:*:*:*:*:*", matchCriteriaId: "1CBD5FF7-3589-474C-8BA7-0385D3E4BC0F", versionEndExcluding: "7.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "EF712520-1CFD-473A-B3F5-3CDDFE9C2C9A", versionEndIncluding: "2.2.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory. This vulnerability impacted builds using precompiled script plugins written in Kotlin DSL and tests for Gradle plugins written using ProjectBuilder or TestKit. If you are on Windows or modern versions of macOS, you are not vulnerable. If you are on a Unix-like operating system with the \"sticky\" bit set on your system temporary directory, you are not vulnerable. The problem has been patched and released with Gradle 7.0. As a workaround, on Unix-like operating systems, ensure that the \"sticky\" bit is set. This only allows the original user (or root) to delete a file. If you are unable to change the permissions of the system temporary directory, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only. For additional details refer to the referenced GitHub Security Advisory.", }, { lang: "es", value: "En Gradle versiones anteriores a 7.0, en sistemas similares a Unix, el directorio temporal del sistema puede ser creado con permisos abiertos que permiten a varios usuarios crear y eliminar archivos dentro de él. 
Las compilaciones de Gradle podrían ser vulnerables a una escalada de privilegios local de un atacante que elimine y vuelva a crear rápidamente archivos en el directorio temporal del sistema. Esta vulnerabilidad afectó las compilaciones que usan plugins de script precompilados escritos en Kotlin DSL y pruebas para plugins de Gradle escritos con ProjectBuilder o TestKit. Si tiene Windows o versiones modernas de macOS, no es vulnerable. Si está en un sistema operativo similar a Unix con el bit \"sticky\" configurado en el directorio temporal de su sistema, no es vulnerable. El problema se ha corregido y publicado con Gradle 7.0. Como solución alternativa, en sistemas operativos similares a Unix, asegúrese de que el bit \"sticky\" está establecido. Esto solo permite que el usuario original (o root) elimine un archivo. Si no puede cambiar los permisos del directorio temporal del sistema, puede mover el directorio temporal de Java configurando la propiedad del sistema `java.io.tmpdir`. La nueva ruta debe limitar los permisos solo al usuario de la compilación. 
Para obtener detalles adicionales, consulte el Aviso de Seguridad de GitHub al que se hace referencia", }, ], id: "CVE-2021-29428", lastModified: "2024-11-21T06:01:04.577", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 4.4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:L/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 3.4, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2, impactScore: 6, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-04-13T20:15:21.797", references: [ { source: "security-advisories@github.com", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://docs.gradle.org/7.0/release-notes.html#security-advisories", }, { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/gradle/gradle/pull/15240", }, { source: 
"security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/gradle/gradle/pull/15654", }, { source: "security-advisories@github.com", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/gradle/gradle/security/advisories/GHSA-89qm-pxvm-p336", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://docs.gradle.org/7.0/release-notes.html#security-advisories", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/gradle/gradle/pull/15240", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/gradle/gradle/pull/15654", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://github.com/gradle/gradle/security/advisories/GHSA-89qm-pxvm-p336", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-378", }, { lang: "en", value: "CWE-379", }, ], source: "security-advisories@github.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
oracle | mysql_connectors | * | |
quarkus | quarkus | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:mysql_connectors:*:*:*:*:*:*:*:*", matchCriteriaId: "6C45263D-F272-43ED-9D16-0AD7D43AAA9C", versionEndIncluding: "8.0.27", versionStartIncluding: "8.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "00DB1A4B-0ED9-4988-ADCA-FBFA552DDA49", versionEndExcluding: "2.7.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).", }, { lang: "es", value: "Una vulnerabilidad en el producto MySQL Connectors de Oracle MySQL (componente: Connector/J). Las versiones compatibles que están afectadas son 8.0.27 y anteriores. Una vulnerabilidad difícil de explotar permite a un atacante muy privilegiado con acceso a la red por medio de múltiples protocolos comprometer los Conectores de MySQL. Los ataques con éxito de esta vulnerabilidad pueden resultar en la toma de control de los Conectores MySQL. CVSS 3.1, Puntuación base 6.6 (impactos de confidencialidad, integridad y disponibilidad). 
Vector CVSS: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)", }, ], id: "CVE-2022-21363", lastModified: "2024-11-21T06:44:31.217", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:S/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 6.8, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.6, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 0.7, impactScore: 5.9, source: "secalert_us@oracle.com", type: "Secondary", }, ], }, published: "2022-01-19T12:15:15.680", references: [ { source: "secalert_us@oracle.com", tags: [ "Vendor Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], sourceIdentifier: "secalert_us@oracle.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Vendor | Product | Version | |
---|---|---|---|
redhat | hibernate_validator | * | |
redhat | hibernate_validator | * | |
redhat | hibernate_validator | 7.0.0 | |
ibm | websphere_application_server | * | |
redhat | jboss_enterprise_application_platform | 7.2.0 | |
redhat | jboss_enterprise_application_platform | 7.3.0 | |
redhat | enterprise_linux | 6.0 | |
redhat | enterprise_linux | 7.0 | |
redhat | enterprise_linux | 8.0 | |
redhat | satellite | 6.8 | |
redhat | satellite_capsule | 6.8 | |
quarkus | quarkus | * | |
oracle | weblogic_server | 14.1.1.0.0 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:hibernate_validator:*:*:*:*:*:*:*:*", matchCriteriaId: "BC03ED08-C2B3-4871-9217-39EDDF6314E9", versionEndExcluding: "6.0.20", versionStartIncluding: "5.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:hibernate_validator:*:*:*:*:*:*:*:*", matchCriteriaId: "6DB865C4-682A-4471-9DCC-4AF53FBAF795", versionEndExcluding: "6.1.5", versionStartIncluding: "6.1.2", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:hibernate_validator:7.0.0:alpha1:*:*:*:*:*:*", matchCriteriaId: "CD694646-E837-4704-8E22-4E67F9F7B62C", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:liberty:*:*:*", matchCriteriaId: "5E3A3BE5-0B6D-456C-802B-46DEE26E7E07", versionEndIncluding: "20.0.0.10", versionStartIncluding: "17.0.0.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*", matchCriteriaId: "0952BA1A-5DF9-400F-B01F-C3A398A8A2D4", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3.0:*:*:*:*:*:*:*", matchCriteriaId: "8B157A2D-3422-4224-82D9-15AB3B989075", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", matchCriteriaId: "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", matchCriteriaId: "142AD0DD-4CF3-4D74-9442-459CE3347E3A", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:satellite:6.8:*:*:*:*:*:*:*", matchCriteriaId: 
"F44842C9-AC91-400D-BF0D-26E8012BDDCE", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:satellite_capsule:6.8:*:*:*:*:*:*:*", matchCriteriaId: "49E2F8D1-068A-4367-ADE0-32E71D6AA831", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "DAD20C55-1888-477C-923F-B25E8B5CD239", versionEndIncluding: "1.4.2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*", matchCriteriaId: "04BCDC24-4A21-473C-8733-0D9CFB38A752", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.", }, { lang: "es", value: "Se encontró un fallo en Hibernate Validator versión 6.1.2.Final. Un error en el procesador de interpolación de mensajes permite evaluar expresiones EL no válidas como si fueran válidas. 
Este fallo permite a atacantes omitir los controles de saneamiento de entrada (escape, despojo) que los desarrolladores pueden haber implementado cuando manejan datos controlados por el usuario en mensajes de error.", }, ], id: "CVE-2020-10693", lastModified: "2024-11-21T04:55:52.060", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "secalert@redhat.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-05-06T14:15:10.753", references: [ { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10693", }, { source: "secalert@redhat.com", url: 
"https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E", }, { source: "secalert@redhat.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10693", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-20", }, ], source: "secalert@redhat.com", type: "Primary", }, { description: [ { lang: "en", value: "CWE-20", }, ], source: "nvd@nist.gov", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
▼ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | https://access.redhat.com/security/cve/CVE-2023-0044 | Third Party Advisory | |
secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=2158081 | Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/security/cve/CVE-2023-0044 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=2158081 | Issue Tracking, Third Party Advisory |
Vendor | Product | Version | |
---|---|---|---|
quarkus | quarkus | * | |
redhat | build_of_quarkus | - |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "9CDB1115-A9F5-46F0-AB03-BBEFD72FA293", versionEndExcluding: "2.13.7", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:*:*:*:*", matchCriteriaId: "CE29B9D6-63DC-4779-ACE8-4E51E6A0AF37", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature.", }, ], id: "CVE-2023-0044", lastModified: "2024-11-21T07:36:27.050", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-02-23T20:15:12.823", references: [ { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2023-0044", }, { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2158081", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2023-0044", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2158081", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: 
"Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
postgresql | postgresql_jdbc_driver | * | |
quarkus | quarkus | * | |
netapp | steelstore_cloud_integrated_storage | - | |
fedoraproject | fedora | 32 | |
debian | debian_linux | 10.0 | |
debian | debian_linux | 11.0 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:postgresql:postgresql_jdbc_driver:*:*:*:*:*:*:*:*", matchCriteriaId: "C8345E93-0BD6-49FB-A82C-219E72541536", versionEndExcluding: "42.2.13", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "2A9BF484-A446-4315-B748-F4723622C464", versionEndIncluding: "1.5.2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*", matchCriteriaId: "E94F7F59-1785-493F-91A7-5F5EA5E87E4D", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", matchCriteriaId: "36D96259-24BD-44E2-96D9-78CE1D41F956", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", matchCriteriaId: "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", vulnerable: true, }, { criteria: "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", matchCriteriaId: "FA6FEEC2-9F11-4643-8827-749718254FED", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.", }, { lang: "es", value: "PostgreSQL JDBC Driver (también se conoce como PgJDBC) versiones anteriores a 42.2.13, permite un ataque de tipo XXE", }, ], id: "CVE-2020-13692", lastModified: "2024-11-21T05:01:44.940", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8.6, 
impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 5.5, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-06-04T16:15:12.657", references: [ { source: "cve@mitre.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65", }, { source: "cve@mitre.org", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.13", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r00bcc6b2da972e0d6332a4ebc7807e17305d8b8e7fb2ae63d2a3cbfb%40%3Ccommits.camel.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r01ae1b3d981cf2e563e9b5b0a6ea54fb3cac8e9a0512ee5269e3420e%40%3Ccommits.camel.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r0478a1aa9ae0dbd79d8f7b38d0d93fa933ac232e2b430b6f31a103c0%40%3Ccommits.camel.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r1aae77706aab7d89b4fe19be468fc3c73e9cc84ff79cc2c3bd07c05a%40%3Ccommits.camel.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r4bdea189c9991aae7a929d28f575ec46e49ed3d68fa5235825f38a4f%40%3Cnotifications.netbeans.apache.org%3E", }, { source: "cve@mitre.org", url: 
"https://lists.apache.org/thread.html/r631f967db6260d6178740a3314a35d9421facd8212e62320275fa78e%40%3Ccommits.camel.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/r7f6d019839df17646ffd0046a99146cacf40492a6c92078f65fd32e0%40%3Ccommits.camel.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/rb89f92aba44f524d5c270e0c44ca7aec4704691c37fe106cf73ec977%40%3Cnotifications.netbeans.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.apache.org/thread.html/rfe363bf3a46d440ad57fd05c0e313025c7218364bbdc5fd8622ea7ae%40%3Ccommits.camel.apache.org%3E", }, { source: "cve@mitre.org", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCCAPM6FSNOC272DLSNQ6YHXS3OMHGJC/", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20200619-0005/", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2022/dsa-5196", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.13", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r00bcc6b2da972e0d6332a4ebc7807e17305d8b8e7fb2ae63d2a3cbfb%40%3Ccommits.camel.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r01ae1b3d981cf2e563e9b5b0a6ea54fb3cac8e9a0512ee5269e3420e%40%3Ccommits.camel.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r0478a1aa9ae0dbd79d8f7b38d0d93fa933ac232e2b430b6f31a103c0%40%3Ccommits.camel.apache.org%3E", }, { 
source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r1aae77706aab7d89b4fe19be468fc3c73e9cc84ff79cc2c3bd07c05a%40%3Ccommits.camel.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r4bdea189c9991aae7a929d28f575ec46e49ed3d68fa5235825f38a4f%40%3Cnotifications.netbeans.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r631f967db6260d6178740a3314a35d9421facd8212e62320275fa78e%40%3Ccommits.camel.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r7f6d019839df17646ffd0046a99146cacf40492a6c92078f65fd32e0%40%3Ccommits.camel.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rb89f92aba44f524d5c270e0c44ca7aec4704691c37fe106cf73ec977%40%3Cnotifications.netbeans.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rfe363bf3a46d440ad57fd05c0e313025c7218364bbdc5fd8622ea7ae%40%3Ccommits.camel.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCCAPM6FSNOC272DLSNQ6YHXS3OMHGJC/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20200619-0005/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2022/dsa-5196", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-611", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
▼ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714 | Issue Tracking, Vendor Advisory | |
secalert@redhat.com | https://github.com/keycloak/keycloak/pull/7053 | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/keycloak/keycloak/pull/7053 | Patch, Third Party Advisory |
Vendor | Product | Version | |
---|---|---|---|
redhat | keycloak | * | |
redhat | decision_manager | 7.0 | |
redhat | jboss_fuse | 7.0.0 | |
redhat | openshift_application_runtimes | - | |
redhat | process_automation | 7.0 | |
redhat | single_sign-on | 7.0 | |
quarkus | quarkus | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*", matchCriteriaId: "255305D5-BC40-46ED-9937-1904D210885F", versionEndExcluding: "11.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:decision_manager:7.0:*:*:*:*:*:*:*", matchCriteriaId: "68146098-58F8-417E-B165-5182527117C4", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*", matchCriteriaId: "B40CCE4F-EA2C-453D-BB76-6388767E5C6D", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*", matchCriteriaId: "A33441B3-B301-426C-A976-08CE5FE72EFB", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*", matchCriteriaId: "20A6B40D-F991-4712-8E30-5FE008505CB7", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*", matchCriteriaId: "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "DAD20C55-1888-477C-923F-B25E8B5CD239", versionEndIncluding: "1.4.2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.", }, { lang: "es", value: "Se detectó un fallo en Keycloak versiones anteriores a 11.0.0, donde la base de código contiene usos de la función ObjectInputStream sin ningún tipo de comprobaciones. 
Este fallo permite a un atacante inyectar Objetos Java serializados arbitrariamente, que luego se deserializarán en un contexto privilegiado y conlleva potencialmente a una ejecución de código remota.", }, ], id: "CVE-2020-1714", lastModified: "2024-11-21T05:11:13.600", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, exploitabilityScore: 1.6, impactScore: 5.9, source: "secalert@redhat.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-05-13T19:15:11.987", references: [ { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714", }, { source: "secalert@redhat.com", tags: [ "Patch", "Third Party Advisory", ], url: 
"https://github.com/keycloak/keycloak/pull/7053", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/keycloak/keycloak/pull/7053", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-20", }, ], source: "secalert@redhat.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-20", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*", matchCriteriaId: "2C23395F-4438-4B80-9DA6-87E760F7459A", versionEndExcluding: "2.6.7.4", versionStartIncluding: "2.6.0", vulnerable: true, }, { criteria: "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*", matchCriteriaId: "7703D07D-5784-47D1-9391-D376A24D7C5A", versionEndExcluding: "2.9.10.7", versionStartIncluding: "2.9.0", vulnerable: true, }, { criteria: "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*", matchCriteriaId: "28C07803-813B-4AAC-9C08-9EB83756F16B", versionEndExcluding: "2.10.5.1", versionStartIncluding: "2.10.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:oncommand_api_services:-:*:*:*:*:*:*:*", matchCriteriaId: "5EC98B22-FFAA-4B59-8E63-EBAA4336AD13", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", matchCriteriaId: "5735E553-9731-4AAC-BCFF-989377F817B3", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:service_level_manager:-:*:*:*:*:*:*:*", matchCriteriaId: "7081652A-D28B-494E-94EF-CA88117F23EE", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", matchCriteriaId: "36D96259-24BD-44E2-96D9-78CE1D41F956", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "ADFFB9C4-DE43-4ADC-B1C7-6F034741D9C3", versionEndIncluding: "1.6.1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:iotdb:*:*:*:*:*:*:*:*", matchCriteriaId: "8C798AD5-AAF5-4044-B348-336F4CFA86CF", versionEndExcluding: "0.12.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: 
"cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*", matchCriteriaId: "C650FEDB-E903-4C2D-AD40-282AB5F2E3C2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:agile_product_lifecycle_management_integration_pack:3.6:*:*:*:*:e-business_suite:*:*", matchCriteriaId: "5B62CB3B-FDDF-4AFF-A47E-6ADE6504D451", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_apis:*:*:*:*:*:*:*:*", matchCriteriaId: "6DF2D056-3118-4C31-BEDD-69F016898CBB", versionEndIncluding: "18.3", versionStartIncluding: "18.1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_apis:19.1:*:*:*:*:*:*:*", matchCriteriaId: "CF34B11F-3DE1-4C22-8EB1-AEE5CE5E4172", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_apis:19.2:*:*:*:*:*:*:*", matchCriteriaId: "86F03B63-F922-45CD-A7D1-326DB0042875", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:*", matchCriteriaId: "7CBFC93F-8B39-45A2-981C-59B187169BD4", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:*", matchCriteriaId: "0843465C-F940-4FFC-998D-9A2668B75EA0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*", matchCriteriaId: "132CE62A-FBFC-4001-81EC-35D81F73AF48", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*", matchCriteriaId: "282150FF-C945-4A3E-8A80-E8757A8907EA", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*", matchCriteriaId: "645AA3D1-C8B5-4CD2-8ACE-31541FA267F0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_platform:2.8.0:*:*:*:*:*:*:*", matchCriteriaId: "FBCE22C0-4253-40A5-89AE-499A3BC9EFF3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*", matchCriteriaId: "AB9FC9AB-1070-420F-870E-A5EC43A924A4", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_platform:2.10.0:*:*:*:*:*:*:*", matchCriteriaId: "3C5C28ED-C5AA-40B9-9B26-6A91D20B3E1A", vulnerable: true, }, { criteria: 
"cpe:2.3:a:oracle:banking_treasury_management:4.4:*:*:*:*:*:*:*", matchCriteriaId: "180F3D2A-7E7A-4DE9-9792-942CB3D6B51E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*", matchCriteriaId: "D0DBC938-A782-433F-8BF1-CA250C332AA7", versionEndExcluding: "21.1.2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:coherence:12.2.1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "2FF57C7A-92C9-4D71-A7B1-CC9DEFAA8193", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:*", matchCriteriaId: "5FA64A1D-34F9-4441-857A-25C165E6DBB6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:commerce_platform:*:*:*:*:*:*:*:*", matchCriteriaId: "F012E976-E219-46C2-8177-60ED859594BE", versionEndIncluding: "11.3.2", versionStartIncluding: "11.3.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:commerce_platform:11.2.0:*:*:*:*:*:*:*", matchCriteriaId: "21BEF2FC-89B8-4D97-BB3A-C1ECA19D03B5", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5.0.23.0:*:*:*:*:*:*:*", matchCriteriaId: "790A89FD-6B86-49AE-9B4F-AE7262915E13", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*", matchCriteriaId: "E39D442D-1997-49AF-8B02-5640BE2A26CC", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "AB1BC31C-6016-42A8-9517-2FBBC92620CC", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_convergent_charging_controller:12.0.4.0.0:*:*:*:*:*:*:*", matchCriteriaId: "4012B512-DB7D-476A-93A6-51054DD6E3D0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*", matchCriteriaId: "987811D5-DA5E-493D-8709-F9231A84E5F9", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:*:*:*:*:*:*:*", matchCriteriaId: 
"C4A94B36-479F-48F2-9B9E-ACEA2589EF48", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_interactive_session_recorder:6.3:*:*:*:*:*:*:*", matchCriteriaId: "46E23F2E-6733-45AF-9BD9-1A600BD278C8", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*", matchCriteriaId: "E812639B-EE28-4C68-9F6F-70C8BF981C86", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_network_charging_and_control:12.0.4.0.0:*:*:*:*:*:*:*", matchCriteriaId: "28AD22B9-A037-419C-8D72-8B062E6882FE", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3:*:*:*:*:*:*:*", matchCriteriaId: "A23B00C1-878A-4B55-B87B-EFFFA6A5E622", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.4.0:*:*:*:*:*:*:*", matchCriteriaId: "A28F42F0-FBDA-4574-AD30-7A04F27FEA3E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*", matchCriteriaId: "062E4E7C-55BB-46F3-8B61-5A663B565891", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*", matchCriteriaId: "A7637F8B-15F1-42E2-BE18-E1FF7C66587D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:goldengate_application_adapters:19.1.0.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E7BE0590-31BD-4FCD-B50E-A5F86196F99E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:health_sciences_empirica_signal:9.0:*:*:*:*:*:*:*", matchCriteriaId: "2051BA9E-E635-47D5-B942-8AC26E9487CB", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:health_sciences_empirica_signal:9.1:*:*:*:*:*:*:*", matchCriteriaId: "9EA81FC1-63E1-479F-941C-930351E43010", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_policy_administration:*:*:*:*:*:*:*:*", matchCriteriaId: "1DDB3D8B-1D04-4345-BB27-723186719CBD", versionEndIncluding: "11.3.0", versionStartIncluding: "11.1.0", vulnerable: true, }, { criteria: 
"cpe:2.3:a:oracle:insurance_policy_administration:11.0.2:*:*:*:*:*:*:*", matchCriteriaId: "0F89EC4B-6D34-40F0-B7C6-C03D03F81C13", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_rules_palette:*:*:*:*:*:*:*:*", matchCriteriaId: "5DEAB5CD-4223-4A43-AB9E-486113827A6C", versionEndIncluding: "11.3.0", versionStartIncluding: "11.1.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:*:*:*:*:*:*:*", matchCriteriaId: "F3E25293-CB03-44CE-A8ED-04B3A0487A6A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:*", matchCriteriaId: "A0A366B8-1B5C-4C9E-A761-1AB1547D7404", versionEndExcluding: "9.2.5.3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*", matchCriteriaId: "4BCA7DD9-8599-4E43-9D82-999BE15483B9", versionEndExcluding: "9.2.5.3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", matchCriteriaId: "6951D244-845C-4BF2-AC75-F226B0C39C77", versionEndIncluding: "17.12", versionStartIncluding: "17.7", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", matchCriteriaId: "8B1C88FD-C2EC-4C96-AC7E-6F95C8763B48", versionEndIncluding: "17.12.11", versionStartIncluding: "17.12.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", matchCriteriaId: "53E2276C-9515-46F6-A621-213A3047B9A6", versionEndIncluding: "18.8.11", versionStartIncluding: "18.8.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", matchCriteriaId: "3EF7E2B4-B741-41E9-8EF6-6C415AB9EF54", versionEndIncluding: "19.12.10", versionStartIncluding: "19.12.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_gateway:20.12.0:*:*:*:*:*:*:*", matchCriteriaId: "4A932C79-8646-4023-9C12-9C7A2A6840EC", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_service_backbone:14.1.3.2:*:*:*:*:*:*:*", matchCriteriaId: 
"E702EBED-DB39-4084-84B1-258BC5FE7545", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_service_backbone:15.0.3.1:*:*:*:*:*:*:*", matchCriteriaId: "3F7956BF-D5B6-484B-999C-36B45CD8B75B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_service_backbone:16.0.3:*:*:*:*:*:*:*", matchCriteriaId: "DEE71EA5-B315-4F1E-BFEE-EC426B562F7E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*", matchCriteriaId: "490B2C44-CECD-4551-B04F-4076D0E053C7", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*", matchCriteriaId: "DEC41EB8-73B4-4BDF-9321-F34EC0BAF9E6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*", matchCriteriaId: "48EFC111-B01B-4C34-87E4-D6B2C40C0122", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*", matchCriteriaId: "073FEA23-E46A-4C73-9D29-95CFF4F5A59D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:*", matchCriteriaId: "A69FB468-EAF3-4E67-95E7-DF92C281C1F1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:*", matchCriteriaId: "77E39D5C-5EFA-4FEB-909E-0A92004F2563", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:utilities_framework:4.3.0.5.0:*:*:*:*:*:*:*", matchCriteriaId: "A5BBA303-8D2B-48C5-B52A-4E192166699C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0:*:*:*:*:*:*:*", matchCriteriaId: "8DF02546-3F0D-4FDD-89B1-8A3FE43FB5BF", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*", matchCriteriaId: "3F906F04-39E4-4BE4-8A73-9D058AAADB43", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*", matchCriteriaId: "7B393A82-476A-4270-A903-38ED4169E431", vulnerable: true, }, { criteria: 
"cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:*:*:*:*:*:*:*", matchCriteriaId: "85CAE52B-C2CA-4C6B-A0B7-2B9D6F0499E2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "D6A4F71A-4269-40FC-8F61-1D1301F2B728", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "5A502118-5B2B-47AE-82EC-1999BD841103", vulnerable: true, }, { criteria: "cpe:2.3:o:oracle:communications_messaging_server:8.0.2:*:*:*:*:*:*:*", matchCriteriaId: "E819270D-AA7D-4B0E-990B-D25AB6E46FBC", vulnerable: true, }, { criteria: "cpe:2.3:o:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*", matchCriteriaId: "7569C0BD-16C1-441E-BAEB-840C94BE73EF", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.", }, { lang: "es", value: "Se encontró un fallo en FasterXML Jackson Databind, donde no tenía la expansión de entidad asegurada apropiadamente. Este fallo permite una vulnerabilidad a ataques de tipo XML external entity (XXE). 
La mayor amenaza de esta vulnerabilidad es la integridad de los datos", }, ], id: "CVE-2020-25649", lastModified: "2024-11-21T05:18:20.343", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-12-03T17:15:12.503", references: [ { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1887664", }, { source: "secalert@redhat.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/FasterXML/jackson-databind/issues/2589", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r011d1430e8f40dff9550c3bc5d0f48b14c01ba8aecabd91d5e495386%40%3Ccommits.turbine.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r024b7bda9c43c5560d81238748775c5ecfe01b57280f90df1f773949%40%3Cissues.hive.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r04529cedaca40c2ff90af4880493f9c88a8ebf4d1d6c861d23108a5a%40%3Cnotifications.zookeeper.apache.org%3E", }, { 
source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r0881e23bd9034c8f51fdccdc8f4d085ba985dcd738f8520569ca5c3d%40%3Cissues.hive.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r0b8dc3acd4503e4ecb6fbd6ea7d95f59941168d8452ac0ab1d1d96bb%40%3Cissues.zookeeper.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r1b7ed0c4b6c4301d4dfd6fdbc5581b0a789d3240cab55d766f33c6c6%40%3Cjira.kafka.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r2882fc1f3032cd7be66e28787f04ec6f1874ac68d47e310e30ff7eb1%40%3Cjira.kafka.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r2b6ddb3a4f4cd11d8f6305011e1b7438ba813511f2e3ab3180c7ffda%40%3Ccommits.druid.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r2eb66c182853c69ecfb52f63d3dec09495e9b65be829fd889a081ae1%40%3Cdev.hive.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r2f5c5479f99398ef344b7ebd4d90bc3316236c45d0f3bc42090efcd7%40%3Cissues.hive.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r31f4ee7d561d56a0c2c2c6eb1d6ce3e05917ff9654fdbfec05dc2b83%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r3e6ae311842de4e64c5d560a475b7f9cc7e0a9a8649363c6cf7537eb%40%3Ccommits.karaf.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r407538adec3185dd35a05c9a26ae2f74425b15132470cf540f41d85b%40%3Cissues.hive.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r45e7350dfc92bb192f3f88e9971c11ab2be0953cc375be3dda5170bd%40%3Cissues.flink.apache.org%3E", }, { source: "secalert@redhat.com", url: 
"https://lists.apache.org/thread.html/r5b130fe668503c4b7e2caf1b16f86b7f2070fd1b7ef8f26195a2ffbd%40%3Cissues.hive.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r5f8a1608d758936bd6bbc5eed980777437b611537bf6fff40663fc71%40%3Cjira.kafka.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r605764e05e201db33b3e9c2e66ff620658f07ad74f296abe483f7042%40%3Creviews.iotdb.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r63c87aab97155f3f3cbe11d030c4a184ea0de440ee714977db02e956%40%3Cjira.kafka.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r68d029ee74ab0f3b0569d0c05f5688cb45dd3abe96a6534735252805%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r6a4f3ef6edfed2e0884269d84798f766779bbbc1005f7884e0800d61%40%3Cdev.knox.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r6a6df5647583541e3cb71c75141008802f7025cee1c430d4ed78f4cc%40%3Cissues.hive.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304%40%3Cdev.kafka.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304%40%3Cusers.kafka.apache.org%3E", }, { source: "secalert@redhat.com", url: 
"https://lists.apache.org/thread.html/r6cbd599b80e787f02ff7a1391d9278a03f37d6a6f4f943f0f01a62fb%40%3Creviews.iotdb.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r6e3d4f7991542119a4ca6330271d7fbf7b9fb3abab24ada82ddf1ee4%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r73bef1bb601a9f093f915f8075eb49fcca51efade57b817afd5def07%40%3Ccommits.iotdb.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r765283e145049df9b8998f14dcd444345555aae02b1610cfb3188bf8%40%3Cnotifications.iotdb.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r78d53a0a269c18394daf5940105dc8c7f9a2399503c2e78be20abe7e%40%3Cjira.kafka.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r7cb5b4b3e4bd41a8042e5725b7285877a17bcbf07f4eb3f7b316af60%40%3Creviews.iotdb.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r86c78bf7656fdb2dab69cbf17f3d7492300f771025f1a3a65d5e5ce5%40%3Ccommits.zookeeper.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r8764bb835bcb8e311c882ff91dd3949c9824e905e880930be56f6ba3%40%3Cuser.spark.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080%40%3Cdev.kafka.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080%40%3Cusers.kafka.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r8ae961c80930e2717c75025414ce48a432cea1137c02f648b1fb9524%40%3Cissues.hive.apache.org%3E", }, { source: "secalert@redhat.com", url: 
"https://lists.apache.org/thread.html/r900d4408c4189b376d1ec580ea7740ea6f8710dc2f0b7e9c9eeb5ae0%40%3Cdev.zookeeper.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r90d1e97b0a743cf697d89a792a9b669909cc5a1692d1e0083a22e66c%40%3Cissues.zookeeper.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r91722ecfba688b0c565675f8bf380269fde8ec62b54d6161db544c22%40%3Ccommits.karaf.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r94c7e86e546120f157264ba5ba61fd29b3a8d530ed325a9b4fa334d7%40%3Ccommits.zookeeper.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r95a297eb5fd1f2d3a2281f15340e2413f952e9d5503296c3adc7201a%40%3Ccommits.tomee.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r98bfe3b90ea9408f12c4b447edcb5638703d80bc782430aa0c210a54%40%3Cissues.zookeeper.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/ra1157e57a01d25e36b0dc17959ace758fc21ba36746de29ba1d8b130%40%3Cjira.kafka.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/ra409f798a1e5a6652b7097429b388650ccd65fd958cee0b6f69bba00%40%3Cissues.hive.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/ra95faf968f3463acb3f31a6fbec31453fc5045325f99f396961886d3%40%3Cissues.flink.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/raf13235de6df1d47a717199e1ecd700dff3236632f5c9a1488d9845b%40%3Cjira.kafka.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/rb674520b9f6c808c1bf263b1369e14048ec3243615f35cfd24e33604%40%3Cissues.zookeeper.apache.org%3E", }, { source: "secalert@redhat.com", url: 
"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/rc15e90bbef196a5c6c01659e015249d6c9a73581ca9afb8aeecf00d2%40%3Cjira.kafka.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/rc82ff47853289e9cd17f5cfbb053c04cafc75ee32e3d7223963f83bb%40%3Cdev.knox.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/rc88f2fa2b7bd6443921727aeee7704a1fb02433e722e2abf677e0d3d%40%3Ccommits.zookeeper.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/rc959cdb57c4fe198316130ff4a5ecbf9d680e356032ff2e9f4f05d54%40%3Cjira.kafka.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/rd317f15a675d114dbf5b488d27eeb2467b4424356b16116eb18a652d%40%3Cjira.kafka.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/rd57c7582adc90e233f23f3727db3df9115b27a823b92374f11453f34%40%3Cissues.hive.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/rd6f6bf848c2d47fa4a85c27d011d948778b8f7e58ba495968435a0b3%40%3Cissues.zookeeper.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/rdca8711bb7aa5d47a44682606cd0ea3497e2e922f22b7ee83e81e6c1%40%3Cissues.hive.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/rdf9a34726482222c90d50ae1b9847881de67dde8cfde4999633d2cdc%40%3Ccommits.zookeeper.apache.org%3E", }, { source: "secalert@redhat.com", url: 
"https://lists.apache.org/thread.html/re16f81d3ad49a93dd2f0cba9f8fc88e5fb89f30bf9a2ad7b6f3e69c1%40%3Ccommits.karaf.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/re96dc7a13e13e56190a5d80f9e5440a0d0c83aeec6467b562fbf2dca%40%3Cjira.kafka.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/rf1809a1374041a969d77afab21fc38925de066bc97e86157d3ac3402%40%3Ccommits.karaf.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6X2UT4X6M7DLQYBOOHMXBWGYJ65RL2CT/", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20210108-0007/", }, { source: "secalert@redhat.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { source: "secalert@redhat.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { source: "secalert@redhat.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { source: "secalert@redhat.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { source: "secalert@redhat.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { source: "secalert@redhat.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1887664", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/FasterXML/jackson-databind/issues/2589", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r011d1430e8f40dff9550c3bc5d0f48b14c01ba8aecabd91d5e495386%40%3Ccommits.turbine.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r024b7bda9c43c5560d81238748775c5ecfe01b57280f90df1f773949%40%3Cissues.hive.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r04529cedaca40c2ff90af4880493f9c88a8ebf4d1d6c861d23108a5a%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r0881e23bd9034c8f51fdccdc8f4d085ba985dcd738f8520569ca5c3d%40%3Cissues.hive.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r0b8dc3acd4503e4ecb6fbd6ea7d95f59941168d8452ac0ab1d1d96bb%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r1b7ed0c4b6c4301d4dfd6fdbc5581b0a789d3240cab55d766f33c6c6%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r2882fc1f3032cd7be66e28787f04ec6f1874ac68d47e310e30ff7eb1%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r2b6ddb3a4f4cd11d8f6305011e1b7438ba813511f2e3ab3180c7ffda%40%3Ccommits.druid.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r2eb66c182853c69ecfb52f63d3dec09495e9b65be829fd889a081ae1%40%3Cdev.hive.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r2f5c5479f99398ef344b7ebd4d90bc3316236c45d0f3bc42090efcd7%40%3Cissues.hive.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/r31f4ee7d561d56a0c2c2c6eb1d6ce3e05917ff9654fdbfec05dc2b83%40%3Ccommits.servicecomb.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r3e6ae311842de4e64c5d560a475b7f9cc7e0a9a8649363c6cf7537eb%40%3Ccommits.karaf.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r407538adec3185dd35a05c9a26ae2f74425b15132470cf540f41d85b%40%3Cissues.hive.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r45e7350dfc92bb192f3f88e9971c11ab2be0953cc375be3dda5170bd%40%3Cissues.flink.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r5b130fe668503c4b7e2caf1b16f86b7f2070fd1b7ef8f26195a2ffbd%40%3Cissues.hive.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r5f8a1608d758936bd6bbc5eed980777437b611537bf6fff40663fc71%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r605764e05e201db33b3e9c2e66ff620658f07ad74f296abe483f7042%40%3Creviews.iotdb.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r63c87aab97155f3f3cbe11d030c4a184ea0de440ee714977db02e956%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/r68d029ee74ab0f3b0569d0c05f5688cb45dd3abe96a6534735252805%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r6a4f3ef6edfed2e0884269d84798f766779bbbc1005f7884e0800d61%40%3Cdev.knox.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r6a6df5647583541e3cb71c75141008802f7025cee1c430d4ed78f4cc%40%3Cissues.hive.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304%40%3Cdev.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304%40%3Cusers.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r6cbd599b80e787f02ff7a1391d9278a03f37d6a6f4f943f0f01a62fb%40%3Creviews.iotdb.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r6e3d4f7991542119a4ca6330271d7fbf7b9fb3abab24ada82ddf1ee4%40%3Cnotifications.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r73bef1bb601a9f093f915f8075eb49fcca51efade57b817afd5def07%40%3Ccommits.iotdb.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r765283e145049df9b8998f14dcd444345555aae02b1610cfb3188bf8%40%3Cnotifications.iotdb.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r78d53a0a269c18394daf5940105dc8c7f9a2399503c2e78be20abe7e%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/r7cb5b4b3e4bd41a8042e5725b7285877a17bcbf07f4eb3f7b316af60%40%3Creviews.iotdb.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r86c78bf7656fdb2dab69cbf17f3d7492300f771025f1a3a65d5e5ce5%40%3Ccommits.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r8764bb835bcb8e311c882ff91dd3949c9824e905e880930be56f6ba3%40%3Cuser.spark.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080%40%3Cdev.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080%40%3Cusers.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r8ae961c80930e2717c75025414ce48a432cea1137c02f648b1fb9524%40%3Cissues.hive.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r900d4408c4189b376d1ec580ea7740ea6f8710dc2f0b7e9c9eeb5ae0%40%3Cdev.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r90d1e97b0a743cf697d89a792a9b669909cc5a1692d1e0083a22e66c%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r91722ecfba688b0c565675f8bf380269fde8ec62b54d6161db544c22%40%3Ccommits.karaf.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r94c7e86e546120f157264ba5ba61fd29b3a8d530ed325a9b4fa334d7%40%3Ccommits.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/r95a297eb5fd1f2d3a2281f15340e2413f952e9d5503296c3adc7201a%40%3Ccommits.tomee.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r98bfe3b90ea9408f12c4b447edcb5638703d80bc782430aa0c210a54%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/ra1157e57a01d25e36b0dc17959ace758fc21ba36746de29ba1d8b130%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/ra409f798a1e5a6652b7097429b388650ccd65fd958cee0b6f69bba00%40%3Cissues.hive.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/ra95faf968f3463acb3f31a6fbec31453fc5045325f99f396961886d3%40%3Cissues.flink.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/raf13235de6df1d47a717199e1ecd700dff3236632f5c9a1488d9845b%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rb674520b9f6c808c1bf263b1369e14048ec3243615f35cfd24e33604%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rc15e90bbef196a5c6c01659e015249d6c9a73581ca9afb8aeecf00d2%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/rc82ff47853289e9cd17f5cfbb053c04cafc75ee32e3d7223963f83bb%40%3Cdev.knox.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rc88f2fa2b7bd6443921727aeee7704a1fb02433e722e2abf677e0d3d%40%3Ccommits.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rc959cdb57c4fe198316130ff4a5ecbf9d680e356032ff2e9f4f05d54%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rd317f15a675d114dbf5b488d27eeb2467b4424356b16116eb18a652d%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rd57c7582adc90e233f23f3727db3df9115b27a823b92374f11453f34%40%3Cissues.hive.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rd6f6bf848c2d47fa4a85c27d011d948778b8f7e58ba495968435a0b3%40%3Cissues.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rdca8711bb7aa5d47a44682606cd0ea3497e2e922f22b7ee83e81e6c1%40%3Cissues.hive.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rdf9a34726482222c90d50ae1b9847881de67dde8cfde4999633d2cdc%40%3Ccommits.zookeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/re16f81d3ad49a93dd2f0cba9f8fc88e5fb89f30bf9a2ad7b6f3e69c1%40%3Ccommits.karaf.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/re96dc7a13e13e56190a5d80f9e5440a0d0c83aeec6467b562fbf2dca%40%3Cjira.kafka.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/rf1809a1374041a969d77afab21fc38925de066bc97e86157d3ac3402%40%3Ccommits.karaf.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6X2UT4X6M7DLQYBOOHMXBWGYJ65RL2CT/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20210108-0007/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-611", }, ], source: "secalert@redhat.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-611", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "6B27FE57-901A-496C-B2C1-F647C91E7B51", versionEndExcluding: "2.13.9", vulnerable: true, }, { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "BDE831ED-C431-4CCF-AB2D-67BBC88FAE4D", versionEndExcluding: "3.2.9", versionStartIncluding: "3.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:quarkus:quarkus:2.13.9:-:*:*:*:*:*:*", matchCriteriaId: "AF6EB005-F254-47A9-B963-E1AD508F55FB", vulnerable: true, }, { criteria: "cpe:2.3:a:quarkus:quarkus:3.2.9:-:*:*:*:*:*:*", matchCriteriaId: "DCA0123C-E209-4037-A021-A3B95305A453", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied. This does not happen with configuration based security.", }, { lang: "es", value: "Se encontró un fallo en el payload json. Si se utiliza seguridad basada en anotaciones para proteger un recurso REST, el cuerpo JSON que el recurso puede consumir se procesa (deserializa) antes de que se evalúen y apliquen las restricciones de seguridad. 
Esto no sucede con la seguridad basada en configuración.", }, ], id: "CVE-2023-6267", lastModified: "2024-12-04T08:15:05.740", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.6, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 4.7, source: "secalert@redhat.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-01-25T19:15:08.260", references: [ { source: "secalert@redhat.com", url: "https://access.redhat.com/errata/RHSA-2024:0494", }, { source: "secalert@redhat.com", url: "https://access.redhat.com/errata/RHSA-2024:0495", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2023-6267", }, { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2251155", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://access.redhat.com/errata/RHSA-2024:0494", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://access.redhat.com/errata/RHSA-2024:0495", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2023-6267", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Vendor Advisory", ], url: 
"https://bugzilla.redhat.com/show_bug.cgi?id=2251155", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-755", }, ], source: "secalert@redhat.com", type: "Primary", }, { description: [ { lang: "en", value: "CWE-755", }, ], source: "nvd@nist.gov", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Source | URL | Tags | |
---|---|---|---|
emo@eclipse.org | https://github.com/eclipse-ee4j/el-ri/issues/155 | Exploit, Issue Tracking, Third Party Advisory | |
emo@eclipse.org | https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/ | Exploit, Third Party Advisory | |
emo@eclipse.org | https://www.oracle.com/security-alerts/cpuapr2022.html | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/eclipse-ee4j/el-ri/issues/155 | Exploit, Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/ | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpuapr2022.html | Patch, Third Party Advisory |
Vendor | Product | Version | |
---|---|---|---|
eclipse | jakarta_expression_language | * | |
quarkus | quarkus | * | |
oracle | communications_cloud_native_core_policy | 1.14.0 | |
oracle | weblogic_server | 14.1.1.0.0 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:eclipse:jakarta_expression_language:*:*:*:*:*:*:*:*", matchCriteriaId: "9D4D9319-3396-43B2-8466-D9C40E2D4680", versionEndIncluding: "3.0.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "BB0158D3-CF4B-4355-8F33-D57BFC1C0398", versionEndExcluding: "2.3.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*", matchCriteriaId: "4479F76A-4B67-41CC-98C7-C76B81050F8E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*", matchCriteriaId: "04BCDC24-4A21-473C-8733-0D9CFB38A752", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.", }, { lang: "es", value: "En la implementación de Jakarta Expression Language versiones 3.0.3 y anteriores, un bug en la función ELParserTokenManager permite que las expresiones EL no válidas sean evaluadas como si fueran válidas", }, ], id: "CVE-2021-28170", lastModified: "2024-11-21T05:59:14.993", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { 
attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-05-26T22:15:07.980", references: [ { source: "emo@eclipse.org", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/eclipse-ee4j/el-ri/issues/155", }, { source: "emo@eclipse.org", tags: [ "Exploit", "Third Party Advisory", ], url: "https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/", }, { source: "emo@eclipse.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/eclipse-ee4j/el-ri/issues/155", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, ], sourceIdentifier: "emo@eclipse.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-20", }, ], source: "emo@eclipse.org", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-917", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Source | URL | Tags | |
---|---|---|---|
secalert@redhat.com | https://access.redhat.com/security/cve/CVE-2022-4147 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/security/cve/CVE-2022-4147 | Vendor Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "258F3A5C-C12A-4F88-9F60-EF293D9C00DA", versionEndExcluding: "2.13.5", versionStartIncluding: "2.0", vulnerable: true, }, { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "90C2280D-5F0E-4E86-BA5B-0121A284B836", versionEndExcluding: "2.14.2", versionStartIncluding: "2.14.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Quarkus CORS filter allows simple GET and POST requests with invalid Origin to proceed. Simple GET or POST requests made with XMLHttpRequest are the ones which have no event listeners registered on the object returned by the XMLHttpRequest upload property and have no ReadableStream object used in the request.", }, { lang: "es", value: "El filtro Quarkus CORS permite que continúen solicitudes GET y POST simples con origen no válido. Las solicitudes GET o POST simples realizadas con XMLHttpRequest son aquellas que no tienen detectores de eventos registrados en el objeto devuelto por la propiedad de carga XMLHttpRequest y no tienen ningún objeto ReadableStream utilizado en la solicitud.", }, ], id: "CVE-2022-4147", lastModified: "2025-04-14T18:15:25.110", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 1.6, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", 
userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 1.6, impactScore: 5.9, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2022-12-06T19:15:10.613", references: [ { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2022-4147", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2022-4147", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-1026", }, ], source: "secalert@redhat.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*", matchCriteriaId: "FF41DE29-2A17-4085-9F00-811E461E36EC", versionEndExcluding: "4.1.68", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:banking_apis:*:*:*:*:*:*:*:*", matchCriteriaId: "6DF2D056-3118-4C31-BEDD-69F016898CBB", versionEndIncluding: "18.3", versionStartIncluding: "18.1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_apis:19.1:*:*:*:*:*:*:*", matchCriteriaId: "CF34B11F-3DE1-4C22-8EB1-AEE5CE5E4172", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_apis:19.2:*:*:*:*:*:*:*", matchCriteriaId: "86F03B63-F922-45CD-A7D1-326DB0042875", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:*", matchCriteriaId: "7CBFC93F-8B39-45A2-981C-59B187169BD4", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:*", matchCriteriaId: "0843465C-F940-4FFC-998D-9A2668B75EA0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*", matchCriteriaId: "BBE7BF09-B89C-4590-821E-6C0587E096B5", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*", matchCriteriaId: "ADAE8A71-0BCD-42D5-B38C-9B2A27CC1E6B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*", matchCriteriaId: "E7231D2D-4092-44F3-B60A-D7C9ED78AFDF", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*", matchCriteriaId: "F7BDFC10-45A0-46D8-AB92-4A5E2C1C76ED", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*", matchCriteriaId: "18127694-109C-4E7E-AE79-0BA351849291", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*", matchCriteriaId: "33F68878-BC19-4DB8-8A72-BD9FE3D0ACEC", vulnerable: true, }, { criteria: 
"cpe:2.3:a:oracle:banking_digital_experience:21.1:*:*:*:*:*:*:*", matchCriteriaId: "0D6895A6-511A-4DC6-9F9B-58E05B86BDB1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*", matchCriteriaId: "2A3622F5-5976-4BBC-A147-FC8A6431EA79", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:*:*:*:*:*:*:*:*", matchCriteriaId: "6894D860-000E-439D-8AB7-07E9B2ACC31B", versionEndExcluding: "12.0.0.4.6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.5.0:*:*:*:*:*:*:*", matchCriteriaId: "FD66C717-85E0-40E7-A51F-549C8196D557", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.10.0:*:*:*:*:*:*:*", matchCriteriaId: "B6B6FE82-7BFA-481D-99D6-789B146CA18B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*", matchCriteriaId: "590ADE5F-0D0F-4576-8BA6-828758823442", versionEndIncluding: "8.5.0.2", versionStartIncluding: "8.0.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*", matchCriteriaId: "7E1E416B-920B-49A0-9523-382898C2979D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", matchCriteriaId: "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*", matchCriteriaId: "C8AF00C6-B97F-414D-A8DF-057E6BFD8597", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "D6A4F71A-4269-40FC-8F61-1D1301F2B728", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "5A502118-5B2B-47AE-82EC-1999BD841103", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: 
"cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "6677F86F-5933-460E-B978-23A4C1407CB0", versionEndExcluding: "2.2.4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", matchCriteriaId: "F1BE6C1F-2565-4E97-92AA-16563E5660A5", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", matchCriteriaId: "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", vulnerable: true, }, { criteria: "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", matchCriteriaId: "FA6FEEC2-9F11-4643-8827-749718254FED", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.", }, { lang: "es", value: "La función Snappy frame decoder no restringe la longitud de los trozos, lo que puede conllevar a un uso excesivo de memoria. Además, también puede almacenar en el búfer trozos omitibles reservados hasta que se reciba el trozo completo, lo que también puede conllevar a un uso excesivo de memoria. 
Esta vulnerabilidad puede desencadenarse al suministrar una entrada maliciosa que se descomprime a un tamaño muy grande (por medio de un flujo de red o un archivo) o mediante el envío de un trozo omitido enorme", }, ], id: "CVE-2021-37137", lastModified: "2024-11-21T06:14:43.073", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-10-19T15:15:07.757", references: [ { source: "reefs@jfrog.com", tags: [ "Third Party Advisory", ], url: "https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363", }, { source: "reefs@jfrog.com", url: "https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3Ccommits.druid.apache.org%3E", }, { source: "reefs@jfrog.com", url: "https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb%40%3Ccommits.druid.apache.org%3E", }, { source: "reefs@jfrog.com", url: "https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04%40%3Ccommits.druid.apache.org%3E", }, { source: "reefs@jfrog.com", url: 
"https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E", }, { source: "reefs@jfrog.com", url: "https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16%40%3Ccommits.druid.apache.org%3E", }, { source: "reefs@jfrog.com", url: "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e%40%3Cdev.tinkerpop.apache.org%3E", }, { source: "reefs@jfrog.com", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html", }, { source: "reefs@jfrog.com", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220210-0012/", }, { source: "reefs@jfrog.com", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2023/dsa-5316", }, { source: "reefs@jfrog.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { source: "reefs@jfrog.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { source: "reefs@jfrog.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3Ccommits.druid.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb%40%3Ccommits.druid.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: 
"https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04%40%3Ccommits.druid.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16%40%3Ccommits.druid.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e%40%3Cdev.tinkerpop.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220210-0012/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2023/dsa-5316", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, ], sourceIdentifier: "reefs@jfrog.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-400", }, ], source: "reefs@jfrog.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-400", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
▼ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25633 | Issue Tracking, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25633 | Issue Tracking, Vendor Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:resteasy:*:*:*:*:*:*:*:*", matchCriteriaId: "27485916-36BB-4E37-BA15-97F6B349AE76", versionEndExcluding: "3.14.0", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:resteasy:*:*:*:*:*:*:*:*", matchCriteriaId: "9E5E7D12-6900-4E56-BA10-EE19CF8BD9C3", versionEndIncluding: "4.5.6", versionStartIncluding: "4.5.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "9495583C-505E-4AAB-BE79-1EBAC1DB247B", versionEndIncluding: "1.11.6", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. It may allow client users to obtain the server's potentially sensitive information when the server got WebApplicationException from the RESTEasy client call. The highest threat from this vulnerability is to data confidentiality.", }, { lang: "es", value: "Se encontró un fallo en el cliente RESTEasy en todas las versiones de RESTEasy hasta 4.5.6.Final. Puede permitir a usuarios del cliente obtener información potencialmente confidencial del servidor cuando el servidor obtuvo una WebApplicationException de la llamada del cliente RESTEasy. 
La mayor amenaza de esta vulnerabilidad es la confidencialidad de los datos", }, ], id: "CVE-2020-25633", lastModified: "2024-11-21T05:18:17.520", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "secalert@redhat.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-09-18T19:15:16.340", references: [ { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25633", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25633", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: 
"Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-209", }, ], source: "secalert@redhat.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-209", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
▼ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | https://github.com/quarkusio/quarkus/issues/26748 | Exploit, Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/quarkusio/quarkus/issues/26748 | Exploit, Issue Tracking, Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "10673B6C-4242-4C0A-9CC2-888ACF185D66", versionEndExcluding: "2.10.4", versionStartIncluding: "2.10.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "It was found that Quarkus 2.10.x does not terminate the HTTP request header context, which may lead to unpredictable behavior.", }, { lang: "es", value: "Se ha detectado que Quarkus versión 2.10.x no termina el contexto del encabezado de las peticiones HTTP, lo que puede conllevar a un comportamiento imprevisible", }, ], id: "CVE-2022-2466", lastModified: "2024-11-21T07:01:02.833", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-08-31T16:15:10.943", references: [ { source: "secalert@redhat.com", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/quarkusio/quarkus/issues/26748", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/quarkusio/quarkus/issues/26748", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-444", }, ], source: "secalert@redhat.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-444", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
▼ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | https://access.redhat.com/security/cve/CVE-2022-4116 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/security/cve/CVE-2022-4116 | Vendor Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:*:*:*:*", matchCriteriaId: "CE29B9D6-63DC-4779-ACE8-4E51E6A0AF37", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "DCB3AE2B-D316-41BD-B3C5-BEBA5D6F37AC", versionEndExcluding: "2.13.5", vulnerable: true, }, { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "90C2280D-5F0E-4E86-BA5B-0121A284B836", versionEndExcluding: "2.14.2", versionStartIncluding: "2.14.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A vulnerability was found in Quarkus. This security flaw is in the Dev UI Config Editor, which is vulnerable to drive-by localhost attacks leading to remote code execution.", }, { lang: "es", value: "Se encontró una vulnerabilidad en Quarkus. Esta falla de seguridad ocurre en Dev UI Config Editor, que es vulnerable a ataques drive-by contra localhost que conducen a la ejecución remota de código.", }, ], id: "CVE-2022-4116", lastModified: "2025-04-29T17:15:38.553", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, 
exploitabilityScore: 3.9, impactScore: 5.9, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2022-11-22T19:15:18.213", references: [ { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2022-4116", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2022-4116", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
fasterxml | jackson-databind | * | |
fasterxml | jackson-databind | * | |
quarkus | quarkus | * | |
debian | debian_linux | 10.0 | |
debian | debian_linux | 11.0 | |
netapp | oncommand_workflow_automation | - |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*", matchCriteriaId: "0848F177-1977-4C9C-B91A-7374FF25F335", versionEndExcluding: "2.12.7.1", vulnerable: true, }, { criteria: "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*", matchCriteriaId: "2BB48E8E-EB2F-46D1-BD98-982FB3528273", versionEndExcluding: "2.13.4", versionStartIncluding: "2.13.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "5CA36870-3A63-428D-BC49-4924FF75FAAD", versionEndExcluding: "2.13.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", matchCriteriaId: "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", vulnerable: true, }, { criteria: "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", matchCriteriaId: "FA6FEEC2-9F11-4643-8827-749718254FED", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", matchCriteriaId: "5735E553-9731-4AAC-BCFF-989377F817B3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.", }, { lang: "es", value: "En FasterXML jackson-databind versiones anteriores a 2.13.4, el agotamiento de los recursos puede ocurrir debido a una falta de comprobación en BeanDeserializer._deserializeFromArray para impedir el uso de arrays profundamente anidados. 
Una aplicación es vulnerable sólo con determinadas opciones personalizadas para la deserialización", }, ], id: "CVE-2022-42004", lastModified: "2024-11-21T07:24:15.277", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-10-02T05:15:09.237", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Issue Tracking", "Mailing List", "Patch", "Third Party Advisory", ], url: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490", }, { source: "cve@mitre.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88", }, { source: "cve@mitre.org", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/FasterXML/jackson-databind/issues/3582", }, { source: "cve@mitre.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://security.gentoo.org/glsa/202210-21", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20221118-0008/", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2022/dsa-5283", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Mailing List", "Patch", "Third Party Advisory", ], url: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ 
"Patch", "Third Party Advisory", ], url: "https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/FasterXML/jackson-databind/issues/3582", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.gentoo.org/glsa/202210-21", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20221118-0008/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2022/dsa-5283", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-502", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Vendor | Product | Version | |
---|---|---|---|
fasterxml | jackson-databind | * | |
fasterxml | jackson-databind | * | |
quarkus | quarkus | * | |
debian | debian_linux | 10.0 | |
debian | debian_linux | 11.0 | |
netapp | oncommand_workflow_automation | - |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*", matchCriteriaId: "0848F177-1977-4C9C-B91A-7374FF25F335", versionEndExcluding: "2.12.7.1", vulnerable: true, }, { criteria: "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*", matchCriteriaId: "A2BBD219-927A-40F3-9AFE-C6A8E7F3E26B", versionEndExcluding: "2.13.4.1", versionStartIncluding: "2.13.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "DA172A0D-FB5E-4754-BB9F-3DEC3366E6F8", versionEndExcluding: "2.13.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", matchCriteriaId: "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", vulnerable: true, }, { criteria: "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", matchCriteriaId: "FA6FEEC2-9F11-4643-8827-749718254FED", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", matchCriteriaId: "5735E553-9731-4AAC-BCFF-989377F817B3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.", }, { lang: "es", value: "En FasterXML jackson-databind anterior a 2.14.0-rc1, puede producirse un agotamiento de recursos debido a la falta de una comprobación en los deserializadores de valores primitivos para evitar el anidamiento de arrays envolventes profundos, cuando la función UNWRAP_SINGLE_VALUE_ARRAYS está activada. 
Versión de corrección adicional en 2.13.4.1 y 2.12.17.1", }, ], id: "CVE-2022-42003", lastModified: "2024-11-21T07:24:15.093", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-10-02T05:15:09.070", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Issue Tracking", "Mailing List", "Patch", "Third Party Advisory", ], url: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020", }, { source: "cve@mitre.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33", }, { source: "cve@mitre.org", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/FasterXML/jackson-databind/issues/3590", }, { source: "cve@mitre.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://security.gentoo.org/glsa/202210-21", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20221124-0004/", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2022/dsa-5283", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Mailing List", "Patch", "Third Party Advisory", ], url: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: 
"https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/FasterXML/jackson-databind/issues/3590", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.gentoo.org/glsa/202210-21", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20221124-0004/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2022/dsa-5283", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-502", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:hibernate:hibernate_orm:*:*:*:*:*:*:*:*", matchCriteriaId: "A0960BC3-6311-47BC-8A26-64352815D61D", versionEndExcluding: "5.3.18", vulnerable: true, }, { criteria: "cpe:2.3:a:hibernate:hibernate_orm:*:*:*:*:*:*:*:*", matchCriteriaId: "DC6F089C-BBE4-4E11-BAC8-3CD6ADE1CA28", versionEndExcluding: "5.4.18", versionStartIncluding: "5.4.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:text-only:*:*:*", matchCriteriaId: "C4724F20-5376-4FB0-8DFA-A75004E2F60D", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:decision_manager:7.0:*:*:*:*:*:*:*", matchCriteriaId: "68146098-58F8-417E-B165-5182527117C4", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:fuse:*:*:*:*:*:*:*:*", matchCriteriaId: "BE29E03D-4680-49E1-8DB4-17B2705E9FBF", versionEndExcluding: "7.8.0", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*", matchCriteriaId: "CD354E32-A8B0-484C-B4C6-9FBCD3430D2D", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*", matchCriteriaId: "B8423D7F-3A8F-4AD8-BF51-245C9D8DD816", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_middleware_text-only_advisories:-:*:*:*:*:*:*:*", matchCriteriaId: "434B744A-9665-4340-B02D-7923FCB2B562", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*", matchCriteriaId: "E722FEF7-58A6-47AD-B1D0-DB0B71B0C7AA", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*", matchCriteriaId: "704CFA1A-953E-4105-BFBE-406034B83DED", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openstack:14:*:*:*:*:*:*:*", matchCriteriaId: "EB7F358B-5E56-41AB-BB8A-23D3CB7A248B", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*", matchCriteriaId: "341E6313-20D5-44CB-9719-B20585DC5AD6", vulnerable: true, }, ], 
negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "2A9BF484-A446-4315-B748-F4723622C464", versionEndIncluding: "1.5.2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*", matchCriteriaId: "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*", matchCriteriaId: "645A908C-18C2-4AB1-ACE7-3969E3A552A5", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*", matchCriteriaId: "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*", matchCriteriaId: "645A908C-18C2-4AB1-ACE7-3969E3A552A5", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", matchCriteriaId: "142AD0DD-4CF3-4D74-9442-459CE3347E3A", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*", matchCriteriaId: "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", matchCriteriaId: "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: 
"cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*", matchCriteriaId: "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*", matchCriteriaId: "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", matchCriteriaId: "142AD0DD-4CF3-4D74-9442-459CE3347E3A", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*", matchCriteriaId: "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", matchCriteriaId: "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, ], cveTags: [], descriptions: [ { lang: "en", value: "A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.", }, { lang: "es", value: "Se encontró un fallo en Hibernate ORM en versiones anteriores a 5.3.18, 5.4.18 y 5.5.0.Beta1. 
Una inyección SQL en la implementación de la API JPA Criteria puede permitir literales no saneados cuando es usado un literal en las partes de la consulta SELECT o GROUP BY. Este fallo podría permitir a un atacante acceder a información no autorizada o posiblemente conducir a nuevos ataques", }, ], id: "CVE-2019-14900", lastModified: "2024-11-21T04:27:38.783", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-07-06T19:15:12.230", references: [ { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1666499", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220210-0020/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Third Party Advisory", ], url: 
"https://bugzilla.redhat.com/show_bug.cgi?id=1666499", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220210-0020/", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
var-202110-1706
Vulnerability from variot
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OutOfMemoryError (OOME) and therefore a denial-of-service (DoS) condition. No description is available for this CVE. JIRA issues fixed (https://issues.jboss.org/):
LOG-2334 - [release-5.3] Events listing out of order in Kibana 6.8.1 LOG-2450 - http.max_header_size set to 128kb causes communication with elasticsearch to stop working LOG-2481 - EO shouldn't grant cluster-wide permission to system:serviceaccount:openshift-monitoring:prometheus-k8s when ES cluster is deployed. [openshift-logging 5.3]
- The purpose of this text-only errata is to inform you about the security issues fixed in this release. Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 7.4.5 security update on RHEL 7 Advisory ID: RHSA-2022:4918-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2022:4918 Issue date: 2022-06-06 CVE Names: CVE-2020-36518 CVE-2021-37136 CVE-2021-37137 CVE-2021-42392 CVE-2021-43797 CVE-2022-0084 CVE-2022-0853 CVE-2022-0866 CVE-2022-1319 CVE-2022-21299 CVE-2022-21363 CVE-2022-23221 CVE-2022-23437 CVE-2022-23913 CVE-2022-24785 ==================================================================== 1. Summary:
A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat JBoss EAP 7.4 for RHEL 7 Server - noarch, x86_64
- Description:
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.
This release of Red Hat JBoss Enterprise Application Platform 7.4.5 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.4 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.5 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
- h2: Loading of custom classes from remote servers through JNDI (CVE-2022-23221)
- jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)
- netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data (CVE-2021-37136)
- netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)
- h2: Remote Code Execution in Console (CVE-2021-42392)
- netty: control chars in header names may lead to HTTP request smuggling (CVE-2021-43797)
- xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr (CVE-2022-0084)
- wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled (CVE-2022-0866)
- undertow: Double AJP response for 400 from EAP 7 results in CPING failures (CVE-2022-1319)
- OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646) (CVE-2022-21299)
- mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors (CVE-2022-21363)
- xerces-j2: infinite loop when handling specially crafted XML document payloads (CVE-2022-23437)
- artemis-commons: Apache ActiveMQ Artemis DoS (CVE-2022-23913)
- Moment.js: Path traversal in moment.locale (CVE-2022-24785)
- jboss-client: memory leakage in remote client transaction (CVE-2022-0853)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
- Solution:
Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data 2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way 2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling 2039403 - CVE-2021-42392 h2: Remote Code Execution in Console 2041472 - CVE-2022-21299 OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646) 2044596 - CVE-2022-23221 h2: Loading of custom classes from remote servers through JNDI 2047200 - CVE-2022-23437 xerces-j2: infinite loop when handling specially crafted XML document payloads 2047343 - CVE-2022-21363 mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors 2060725 - CVE-2022-0853 jboss-client: memory leakage in remote client transaction 2060929 - CVE-2022-0866 wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled 2063601 - CVE-2022-23913 artemis-commons: Apache ActiveMQ Artemis DoS 2064226 - CVE-2022-0084 xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects 2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale 2073890 - CVE-2022-1319 undertow: Double AJP response for 400 from EAP 7 results in CPING failures
- JIRA issues fixed (https://issues.jboss.org/):
JBEAP-23120 - Tracker bug for the EAP 7.4.5 release for RHEL-7 JBEAP-23171 - (7.4.z) Upgrade HAL from 3.3.9.Final-redhat-00001 to 3.3.12.Final-redhat-00001 JBEAP-23194 - Upgrade hibernate-validator from 6.0.22.Final-redhat-00002 to 6.0.23-redhat-00001 JBEAP-23241 - GSS Upgrade jberet from 1.3.9 to 1.3.9.SP1 JBEAP-23299 - (7.4.z) Upgrade Artemis from 2.16.0.redhat-00034 to 2.16.0.redhat-00042 JBEAP-23300 - GSS Upgrade JBoss Remoting from 5.0.23.SP1 to 5.0.24.SP1 JBEAP-23312 - (7.4.z) Upgrade WildFly Core from 15.0.8.Final-redhat-00001 to 15.0.12.Final-redhat-00001 JBEAP-23313 - (7.4.z) Upgrade Elytron from 1.15.11.Final-redhat-00002 to 1.15.12.Final-redhat-00001 JBEAP-23336 - (7.4.z) Upgrade Hibernate ORM from 5.3.25.Final-redhat-00002 to 5.3.26.Final-redhat-00002 JBEAP-23338 - GSS Upgrade Undertow from 2.2.16 to 2.2.17.SP3 JBEAP-23339 - GSS Upgrade wildfly-http-ejb-client from 1.1.10 to 1.1.11.SP1 JBEAP-23351 - (7.4.z) Upgrade org.apache.logging.log4j from 2.17.1.redhat-00001 to 2.17.1.redhat-00002 JBEAP-23353 - (7.4.z) Upgrade wildfly-transaction-client from 1.1.14.Final-redhat-00001 to 1.1.15.Final-redhat-x JBEAP-23429 - PM JDK17 Update Tested Configurations page and make note in Update release notes JBEAP-23432 - GSS Upgrade JSF API from 3.0.0.SP04 to 3.0.0.SP05 JBEAP-23451 - [PST] (7.4.z) Upgrade to FasterXML Jackson to 2.12.6.redhat-00001 and Jackson Databind to 2.12.6.1.redhat-00003 JBEAP-23531 - GSS Upgrade Undertow from 2.2.17.SP3 to 2.2.17.SP4 JBEAP-23532 - (7.4.z) Upgrade WildFly Core from 15.0.12.Final-redhat-00001 to 15.0.13.Final-redhat-00001
- Package List:
Red Hat JBoss EAP 7.4 for RHEL 7 Server:
Source: eap7-activemq-artemis-2.16.0-9.redhat_00042.1.el7eap.src.rpm eap7-h2database-1.4.197-2.redhat_00004.1.el7eap.src.rpm eap7-hal-console-3.3.12-1.Final_redhat_00001.1.el7eap.src.rpm eap7-hibernate-5.3.26-1.Final_redhat_00002.2.el7eap.src.rpm eap7-hibernate-validator-6.0.23-1.Final_redhat_00001.1.el7eap.src.rpm eap7-jackson-annotations-2.12.6-1.redhat_00001.1.el7eap.src.rpm eap7-jackson-core-2.12.6-1.redhat_00001.1.el7eap.src.rpm eap7-jackson-databind-2.12.6.1-1.redhat_00003.1.el7eap.src.rpm eap7-jackson-jaxrs-providers-2.12.6-1.redhat_00001.1.el7eap.src.rpm eap7-jackson-modules-base-2.12.6-1.redhat_00001.1.el7eap.src.rpm eap7-jackson-modules-java8-2.12.6-1.redhat_00001.1.el7eap.src.rpm eap7-jberet-1.3.9-1.SP1_redhat_00001.1.el7eap.src.rpm eap7-jboss-jsf-api_2.3_spec-3.0.0-4.SP05_redhat_00002.1.el7eap.src.rpm eap7-jboss-remoting-5.0.24-1.SP1_redhat_00001.1.el7eap.src.rpm eap7-jboss-server-migration-1.10.0-16.Final_redhat_00015.1.el7eap.src.rpm eap7-jboss-xnio-base-3.8.7-1.SP1_redhat_00001.1.el7eap.src.rpm eap7-log4j-2.17.1-2.redhat_00002.1.el7eap.src.rpm eap7-netty-4.1.72-4.Final_redhat_00001.1.el7eap.src.rpm eap7-netty-tcnative-2.0.48-1.Final_redhat_00001.1.el7eap.src.rpm eap7-netty-transport-native-epoll-4.1.72-1.Final_redhat_00001.1.el7eap.src.rpm eap7-snakeyaml-1.29.0-1.redhat_00001.2.el7eap.src.rpm eap7-undertow-2.2.17-2.SP4_redhat_00001.1.el7eap.src.rpm eap7-wildfly-7.4.5-3.GA_redhat_00001.1.el7eap.src.rpm eap7-wildfly-elytron-1.15.12-1.Final_redhat_00001.1.el7eap.src.rpm eap7-wildfly-http-client-1.1.11-1.SP1_redhat_00001.1.el7eap.src.rpm eap7-wildfly-transaction-client-1.1.15-1.Final_redhat_00001.1.el7eap.src.rpm eap7-xerces-j2-2.12.0-3.SP04_redhat_00001.1.el7eap.src.rpm
noarch: eap7-activemq-artemis-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-cli-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-commons-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-core-client-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-dto-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-hornetq-protocol-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-hqclient-protocol-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-jdbc-store-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-jms-client-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-jms-server-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-journal-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-ra-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-selector-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-server-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-service-extensions-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-tools-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-h2database-1.4.197-2.redhat_00004.1.el7eap.noarch.rpm eap7-hal-console-3.3.12-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-hibernate-5.3.26-1.Final_redhat_00002.2.el7eap.noarch.rpm eap7-hibernate-core-5.3.26-1.Final_redhat_00002.2.el7eap.noarch.rpm eap7-hibernate-entitymanager-5.3.26-1.Final_redhat_00002.2.el7eap.noarch.rpm eap7-hibernate-envers-5.3.26-1.Final_redhat_00002.2.el7eap.noarch.rpm eap7-hibernate-java8-5.3.26-1.Final_redhat_00002.2.el7eap.noarch.rpm eap7-hibernate-validator-6.0.23-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-hibernate-validator-cdi-6.0.23-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jackson-annotations-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-core-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-databind-2.12.6.1-1.redhat_00003.1.el7eap.noarch.rpm 
eap7-jackson-datatype-jdk8-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-datatype-jsr310-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-jaxrs-base-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-jaxrs-json-provider-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-module-jaxb-annotations-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-modules-base-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-modules-java8-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jberet-1.3.9-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-jberet-core-1.3.9-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-jsf-api_2.3_spec-3.0.0-4.SP05_redhat_00002.1.el7eap.noarch.rpm eap7-jboss-remoting-5.0.24-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-server-migration-1.10.0-16.Final_redhat_00015.1.el7eap.noarch.rpm eap7-jboss-server-migration-cli-1.10.0-16.Final_redhat_00015.1.el7eap.noarch.rpm eap7-jboss-server-migration-core-1.10.0-16.Final_redhat_00015.1.el7eap.noarch.rpm eap7-jboss-xnio-base-3.8.7-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-log4j-2.17.1-2.redhat_00002.1.el7eap.noarch.rpm eap7-netty-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-all-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-buffer-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-dns-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-haproxy-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-http-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-http2-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-memcache-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-mqtt-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-redis-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-smtp-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm 
eap7-netty-codec-socks-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-stomp-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-xml-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-common-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-handler-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-handler-proxy-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-resolver-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-resolver-dns-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-resolver-dns-classes-macos-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-tcnative-2.0.48-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-classes-epoll-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-classes-kqueue-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-native-unix-common-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-rxtx-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-sctp-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-udt-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-snakeyaml-1.29.0-1.redhat_00001.2.el7eap.noarch.rpm eap7-undertow-2.2.17-2.SP4_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-7.4.5-3.GA_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-elytron-1.15.12-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-elytron-tool-1.15.12-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-client-common-1.1.11-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-ejb-client-1.1.11-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-naming-client-1.1.11-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-transaction-client-1.1.11-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-java-jdk11-7.4.5-3.GA_redhat_00001.1.el7eap.noarch.rpm 
eap7-wildfly-java-jdk8-7.4.5-3.GA_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-javadocs-7.4.5-3.GA_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-modules-7.4.5-3.GA_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-transaction-client-1.1.15-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-xerces-j2-2.12.0-3.SP04_redhat_00001.1.el7eap.noarch.rpm
x86_64: eap7-netty-transport-native-epoll-4.1.72-1.Final_redhat_00001.1.el7eap.x86_64.rpm eap7-netty-transport-native-epoll-debuginfo-4.1.72-1.Final_redhat_00001.1.el7eap.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2020-36518 https://access.redhat.com/security/cve/CVE-2021-37136 https://access.redhat.com/security/cve/CVE-2021-37137 https://access.redhat.com/security/cve/CVE-2021-42392 https://access.redhat.com/security/cve/CVE-2021-43797 https://access.redhat.com/security/cve/CVE-2022-0084 https://access.redhat.com/security/cve/CVE-2022-0853 https://access.redhat.com/security/cve/CVE-2022-0866 https://access.redhat.com/security/cve/CVE-2022-1319 https://access.redhat.com/security/cve/CVE-2022-21299 https://access.redhat.com/security/cve/CVE-2022-21363 https://access.redhat.com/security/cve/CVE-2022-23221 https://access.redhat.com/security/cve/CVE-2022-23437 https://access.redhat.com/security/cve/CVE-2022-23913 https://access.redhat.com/security/cve/CVE-2022-24785 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBYp5qBdzjgjWX9erEAQgudg/+KIuaXQZawyOnSNF4IIR8WYnfcW8Ojsfk 27VFNY6WCSn07IkzyDFuCLHsmUEesiJvpYssOx4CuX1YEmlF7S/KepyI6QDVC+BV hFAfaVE1gdrny1sqaS8k4VFE9rHODML1q2yyeUNgdtL4YGdOeduqOEn6Q6GS/rvh +8vCZFkFb9QKxxItc1xvxvU8kAomQun+eqr040IHuF0jAZfLI18/5vzsPqeQG+Ua qU4CG5FucVytEkJCnQ8Ci3QH3FCm/BPqotyhO3OAi1b5+db+fT+UqJpiuHYCsPcQ 8DRKizi/ia6Rq5b/OTFodA8lo6U3nDIljJ7QcuADgGzX4fak+BxQNkQMfhS4/b01 /yFU034PmQBTJpm0r5Vb4V4lBWzAi5QMDttI4wncuM3VGbxSoEEXzdzFHVzgoy1r qDGfJ1C5VnSJeLawDa6tGyndBiVga/PPgx0CoSIPsAYnjXYfJM1DsohUXppTL1k+ z8W2UIoIGqycYdCm60uJ+qbzqLlODNXmXn154OJL3O/o6Nz7O+uqVt+WfaNnwO/Y wf85wHGjzLaOALZfly/fENQr5Aijb9WqavN3tbcipj6+F4D3OLJMOSap8+TOXF3C StEX/XQpQASMmemvHJr/8c9Fx6tumJ+hLI4EyXfNdlYFJFQY4l4J0X6+mH047B3G R+RN8v8nzXQ{m6 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . JIRA issues fixed (https://issues.redhat.com/):
ENTMQST-5081 - [PROD] Create RHSA erratum for Streams 2.5.0
The References section of this erratum contains a download link for the update. You must be logged in to download the update. Description:
Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", affected_products: { "@id": "https://www.variotdbs.pl/ref/affected_products", }, configurations: { "@id": "https://www.variotdbs.pl/ref/configurations", }, credits: { "@id": "https://www.variotdbs.pl/ref/credits", }, cvss: { "@id": "https://www.variotdbs.pl/ref/cvss/", }, description: { "@id": "https://www.variotdbs.pl/ref/description/", }, exploit_availability: { "@id": "https://www.variotdbs.pl/ref/exploit_availability/", }, external_ids: { "@id": "https://www.variotdbs.pl/ref/external_ids/", }, iot: { "@id": "https://www.variotdbs.pl/ref/iot/", }, iot_taxonomy: { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/", }, patch: { "@id": "https://www.variotdbs.pl/ref/patch/", }, problemtype_data: { "@id": "https://www.variotdbs.pl/ref/problemtype_data/", }, references: { "@id": "https://www.variotdbs.pl/ref/references/", }, sources: { "@id": "https://www.variotdbs.pl/ref/sources/", }, sources_release_date: { "@id": "https://www.variotdbs.pl/ref/sources_release_date/", }, sources_update_date: { "@id": "https://www.variotdbs.pl/ref/sources_update_date/", }, threat_type: { "@id": "https://www.variotdbs.pl/ref/threat_type/", }, title: { "@id": "https://www.variotdbs.pl/ref/title/", }, type: { "@id": "https://www.variotdbs.pl/ref/type/", }, }, "@id": "https://www.variotdbs.pl/vuln/VAR-202110-1706", affected_products: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { model: "banking digital experience", scope: "eq", trust: 1, vendor: "oracle", version: "18.2", }, { model: "peoplesoft enterprise peopletools", scope: "eq", trust: 1, vendor: "oracle", version: "8.48", }, { model: "communications brm - elastic charging engine", scope: "lt", trust: 1, 
vendor: "oracle", version: "12.0.0.4.6", }, { model: "helidon", scope: "eq", trust: 1, vendor: "oracle", version: "2.4.0", }, { model: "coherence", scope: "eq", trust: 1, vendor: "oracle", version: "14.1.1.0.0", }, { model: "communications cloud native core binding support function", scope: "eq", trust: 1, vendor: "oracle", version: "1.10.0", }, { model: "banking digital experience", scope: "eq", trust: 1, vendor: "oracle", version: "18.3", }, { model: "quarkus", scope: "lt", trust: 1, vendor: "quarkus", version: "2.2.4", }, { model: "communications cloud native core network slice selection function", scope: "eq", trust: 1, vendor: "oracle", version: "1.8.0", }, { model: "communications cloud native core binding support function", scope: "eq", trust: 1, vendor: "oracle", version: "1.11.0", }, { model: "helidon", scope: "eq", trust: 1, vendor: "oracle", version: "1.4.10", }, { model: "oncommand insight", scope: "eq", trust: 1, vendor: "netapp", version: null, }, { model: "communications cloud native core security edge protection proxy", scope: "eq", trust: 1, vendor: "oracle", version: "1.7.0", }, { model: "linux", scope: "eq", trust: 1, vendor: "debian", version: "10.0", }, { model: "banking digital experience", scope: "eq", trust: 1, vendor: "oracle", version: "19.2", }, { model: "banking apis", scope: "eq", trust: 1, vendor: "oracle", version: "19.2", }, { model: "banking apis", scope: "eq", trust: 1, vendor: "oracle", version: "21.1", }, { model: "linux", scope: "eq", trust: 1, vendor: "debian", version: "11.0", }, { model: "webcenter portal", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.1.4.0", }, { model: "banking digital experience", scope: "eq", trust: 1, vendor: "oracle", version: "21.1", }, { model: "communications instant messaging server", scope: "eq", trust: 1, vendor: "oracle", version: "8.1", }, { model: "banking digital experience", scope: "eq", trust: 1, vendor: "oracle", version: "20.1", }, { model: "banking apis", scope: "eq", trust: 1, 
vendor: "oracle", version: "20.1", }, { model: "communications diameter signaling router", scope: "lte", trust: 1, vendor: "oracle", version: "8.5.0.2", }, { model: "netty", scope: "lt", trust: 1, vendor: "netty", version: "4.1.68", }, { model: "coherence", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.1.4.0", }, { model: "communications cloud native core unified data repository", scope: "eq", trust: 1, vendor: "oracle", version: "1.15.0", }, { model: "communications diameter signaling router", scope: "gte", trust: 1, vendor: "oracle", version: "8.0.0.0", }, { model: "peoplesoft enterprise peopletools", scope: "eq", trust: 1, vendor: "oracle", version: "8.57", }, { model: "commerce guided search", scope: "eq", trust: 1, vendor: "oracle", version: "11.3.2", }, { model: "banking apis", scope: "lte", trust: 1, vendor: "oracle", version: "18.3", }, { model: "peoplesoft enterprise peopletools", scope: "eq", trust: 1, vendor: "oracle", version: "8.58", }, { model: "peoplesoft enterprise peopletools", scope: "eq", trust: 1, vendor: "oracle", version: "8.59", }, { model: "banking apis", scope: "eq", trust: 1, vendor: "oracle", version: "19.1", }, { model: "communications brm - elastic charging engine", scope: "eq", trust: 1, vendor: "oracle", version: "12", }, { model: "banking apis", scope: "gte", trust: 1, vendor: "oracle", version: "18.1", }, { model: "banking digital experience", scope: "eq", trust: 1, vendor: "oracle", version: "19.1", }, { model: "webcenter portal", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.1.3.0", }, { model: "banking digital experience", scope: "eq", trust: 1, vendor: "oracle", version: "18.1", }, { model: "communications cloud native core policy", scope: "eq", trust: 1, vendor: "oracle", version: "1.15.0", }, ], sources: [ { db: "NVD", id: "CVE-2021-37136", }, ], }, credits: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", sources: { "@container": "@list", "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Red Hat", sources: [ { db: "PACKETSTORM", id: "167140", }, { db: "PACKETSTORM", id: "167122", }, { db: "PACKETSTORM", id: "168657", }, { db: "PACKETSTORM", id: "167423", }, { db: "PACKETSTORM", id: "166408", }, { db: "PACKETSTORM", id: "174675", }, { db: "PACKETSTORM", id: "166093", }, { db: "PACKETSTORM", id: "165564", }, ], trust: 0.8, }, cve: "CVE-2021-37136", cvss: { "@context": { cvssV2: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2", }, cvssV3: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/", }, severity: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#", }, "@id": "https://www.variotdbs.pl/ref/cvss/severity", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { cvssV2: [ { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "nvd@nist.gov", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", exploitabilityScore: 10, id: "CVE-2021-37136", impactScore: 2.9, integrityImpact: "NONE", severity: "MEDIUM", trust: 1, vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "VULHUB", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", exploitabilityScore: 10, id: "VHN-398972", impactScore: 2.9, integrityImpact: "NONE", severity: "MEDIUM", trust: 0.1, vectorString: "AV:N/AC:L/AU:N/C:N/I:N/A:P", version: "2.0", }, ], cvssV3: [ { attackComplexity: "LOW", attackVector: "NETWORK", author: "nvd@nist.gov", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", 
exploitabilityScore: 3.9, id: "CVE-2021-37136", impactScore: 3.6, integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", trust: 1, userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, ], severity: [ { author: "nvd@nist.gov", id: "CVE-2021-37136", trust: 1, value: "HIGH", }, { author: "VULHUB", id: "VHN-398972", trust: 0.1, value: "MEDIUM", }, ], }, ], sources: [ { db: "VULHUB", id: "VHN-398972", }, { db: "NVD", id: "CVE-2021-37136", }, ], }, description: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack. No description is available for this CVE. JIRA issues fixed (https://issues.jboss.org/):\n\nLOG-2334 - [release-5.3] Events listing out of order in Kibana 6.8.1\nLOG-2450 - http.max_header_size set to 128kb causes communication with elasticsearch to stop working\nLOG-2481 - EO shouldn't grant cluster-wide permission to system:serviceaccount:openshift-monitoring:prometheus-k8s when ES cluster is deployed. [openshift-logging 5.3]\n\n6. The purpose of this text-only\nerrata is to inform you about the security issues fixed in this release. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. 
-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Moderate: Red Hat JBoss Enterprise Application Platform 7.4.5 security update on RHEL 7\nAdvisory ID: RHSA-2022:4918-01\nProduct: Red Hat JBoss Enterprise Application Platform\nAdvisory URL: https://access.redhat.com/errata/RHSA-2022:4918\nIssue date: 2022-06-06\nCVE Names: CVE-2020-36518 CVE-2021-37136 CVE-2021-37137\n CVE-2021-42392 CVE-2021-43797 CVE-2022-0084\n CVE-2022-0853 CVE-2022-0866 CVE-2022-1319\n CVE-2022-21299 CVE-2022-21363 CVE-2022-23221\n CVE-2022-23437 CVE-2022-23913 CVE-2022-24785\n====================================================================\n1. Summary:\n\nA security update is now available for Red Hat JBoss Enterprise Application\nPlatform 7.4 for Red Hat Enterprise Linux 7. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat JBoss EAP 7.4 for RHEL 7 Server - noarch, x86_64\n\n3. Description:\n\nRed Hat JBoss Enterprise Application Platform 7 is a platform for Java\napplications based on the WildFly application runtime. \n\nThis release of Red Hat JBoss Enterprise Application Platform 7.4.5 serves\nas a replacement for Red Hat JBoss Enterprise Application Platform 7.4.4\nand includes bug fixes and enhancements. See the Red Hat JBoss Enterprise\nApplication Platform 7.4.5 Release Notes for information about the most\nsignificant bug fixes and enhancements included in this release. 
\n\nSecurity Fix(es):\n\n* h2: Loading of custom classes from remote servers through JNDI\n(CVE-2022-23221)\n\n* jackson-databind: denial of service via a large depth of nested objects\n(CVE-2020-36518)\n\n* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for\ndecompressed data (CVE-2021-37136)\n\n* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may\nbuffer skippable chunks in an unnecessary way (CVE-2021-37137)\n\n* h2: Remote Code Execution in Console (CVE-2021-42392)\n\n* netty: control chars in header names may lead to HTTP request smuggling\n(CVE-2021-43797)\n\n* xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of\nstderr (CVE-2022-0084)\n\n* wildfly: Wildfly management of EJB Session context returns wrong caller\nprincipal with Elytron Security enabled (CVE-2022-0866)\n\n* undertow: Double AJP response for 400 from EAP 7 results in CPING\nfailures (CVE-2022-1319)\n\n* OpenJDK: Infinite loop related to incorrect handling of newlines in\nXMLEntityScanner (JAXP, 8270646) (CVE-2022-21299)\n\n* mysql-connector-java: Difficult to exploit vulnerability allows high\nprivileged attacker with network access via multiple protocols to\ncompromise MySQL Connectors (CVE-2022-21363)\n\n* xerces-j2: infinite loop when handling specially crafted XML document\npayloads (CVE-2022-23437)\n\n* artemis-commons: Apache ActiveMQ Artemis DoS (CVE-2022-23913)\n\n* Moment.js: Path traversal in moment.locale (CVE-2022-24785)\n\n* jboss-client: memory leakage in remote client transaction (CVE-2022-0853)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\n4. Solution:\n\nBefore applying this update, back up your existing Red Hat JBoss Enterprise\nApplication Platform installation and deployed applications. 
\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data\n2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way\n2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling\n2039403 - CVE-2021-42392 h2: Remote Code Execution in Console\n2041472 - CVE-2022-21299 OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646)\n2044596 - CVE-2022-23221 h2: Loading of custom classes from remote servers through JNDI\n2047200 - CVE-2022-23437 xerces-j2: infinite loop when handling specially crafted XML document payloads\n2047343 - CVE-2022-21363 mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors\n2060725 - CVE-2022-0853 jboss-client: memory leakage in remote client transaction\n2060929 - CVE-2022-0866 wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled\n2063601 - CVE-2022-23913 artemis-commons: Apache ActiveMQ Artemis DoS\n2064226 - CVE-2022-0084 xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr\n2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects\n2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale\n2073890 - CVE-2022-1319 undertow: Double AJP response for 400 from EAP 7 results in CPING failures\n\n6. 
JIRA issues fixed (https://issues.jboss.org/):\n\nJBEAP-23120 - Tracker bug for the EAP 7.4.5 release for RHEL-7\nJBEAP-23171 - (7.4.z) Upgrade HAL from 3.3.9.Final-redhat-00001 to 3.3.12.Final-redhat-00001\nJBEAP-23194 - Upgrade hibernate-validator from 6.0.22.Final-redhat-00002 to 6.0.23-redhat-00001\nJBEAP-23241 - [GSS](7.4.z) Upgrade jberet from 1.3.9 to 1.3.9.SP1\nJBEAP-23299 - (7.4.z) Upgrade Artemis from 2.16.0.redhat-00034 to 2.16.0.redhat-00042\nJBEAP-23300 - [GSS](7.4.z) Upgrade JBoss Remoting from 5.0.23.SP1 to 5.0.24.SP1\nJBEAP-23312 - (7.4.z) Upgrade WildFly Core from 15.0.8.Final-redhat-00001 to 15.0.12.Final-redhat-00001\nJBEAP-23313 - (7.4.z) Upgrade Elytron from 1.15.11.Final-redhat-00002 to 1.15.12.Final-redhat-00001\nJBEAP-23336 - (7.4.z) Upgrade Hibernate ORM from 5.3.25.Final-redhat-00002 to 5.3.26.Final-redhat-00002\nJBEAP-23338 - [GSS](7.4.z) Upgrade Undertow from 2.2.16 to 2.2.17.SP3\nJBEAP-23339 - [GSS](7.4.z) Upgrade wildfly-http-ejb-client from 1.1.10 to 1.1.11.SP1\nJBEAP-23351 - (7.4.z) Upgrade org.apache.logging.log4j from 2.17.1.redhat-00001 to 2.17.1.redhat-00002\nJBEAP-23353 - (7.4.z) Upgrade wildfly-transaction-client from 1.1.14.Final-redhat-00001 to 1.1.15.Final-redhat-x\nJBEAP-23429 - [PM](7.4.z) JDK17 Update Tested Configurations page and make note in Update release notes\nJBEAP-23432 - [GSS](7.4.z) Upgrade JSF API from 3.0.0.SP04 to 3.0.0.SP05\nJBEAP-23451 - [PST] (7.4.z) Upgrade to FasterXML Jackson to 2.12.6.redhat-00001 and Jackson Databind to 2.12.6.1.redhat-00003\nJBEAP-23531 - [GSS](7.4.z) Upgrade Undertow from 2.2.17.SP3 to 2.2.17.SP4\nJBEAP-23532 - (7.4.z) Upgrade WildFly Core from 15.0.12.Final-redhat-00001 to 15.0.13.Final-redhat-00001\n\n7. 
Package List:\n\nRed Hat JBoss EAP 7.4 for RHEL 7 Server:\n\nSource:\neap7-activemq-artemis-2.16.0-9.redhat_00042.1.el7eap.src.rpm\neap7-h2database-1.4.197-2.redhat_00004.1.el7eap.src.rpm\neap7-hal-console-3.3.12-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-hibernate-5.3.26-1.Final_redhat_00002.2.el7eap.src.rpm\neap7-hibernate-validator-6.0.23-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-jackson-annotations-2.12.6-1.redhat_00001.1.el7eap.src.rpm\neap7-jackson-core-2.12.6-1.redhat_00001.1.el7eap.src.rpm\neap7-jackson-databind-2.12.6.1-1.redhat_00003.1.el7eap.src.rpm\neap7-jackson-jaxrs-providers-2.12.6-1.redhat_00001.1.el7eap.src.rpm\neap7-jackson-modules-base-2.12.6-1.redhat_00001.1.el7eap.src.rpm\neap7-jackson-modules-java8-2.12.6-1.redhat_00001.1.el7eap.src.rpm\neap7-jberet-1.3.9-1.SP1_redhat_00001.1.el7eap.src.rpm\neap7-jboss-jsf-api_2.3_spec-3.0.0-4.SP05_redhat_00002.1.el7eap.src.rpm\neap7-jboss-remoting-5.0.24-1.SP1_redhat_00001.1.el7eap.src.rpm\neap7-jboss-server-migration-1.10.0-16.Final_redhat_00015.1.el7eap.src.rpm\neap7-jboss-xnio-base-3.8.7-1.SP1_redhat_00001.1.el7eap.src.rpm\neap7-log4j-2.17.1-2.redhat_00002.1.el7eap.src.rpm\neap7-netty-4.1.72-4.Final_redhat_00001.1.el7eap.src.rpm\neap7-netty-tcnative-2.0.48-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-netty-transport-native-epoll-4.1.72-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-snakeyaml-1.29.0-1.redhat_00001.2.el7eap.src.rpm\neap7-undertow-2.2.17-2.SP4_redhat_00001.1.el7eap.src.rpm\neap7-wildfly-7.4.5-3.GA_redhat_00001.1.el7eap.src.rpm\neap7-wildfly-elytron-1.15.12-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-wildfly-http-client-1.1.11-1.SP1_redhat_00001.1.el7eap.src.rpm\neap7-wildfly-transaction-client-1.1.15-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-xerces-j2-2.12.0-3.SP04_redhat_00001.1.el7eap.src.rpm\n\nnoarch:\neap7-activemq-artemis-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm\neap7-activemq-artemis-cli-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm\neap7-activemq-artemis-commons-2.16.0-9.redhat_00042.1.e
l7eap.noarch.rpm\neap7-activemq-artemis-core-client-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm\neap7-activemq-artemis-dto-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm\neap7-activemq-artemis-hornetq-protocol-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm\neap7-activemq-artemis-hqclient-protocol-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm\neap7-activemq-artemis-jdbc-store-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm\neap7-activemq-artemis-jms-client-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm\neap7-activemq-artemis-jms-server-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm\neap7-activemq-artemis-journal-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm\neap7-activemq-artemis-ra-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm\neap7-activemq-artemis-selector-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm\neap7-activemq-artemis-server-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm\neap7-activemq-artemis-service-extensions-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm\neap7-activemq-artemis-tools-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm\neap7-h2database-1.4.197-2.redhat_00004.1.el7eap.noarch.rpm\neap7-hal-console-3.3.12-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-hibernate-5.3.26-1.Final_redhat_00002.2.el7eap.noarch.rpm\neap7-hibernate-core-5.3.26-1.Final_redhat_00002.2.el7eap.noarch.rpm\neap7-hibernate-entitymanager-5.3.26-1.Final_redhat_00002.2.el7eap.noarch.rpm\neap7-hibernate-envers-5.3.26-1.Final_redhat_00002.2.el7eap.noarch.rpm\neap7-hibernate-java8-5.3.26-1.Final_redhat_00002.2.el7eap.noarch.rpm\neap7-hibernate-validator-6.0.23-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-hibernate-validator-cdi-6.0.23-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-jackson-annotations-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm\neap7-jackson-core-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm\neap7-jackson-databind-2.12.6.1-1.redhat_00003.1.el7eap.noarch.rpm\neap7-jackson-datatype-jdk8-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm\neap7-jackson-datatype-jsr310-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm\neap7-jackson-jaxrs-base-2.12.6-1.
redhat_00001.1.el7eap.noarch.rpm\neap7-jackson-jaxrs-json-provider-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm\neap7-jackson-module-jaxb-annotations-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm\neap7-jackson-modules-base-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm\neap7-jackson-modules-java8-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm\neap7-jberet-1.3.9-1.SP1_redhat_00001.1.el7eap.noarch.rpm\neap7-jberet-core-1.3.9-1.SP1_redhat_00001.1.el7eap.noarch.rpm\neap7-jboss-jsf-api_2.3_spec-3.0.0-4.SP05_redhat_00002.1.el7eap.noarch.rpm\neap7-jboss-remoting-5.0.24-1.SP1_redhat_00001.1.el7eap.noarch.rpm\neap7-jboss-server-migration-1.10.0-16.Final_redhat_00015.1.el7eap.noarch.rpm\neap7-jboss-server-migration-cli-1.10.0-16.Final_redhat_00015.1.el7eap.noarch.rpm\neap7-jboss-server-migration-core-1.10.0-16.Final_redhat_00015.1.el7eap.noarch.rpm\neap7-jboss-xnio-base-3.8.7-1.SP1_redhat_00001.1.el7eap.noarch.rpm\neap7-log4j-2.17.1-2.redhat_00002.1.el7eap.noarch.rpm\neap7-netty-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-all-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-buffer-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-dns-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-haproxy-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-http-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-http2-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-memcache-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-mqtt-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-redis-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-smtp-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-socks-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-stomp-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-xml-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rp
m\neap7-netty-common-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-handler-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-handler-proxy-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-resolver-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-resolver-dns-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-resolver-dns-classes-macos-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-tcnative-2.0.48-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-transport-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-transport-classes-epoll-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-transport-classes-kqueue-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-transport-native-unix-common-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-transport-rxtx-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-transport-sctp-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-transport-udt-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-snakeyaml-1.29.0-1.redhat_00001.2.el7eap.noarch.rpm\neap7-undertow-2.2.17-2.SP4_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-7.4.5-3.GA_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-elytron-1.15.12-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-elytron-tool-1.15.12-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-http-client-common-1.1.11-1.SP1_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-http-ejb-client-1.1.11-1.SP1_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-http-naming-client-1.1.11-1.SP1_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-http-transaction-client-1.1.11-1.SP1_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-java-jdk11-7.4.5-3.GA_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-java-jdk8-7.4.5-3.GA_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-javadocs-7.4.5-3.GA_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-modules-7.4.5-3.GA_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-transaction-c
lient-1.1.15-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-xerces-j2-2.12.0-3.SP04_redhat_00001.1.el7eap.noarch.rpm\n\nx86_64:\neap7-netty-transport-native-epoll-4.1.72-1.Final_redhat_00001.1.el7eap.x86_64.rpm\neap7-netty-transport-native-epoll-debuginfo-4.1.72-1.Final_redhat_00001.1.el7eap.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n8. References:\n\nhttps://access.redhat.com/security/cve/CVE-2020-36518\nhttps://access.redhat.com/security/cve/CVE-2021-37136\nhttps://access.redhat.com/security/cve/CVE-2021-37137\nhttps://access.redhat.com/security/cve/CVE-2021-42392\nhttps://access.redhat.com/security/cve/CVE-2021-43797\nhttps://access.redhat.com/security/cve/CVE-2022-0084\nhttps://access.redhat.com/security/cve/CVE-2022-0853\nhttps://access.redhat.com/security/cve/CVE-2022-0866\nhttps://access.redhat.com/security/cve/CVE-2022-1319\nhttps://access.redhat.com/security/cve/CVE-2022-21299\nhttps://access.redhat.com/security/cve/CVE-2022-21363\nhttps://access.redhat.com/security/cve/CVE-2022-23221\nhttps://access.redhat.com/security/cve/CVE-2022-23437\nhttps://access.redhat.com/security/cve/CVE-2022-23913\nhttps://access.redhat.com/security/cve/CVE-2022-24785\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/\nhttps://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/\n\n9. Contact:\n\nThe Red Hat security contact is <secalert@redhat.com>. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2022 Red Hat, Inc. 
\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBYp5qBdzjgjWX9erEAQgudg/+KIuaXQZawyOnSNF4IIR8WYnfcW8Ojsfk\n27VFNY6WCSn07IkzyDFuCLHsmUEesiJvpYssOx4CuX1YEmlF7S/KepyI6QDVC+BV\nhFAfaVE1gdrny1sqaS8k4VFE9rHODML1q2yyeUNgdtL4YGdOeduqOEn6Q6GS/rvh\n+8vCZFkFb9QKxxItc1xvxvU8kAomQun+eqr040IHuF0jAZfLI18/5vzsPqeQG+Ua\nqU4CG5FucVytEkJCnQ8Ci3QH3FCm/BPqotyhO3OAi1b5+db+fT+UqJpiuHYCsPcQ\n8DRKizi/ia6Rq5b/OTFodA8lo6U3nDIljJ7QcuADgGzX4fak+BxQNkQMfhS4/b01\n/yFU034PmQBTJpm0r5Vb4V4lBWzAi5QMDttI4wncuM3VGbxSoEEXzdzFHVzgoy1r\nqDGfJ1C5VnSJeLawDa6tGyndBiVga/PPgx0CoSIPsAYnjXYfJM1DsohUXppTL1k+\nz8W2UIoIGqycYdCm60uJ+qbzqLlODNXmXn154OJL3O/o6Nz7O+uqVt+WfaNnwO/Y\nwf85wHGjzLaOALZfly/fENQr5Aijb9WqavN3tbcipj6+F4D3OLJMOSap8+TOXF3C\nStEX/XQpQASMmemvHJr/8c9Fx6tumJ+hLI4EyXfNdlYFJFQY4l4J0X6+mH047B3G\nR+RN8v8nzXQ{m6\n-----END PGP SIGNATURE-----\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n. JIRA issues fixed (https://issues.redhat.com/):\n\nENTMQST-5081 - [PROD] Create RHSA erratum for Streams 2.5.0\n\n6. \n\nThe References section of this erratum contains a download link for the\nupdate. You must be logged in to download the update. 
Description:\n\nRed Hat AMQ Streams, based on the Apache Kafka project, offers a\ndistributed backbone that allows microservices and other applications to\nshare data with extremely high throughput and extremely low latency", sources: [ { db: "NVD", id: "CVE-2021-37136", }, { db: "VULHUB", id: "VHN-398972", }, { db: "VULMON", id: "CVE-2021-37136", }, { db: "PACKETSTORM", id: "167140", }, { db: "PACKETSTORM", id: "167122", }, { db: "PACKETSTORM", id: "168657", }, { db: "PACKETSTORM", id: "167423", }, { db: "PACKETSTORM", id: "166408", }, { db: "PACKETSTORM", id: "174675", }, { db: "PACKETSTORM", id: "166093", }, { db: "PACKETSTORM", id: "165564", }, ], trust: 1.8, }, exploit_availability: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { reference: "https://www.scap.org.cn/vuln/vhn-398972", trust: 0.1, type: "unknown", }, ], sources: [ { db: "VULHUB", id: "VHN-398972", }, ], }, external_ids: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { db: "NVD", id: "CVE-2021-37136", trust: 2, }, { db: "PACKETSTORM", id: "166408", trust: 0.2, }, { db: "PACKETSTORM", id: "167122", trust: 0.2, }, { db: "PACKETSTORM", id: "168657", trust: 0.2, }, { db: "PACKETSTORM", id: "165564", trust: 0.2, }, { db: "PACKETSTORM", id: "167140", trust: 0.2, }, { db: "PACKETSTORM", id: "167423", trust: 0.2, }, { db: "PACKETSTORM", id: "170498", trust: 0.1, }, { db: "PACKETSTORM", id: "169918", trust: 0.1, }, { db: "PACKETSTORM", id: "167142", trust: 0.1, }, { db: "PACKETSTORM", id: "164936", trust: 0.1, }, { db: "PACKETSTORM", id: "167424", trust: 0.1, }, { db: "PACKETSTORM", id: "165980", trust: 0.1, }, { db: "PACKETSTORM", id: "165105", trust: 
0.1, }, { db: "PACKETSTORM", id: "167964", trust: 0.1, }, { db: "PACKETSTORM", id: "167422", trust: 0.1, }, { db: "VULHUB", id: "VHN-398972", trust: 0.1, }, { db: "VULMON", id: "CVE-2021-37136", trust: 0.1, }, { db: "PACKETSTORM", id: "174675", trust: 0.1, }, { db: "PACKETSTORM", id: "166093", trust: 0.1, }, ], sources: [ { db: "VULHUB", id: "VHN-398972", }, { db: "VULMON", id: "CVE-2021-37136", }, { db: "PACKETSTORM", id: "167140", }, { db: "PACKETSTORM", id: "167122", }, { db: "PACKETSTORM", id: "168657", }, { db: "PACKETSTORM", id: "167423", }, { db: "PACKETSTORM", id: "166408", }, { db: "PACKETSTORM", id: "174675", }, { db: "PACKETSTORM", id: "166093", }, { db: "PACKETSTORM", id: "165564", }, { db: "NVD", id: "CVE-2021-37136", }, ], }, id: "VAR-202110-1706", iot: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: true, sources: [ { db: "VULHUB", id: "VHN-398972", }, ], trust: 0.01, }, last_update_date: "2024-11-29T21:39:16.920000Z", patch: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { title: "Red Hat: CVE-2021-37136", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2021-37136", }, ], sources: [ { db: "VULMON", id: "CVE-2021-37136", }, ], }, problemtype_data: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { problemtype: "CWE-400", trust: 1.1, }, ], sources: [ { db: "VULHUB", id: "VHN-398972", }, { db: "NVD", id: "CVE-2021-37136", }, ], }, references: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", data: { "@container": "@list", }, sources: { "@container": "@list", 
"@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { trust: 1.1, url: "https://security.netapp.com/advisory/ntap-20220210-0012/", }, { trust: 1.1, url: "https://www.debian.org/security/2023/dsa-5316", }, { trust: 1.1, url: "https://github.com/netty/netty/security/advisories/ghsa-grg4-wf29-r9vv", }, { trust: 1.1, url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { trust: 1.1, url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { trust: 1.1, url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { trust: 1.1, url: "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html", }, { trust: 1, url: "https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3ccommits.druid.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb%40%3ccommits.druid.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04%40%3ccommits.druid.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3ccommits.druid.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16%40%3ccommits.druid.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e%40%3cdev.tinkerpop.apache.org%3e", }, { trust: 0.9, url: "https://access.redhat.com/security/cve/cve-2021-37136", }, { trust: 0.8, url: "https://nvd.nist.gov/vuln/detail/cve-2021-37137", }, { trust: 0.8, url: "https://access.redhat.com/security/team/contact/", }, { trust: 0.8, url: "https://access.redhat.com/security/cve/cve-2021-37137", }, { trust: 0.8, url: "https://bugzilla.redhat.com/):", }, { trust: 0.8, url: 
"https://listman.redhat.com/mailman/listinfo/rhsa-announce", }, { trust: 0.8, url: "https://nvd.nist.gov/vuln/detail/cve-2021-37136", }, { trust: 0.6, url: "https://access.redhat.com/security/updates/classification/#moderate", }, { trust: 0.3, url: "https://issues.jboss.org/):", }, { trust: 0.3, url: "https://nvd.nist.gov/vuln/detail/cve-2021-43797", }, { trust: 0.3, url: "https://access.redhat.com/security/cve/cve-2021-43797", }, { trust: 0.3, url: "https://access.redhat.com/security/cve/cve-2021-41269", }, { trust: 0.3, url: "https://nvd.nist.gov/vuln/detail/cve-2021-41269", }, { trust: 0.3, url: "https://access.redhat.com/articles/11258", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2022-0759", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2022-21426", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2022-21443", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2022-21476", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2022-1154", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2022-21496", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2022-1154", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2022-21698", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2022-21496", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2022-25636", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2022-25636", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2022-21434", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-4028", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2022-21443", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2022-21434", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2022-0778", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2018-25032", }, { trust: 0.2, url: 
"https://nvd.nist.gov/vuln/detail/cve-2018-25032", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2021-4028", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2022-21426", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2022-21476", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2022-0778", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2022-0759", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2022-21698", }, { trust: 0.2, url: "https://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2022-1271", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2022-1271", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2021-22569", }, { trust: 0.2, url: "https://access.redhat.com/security/updates/classification/#important", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-22569", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-42392", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2021-42392", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2021-28170", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2021-4178", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-28170", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-2471", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-4178", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2021-2471", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2021-38153", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-38153", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3ccommits.druid.apache.org%3e", }, { trust: 0.1, url: 
"https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3ccommits.druid.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3ccommits.druid.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3ccommits.druid.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3ccommits.druid.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3cdev.tinkerpop.apache.org%3e", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2022:2218", }, { trust: 0.1, url: "https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html", }, { trust: 0.1, url: "https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2022:2217", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-24773", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2022:6835", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-0536", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-25647", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-21724", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-24771", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-25858", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-0235", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-24771", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-26520", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-25647", }, { trust: 0.1, url: 
"https://nvd.nist.gov/vuln/detail/cve-2022-0235", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-23647", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-37734", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-0981", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-23647", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-24772", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-24773", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-25857", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-0536", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-21724", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-25857", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-0981", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-31129", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-24772", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-0084", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-23437", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-0866", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2022:4918", }, { trust: 0.1, url: "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-24785", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-0084", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-21299", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-21299", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-23913", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-36518", }, { trust: 0.1, url: "https://access.redhat.com/security/team/key/", }, { trust: 
0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-23221", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-24785", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-1319", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-36518", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-21363", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-1319", }, { trust: 0.1, url: "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-0866", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-0853", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-23437", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-23221", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-0853", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-23913", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-21363", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-28168", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-40690", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-30129", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-15522", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2022:1013", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-8908", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-26291", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-26291", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-15522", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-8908", }, { trust: 0.1, url: "https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q2", }, { trust: 0.1, url: 
"https://nvd.nist.gov/vuln/detail/cve-2021-28168", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-30129", }, { trust: 0.1, url: "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product=red.hat.integration&version=2022-q2", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-40690", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2023-34455", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2023-34455", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2023-3635", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-36944", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-1471", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2023-2976", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2023-34462", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2023-2976", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2023-26048", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2023-34454", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2023:5165", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2023-0482", }, { trust: 0.1, url: "https://access.redhat.com/documentation/en-us/red_hat_amq_streams/2.5", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-24823", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2023-34454", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-1471", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-36944", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-24823", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2023-26048", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2023-34453", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2023-33201", }, { trust: 0.1, url: 
"https://issues.redhat.com/):", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2023-33201", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2023-26049", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2023-26049", }, { trust: 0.1, url: "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product=jboss.amq.streams&version=2.5.0", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2023-34462", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2023-0482", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2023-34453", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-37714", }, { trust: 0.1, url: "https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.2/", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-37714", }, { trust: 0.1, url: "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=redhat.quarkus&downloadtype=distributions&version=2.2.5", }, { trust: 0.1, url: "https://access.redhat.com/articles/4966181", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2022:0589", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-44832", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-44832", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-34429", }, { trust: 0.1, url: "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product=jboss.amq.streams&version=2.0.0", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-34429", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2022:0138", }, ], sources: [ { db: "VULHUB", id: "VHN-398972", }, { db: "VULMON", id: "CVE-2021-37136", }, { db: "PACKETSTORM", id: "167140", }, { db: "PACKETSTORM", id: "167122", }, { db: "PACKETSTORM", id: "168657", }, { db: "PACKETSTORM", id: "167423", }, { db: 
"PACKETSTORM", id: "166408", }, { db: "PACKETSTORM", id: "174675", }, { db: "PACKETSTORM", id: "166093", }, { db: "PACKETSTORM", id: "165564", }, { db: "NVD", id: "CVE-2021-37136", }, ], }, sources: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", data: { "@container": "@list", }, }, data: [ { db: "VULHUB", id: "VHN-398972", }, { db: "VULMON", id: "CVE-2021-37136", }, { db: "PACKETSTORM", id: "167140", }, { db: "PACKETSTORM", id: "167122", }, { db: "PACKETSTORM", id: "168657", }, { db: "PACKETSTORM", id: "167423", }, { db: "PACKETSTORM", id: "166408", }, { db: "PACKETSTORM", id: "174675", }, { db: "PACKETSTORM", id: "166093", }, { db: "PACKETSTORM", id: "165564", }, { db: "NVD", id: "CVE-2021-37136", }, ], }, sources_release_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", data: { "@container": "@list", }, }, data: [ { date: "2021-10-19T00:00:00", db: "VULHUB", id: "VHN-398972", }, { date: "2022-05-12T15:53:27", db: "PACKETSTORM", id: "167140", }, { date: "2022-05-12T15:38:35", db: "PACKETSTORM", id: "167122", }, { date: "2022-10-07T15:02:16", db: "PACKETSTORM", id: "168657", }, { date: "2022-06-07T15:14:53", db: "PACKETSTORM", id: "167423", }, { date: "2022-03-23T15:52:53", db: "PACKETSTORM", id: "166408", }, { date: "2023-09-15T13:53:16", db: "PACKETSTORM", id: "174675", }, { date: "2022-02-22T16:52:49", db: "PACKETSTORM", id: "166093", }, { date: "2022-01-14T15:29:02", db: "PACKETSTORM", id: "165564", }, { date: "2021-10-19T15:15:07.697000", db: "NVD", id: "CVE-2021-37136", }, ], }, sources_update_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", data: { "@container": "@list", }, }, data: [ { date: "2023-02-24T00:00:00", db: "VULHUB", id: "VHN-398972", }, { date: "2023-11-07T03:36:54.390000", db: "NVD", id: "CVE-2021-37136", }, ], }, title: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", sources: { "@container": "@list", "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Red Hat Security Advisory 2022-2218-01", sources: [ { db: "PACKETSTORM", id: "167140", }, ], trust: 0.1, }, type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "code execution, memory leak", sources: [ { db: "PACKETSTORM", id: "167423", }, { db: "PACKETSTORM", id: "166408", }, ], trust: 0.2, }, }
var-202012-1529
Vulnerability from variot
A flaw was found in FasterXML Jackson Databind, where entity expansion was not properly secured. This flaw exposes applications that use it to XML external entity (XXE) attacks. The highest threat from this vulnerability is to data integrity. FasterXML Jackson is a data processing tool for Java developed by the American company FasterXML. There is a security vulnerability in FasterXML Jackson Databind which an attacker can exploit by submitting malicious XML data to FasterXML Jackson Databind in order to read files, scan sites, or trigger a denial of service. Description:
Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation (DMN) execution, and Business Optimizer for solving planning problems. It automates business decisions and makes that logic available to the entire business.
Security Fix(es):
-
xmlgraphics-commons: SSRF due to improper input validation by the XMPParser (CVE-2020-11988)
-
xstream: allow a remote attacker to cause DoS only by manipulating the processed input stream (CVE-2021-21341)
-
xstream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream (CVE-2021-21351)
-
xstream: arbitrary file deletion on the local host via crafted input stream (CVE-2021-21343)
-
xstream: arbitrary file deletion on the local host when unmarshalling (CVE-2020-26259)
-
xstream: ReDoS vulnerability (CVE-2021-21348)
-
xstream: Server-Side Forgery Request vulnerability can be activated when unmarshalling (CVE-2020-26258)
-
xstream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host (CVE-2021-21349)
-
xstream: SSRF via crafted input stream (CVE-2021-21342)
-
jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE) (CVE-2020-25649)
-
xstream: allow a remote attacker to execute arbitrary code only by manipulating the processed input stream (CVE-2021-21350)
-
xstream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream (CVE-2021-21346)
-
xstream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream (CVE-2021-21347)
-
xstream: allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream (CVE-2021-21345)
-
xstream: arbitrary code execution via crafted input stream (CVE-2021-21344)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
It is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process. Bugs fixed (https://bugzilla.redhat.com/):
1887664 - CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE) 1908832 - CVE-2020-26258 XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling 1908837 - CVE-2020-26259 XStream: arbitrary file deletion on the local host when unmarshalling 1933816 - CVE-2020-11988 xmlgraphics-commons: SSRF due to improper input validation by the XMPParser 1942539 - CVE-2021-21341 XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream 1942545 - CVE-2021-21342 XStream: SSRF via crafted input stream 1942550 - CVE-2021-21343 XStream: arbitrary file deletion on the local host via crafted input stream 1942554 - CVE-2021-21344 XStream: Unsafe deserialization of javax.sql.rowset.BaseRowSet 1942558 - CVE-2021-21345 XStream: Unsafe deserialization of com.sun.corba.se.impl.activation.ServerTableEntry 1942578 - CVE-2021-21346 XStream: Unsafe deserialization of sun.swing.SwingLazyValue 1942629 - CVE-2021-21347 XStream: Unsafe deserialization of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator 1942633 - CVE-2021-21348 XStream: ReDoS vulnerability 1942635 - CVE-2021-21349 XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host 1942637 - CVE-2021-21350 XStream: Unsafe deserialization of com.sun.org.apache.bcel.internal.util.ClassLoader 1942642 - CVE-2021-21351 XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream
- You must be logged in to download the update. Solution:
Before applying this update, ensure all previously released errata relevant to your system have been applied. JIRA issues fixed (https://issues.jboss.org/):
JBEAP-20029 - GSS Upgrade Artemis from 2.9.0.redhat-00011 to 2.9.0.redhat-00016 JBEAP-20089 - [GSS] (7.3.z) Upgrade undertow from 2.0.31.SP1-redhat-00001 to 2.0.32.SP1-redhat JBEAP-20119 - GSS Upgrade JBoss Remoting from 5.0.18.Final-redhat-00001 to 5.0.19.Final-redhat-00001 JBEAP-20161 - GSS Upgrade XNIO from 3.7.9.Final to 3.7.11.Final JBEAP-20221 - Tracker bug for the EAP 7.3.4 release for RHEL-6 JBEAP-20239 - GSS Upgrade Hibernate Validator from 6.0.20.Final to 6.0.21.Final JBEAP-20246 - GSS Upgrade JBoss Marshalling from 2.0.9.Final to 2.0.10.Final JBEAP-20285 - GSS Upgrade HAL from 3.2.10.Final-redhat-00001 to 3.2.11.Final JBEAP-20300 - (7.3.z) Upgrade jasypt from 1.9.3-redhat-00001 to 1.9.3-redhat-00002 JBEAP-20325 - (7.3.z) Upgrade WildFly Arquillian to 3.0.1.Final for the ts.bootable profile JBEAP-20364 - (7.3.z) Upgrade com.github.fge.msg-simple to 1.1.0.redhat-00007 and com.github.fge.btf to 1.2.0.redhat-00007 JBEAP-20368 - (7.3.z) Upgrade Bootable JAR Maven plugin to 2.0.1.Final
- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Important: rh-maven35-jackson-databind security update Advisory ID: RHSA-2020:4312-01 Product: Red Hat Software Collections Advisory URL: https://access.redhat.com/errata/RHSA-2020:4312 Issue date: 2020-10-22 CVE Names: CVE-2020-25649 ==================================================================== 1. Summary:
An update for rh-maven35-jackson-databind is now available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6) - noarch Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7) - noarch Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch
- Description:
The jackson-databind package provides general data-binding functionality for Jackson, which works on top of Jackson core streaming API.
Security Fix(es):
- jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE) (CVE-2020-25649)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
- Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Package List:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source: rh-maven35-jackson-databind-2.7.6-2.12.el7.src.rpm
noarch: rh-maven35-jackson-databind-2.7.6-2.12.el7.noarch.rpm rh-maven35-jackson-databind-javadoc-2.7.6-2.12.el7.noarch.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source: rh-maven35-jackson-databind-2.7.6-2.12.el7.src.rpm
noarch: rh-maven35-jackson-databind-2.7.6-2.12.el7.noarch.rpm rh-maven35-jackson-databind-javadoc-2.7.6-2.12.el7.noarch.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6):
Source: rh-maven35-jackson-databind-2.7.6-2.12.el7.src.rpm
noarch: rh-maven35-jackson-databind-2.7.6-2.12.el7.noarch.rpm rh-maven35-jackson-databind-javadoc-2.7.6-2.12.el7.noarch.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7):
Source: rh-maven35-jackson-databind-2.7.6-2.12.el7.src.rpm
noarch: rh-maven35-jackson-databind-2.7.6-2.12.el7.noarch.rpm rh-maven35-jackson-databind-javadoc-2.7.6-2.12.el7.noarch.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):
Source: rh-maven35-jackson-databind-2.7.6-2.12.el7.src.rpm
noarch: rh-maven35-jackson-databind-2.7.6-2.12.el7.noarch.rpm rh-maven35-jackson-databind-javadoc-2.7.6-2.12.el7.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2020-25649 https://access.redhat.com/security/updates/classification/#important
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBX5G3l9zjgjWX9erEAQgNJw//V6i0MaE6kJf78AmcwlVreSW1RPxOKN/E x/K1urqgA74g4anadf8MRodiyk+JgL5Uujh1rGNFzMksL+U8F2XE3C5eZZu+L4lC wC+JVh1xKWRSmgVZab6GtQdUL7NvbBu4zl6lVqfdhgV7/24JJVfpvQ+s7X1m0yko vL83uZ5YVlvP7bdk4B+MF8CtyjmxOI3DhaJk0L88uTvNIVSSBCKLihQfmT5g7hB0 VnlYW1ThsnaGOvYSK1mhaWUQv3fw+xIIJ1e6xSlyVAANNI1cRuOS6502fzsn+s89 HOLUq47hPM+2YQBnj6nZi5KfaA7J+fDQfp0rsMrGzDI92nvG1FO+PhLHU/VdOESL Rwpy/dCG/Sx1499a0Tziwf1H5Dadfwpu2dIp7yNmPxHtPXUuwNJDoo9zWOggvZoR 97Syo6dfh2YxFsbshHEiFNH8siFNBsmU5dcDXD/asMNigoiIAW508ojfHhfr5yLc r42xHhBPmxnot65DNeQrwjUmibLCef3J3en0uV/OEyTgoaxlqt1Zf1uWUQ6aQxR/ Enklt1rKx8398R8UB61gRTYftaNX6md3zgWz844meG+cakEA1obWrO2Fau/67lNe NqGuFRDGGidSCL2v/WU/49AA7FReEm7wKuR/u0zbH50I4ihH7uR9DkrGvWD4soAe /o4+qVFSE74=ygzN -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . See the following advisory for the container images for this release:
https://access.redhat.com/errata/RHBA-2021:1427
All OpenShift Container Platform 4.6 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor
- Solution:
For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:
https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html
Details on how to access this content are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html
- Description:
Red Hat Data Grid is a distributed, in-memory, NoSQL datastore based on the Infinispan project.
This release of Red Hat Data Grid 7.3.8 serves as a replacement for Red Hat Data Grid 7.3.7 and includes bug fixes and enhancements, which are described in the Release Notes, linked to in the References section of this erratum. Solution:
To install this update, do the following:
- Download the Data Grid 7.3.8 server patch from the customer portal. See the download link in the References section. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on. Install the Data Grid 7.3.8 server patch. Refer to the 7.3 Release Notes for patching instructions. Restart Data Grid to ensure the changes take effect. Description:
The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.
The Manager is a JBoss Application Server application that provides several interfaces through which the virtual environment can be accessed and interacted with, including an Administration Portal, a VM Portal, and a Representational State Transfer (REST) Application Programming Interface (API).
Bug Fix(es):
-
Red Hat Virtualization Manager now requires Ansible 2.9.15. (BZ#1901946)
-
Bugs fixed (https://bugzilla.redhat.com/):
1627997 - [RFE] Allow SPM switching if all tasks have finished via REST-API 1702237 - [RFE] add API for listing disksnapshots under disk resource 1796231 - VM disk remains in locked state if image transfer (image download) timesout due to inactivity. 1868114 - RHV-M UI/Webadmin: The "Disk Snapshots" tab reflects incorrect "Creation Date" information. 1875951 - Disk hot-unplug fails on engine side with NPE in setDiskVmElements after unplugging from the VM. 1879655 - [RFE] Implement searching VM's with partial name or case sensitive vm names in VM Portal. 1880015 - oVirt metrics example Kibana dashboards are broken in Kibana 7.x 1881115 - RHEL VM icons squashed, please adhere to brand rules 1881357 - German language greeting page says Red Hat® 1887664 - CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE) 1893035 - rhv-log-collector-analyzer: check for double quotes in IPTablesConfigSiteCustom 1894298 - ModuleNotFoundError: No module named 'ovirt_engine' raised when starting ovirt-engine-dwhd.py in dev env 1901946 - [RFE] Bump ovirt-engine version lock to the newest Ansible version 1903385 - RFE: rhv-image-discrepancies should report if the truesize from VDSM has different size in images in the engine. 1903595 - [PPC] Can't add PPC host to Engine
6
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", affected_products: { "@id": "https://www.variotdbs.pl/ref/affected_products", }, configurations: { "@id": "https://www.variotdbs.pl/ref/configurations", }, credits: { "@id": "https://www.variotdbs.pl/ref/credits", }, cvss: { "@id": "https://www.variotdbs.pl/ref/cvss/", }, description: { "@id": "https://www.variotdbs.pl/ref/description/", }, exploit_availability: { "@id": "https://www.variotdbs.pl/ref/exploit_availability/", }, external_ids: { "@id": "https://www.variotdbs.pl/ref/external_ids/", }, iot: { "@id": "https://www.variotdbs.pl/ref/iot/", }, iot_taxonomy: { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/", }, patch: { "@id": "https://www.variotdbs.pl/ref/patch/", }, problemtype_data: { "@id": "https://www.variotdbs.pl/ref/problemtype_data/", }, references: { "@id": "https://www.variotdbs.pl/ref/references/", }, sources: { "@id": "https://www.variotdbs.pl/ref/sources/", }, sources_release_date: { "@id": "https://www.variotdbs.pl/ref/sources_release_date/", }, sources_update_date: { "@id": "https://www.variotdbs.pl/ref/sources_update_date/", }, threat_type: { "@id": "https://www.variotdbs.pl/ref/threat_type/", }, title: { "@id": "https://www.variotdbs.pl/ref/title/", }, type: { "@id": "https://www.variotdbs.pl/ref/type/", }, }, "@id": "https://www.variotdbs.pl/vuln/VAR-202012-1529", affected_products: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { model: "insurance rules palette", scope: "lte", trust: 1, vendor: "oracle", version: "11.3.0", }, { model: "banking platform", scope: "eq", trust: 1, vendor: "oracle", version: "2.7.1", }, { model: "primavera gateway", scope: "gte", trust: 1, vendor: "oracle", version: "17.7", }, { model: 
"jackson-databind", scope: "lt", trust: 1, vendor: "fasterxml", version: "2.10.5.1", }, { model: "iotdb", scope: "lt", trust: 1, vendor: "apache", version: "0.12.0", }, { model: "communications unified inventory management", scope: "eq", trust: 1, vendor: "oracle", version: "7.4.1", }, { model: "banking platform", scope: "eq", trust: 1, vendor: "oracle", version: "2.9.0", }, { model: "insurance policy administration", scope: "eq", trust: 1, vendor: "oracle", version: "11.0.2", }, { model: "jackson-databind", scope: "lt", trust: 1, vendor: "fasterxml", version: "2.9.10.7", }, { model: "retail service backbone", scope: "eq", trust: 1, vendor: "oracle", version: "14.1.3.2", }, { model: "retail service backbone", scope: "eq", trust: 1, vendor: "oracle", version: "15.0.3.1", }, { model: "retail xstore point of service", scope: "eq", trust: 1, vendor: "oracle", version: "16.0.6", }, { model: "communications billing and revenue management", scope: "eq", trust: 1, vendor: "oracle", version: "12.0.0.3.0", }, { model: "webcenter portal", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.1.3.0", }, { model: "webcenter portal", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.1.4.0", }, { model: "communications evolved communications application server", scope: "eq", trust: 1, vendor: "oracle", version: "7.1", }, { model: "agile product lifecycle management integration pack", scope: "eq", trust: 1, vendor: "oracle", version: "3.6", }, { model: "primavera gateway", scope: "gte", trust: 1, vendor: "oracle", version: "19.12.0", }, { model: "jd edwards enterpriseone tools", scope: "lt", trust: 1, vendor: "oracle", version: "9.2.5.3", }, { model: "coherence", scope: "eq", trust: 1, vendor: "oracle", version: "14.1.1.0.0", }, { model: "oncommand workflow automation", scope: "eq", trust: 1, vendor: "netapp", version: null, }, { model: "coherence", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.1.4.0", }, { model: "blockchain platform", scope: "lt", trust: 1, 
vendor: "oracle", version: "21.1.2", }, { model: "communications interactive session recorder", scope: "eq", trust: 1, vendor: "oracle", version: "6.4", }, { model: "agile plm", scope: "eq", trust: 1, vendor: "oracle", version: "9.3.6", }, { model: "primavera gateway", scope: "gte", trust: 1, vendor: "oracle", version: "17.12.0", }, { model: "primavera gateway", scope: "eq", trust: 1, vendor: "oracle", version: "20.12.0", }, { model: "communications messaging server", scope: "eq", trust: 1, vendor: "oracle", version: "8.0.2", }, { model: "jackson-databind", scope: "lt", trust: 1, vendor: "fasterxml", version: "2.6.7.4", }, { model: "insurance rules palette", scope: "eq", trust: 1, vendor: "oracle", version: "11.0.2", }, { model: "banking platform", scope: "eq", trust: 1, vendor: "oracle", version: "2.10.0", }, { model: "commerce platform", scope: "lte", trust: 1, vendor: "oracle", version: "11.3.2", }, { model: "service level manager", scope: "eq", trust: 1, vendor: "netapp", version: null, }, { model: "retail xstore point of service", scope: "eq", trust: 1, vendor: "oracle", version: "18.0.3", }, { model: "banking platform", scope: "eq", trust: 1, vendor: "oracle", version: "2.6.2", }, { model: "communications pricing design center", scope: "eq", trust: 1, vendor: "oracle", version: "12.0.0.4.0", }, { model: "banking apis", scope: "eq", trust: 1, vendor: "oracle", version: "19.1", }, { model: "utilities framework", scope: "eq", trust: 1, vendor: "oracle", version: "4.4.0.0.0", }, { model: "retail xstore point of service", scope: "eq", trust: 1, vendor: "oracle", version: "20.0.1", }, { model: "jackson-databind", scope: "gte", trust: 1, vendor: "fasterxml", version: "2.9.0", }, { model: "oncommand api services", scope: "eq", trust: 1, vendor: "netapp", version: null, }, { model: "communications offline mediation controller", scope: "eq", trust: 1, vendor: "oracle", version: "12.0.0.3", }, { model: "banking apis", scope: "gte", trust: 1, vendor: "oracle", version: 
"18.1", }, { model: "health sciences empirica signal", scope: "eq", trust: 1, vendor: "oracle", version: "9.0", }, { model: "health sciences empirica signal", scope: "eq", trust: 1, vendor: "oracle", version: "9.1", }, { model: "retail xstore point of service", scope: "eq", trust: 1, vendor: "oracle", version: "19.0.2", }, { model: "jd edwards enterpriseone orchestrator", scope: "lt", trust: 1, vendor: "oracle", version: "9.2.5.3", }, { model: "insurance policy administration", scope: "gte", trust: 1, vendor: "oracle", version: "11.1.0", }, { model: "banking apis", scope: "lte", trust: 1, vendor: "oracle", version: "18.3", }, { model: "communications services gatekeeper", scope: "eq", trust: 1, vendor: "oracle", version: "7.0", }, { model: "primavera gateway", scope: "lte", trust: 1, vendor: "oracle", version: "19.12.10", }, { model: "retail xstore point of service", scope: "eq", trust: 1, vendor: "oracle", version: "17.0.4", }, { model: "banking platform", scope: "eq", trust: 1, vendor: "oracle", version: "2.7.0", }, { model: "fedora", scope: "eq", trust: 1, vendor: "fedoraproject", version: "32", }, { model: "banking apis", scope: "eq", trust: 1, vendor: "oracle", version: "20.1", }, { model: "jackson-databind", scope: "gte", trust: 1, vendor: "fasterxml", version: "2.6.0", }, { model: "banking treasury management", scope: "eq", trust: 1, vendor: "oracle", version: "4.4", }, { model: "commerce platform", scope: "gte", trust: 1, vendor: "oracle", version: "11.3.0", }, { model: "jackson-databind", scope: "gte", trust: 1, vendor: "fasterxml", version: "2.10.0", }, { model: "banking platform", scope: "eq", trust: 1, vendor: "oracle", version: "2.8.0", }, { model: "primavera gateway", scope: "lte", trust: 1, vendor: "oracle", version: "17.12", }, { model: "primavera gateway", scope: "lte", trust: 1, vendor: "oracle", version: "17.12.11", }, { model: "retail service backbone", scope: "eq", trust: 1, vendor: "oracle", version: "16.0.3", }, { model: "insurance policy 
administration", scope: "lte", trust: 1, vendor: "oracle", version: "11.3.0", }, { model: "utilities framework", scope: "eq", trust: 1, vendor: "oracle", version: "4.4.0.2.0", }, { model: "communications cloud native core unified data repository", scope: "eq", trust: 1, vendor: "oracle", version: "1.4.0", }, { model: "commerce platform", scope: "eq", trust: 1, vendor: "oracle", version: "11.2.0", }, { model: "utilities framework", scope: "eq", trust: 1, vendor: "oracle", version: "4.3.0.5.0", }, { model: "banking apis", scope: "eq", trust: 1, vendor: "oracle", version: "19.2", }, { model: "communications interactive session recorder", scope: "eq", trust: 1, vendor: "oracle", version: "6.3", }, { model: "banking apis", scope: "eq", trust: 1, vendor: "oracle", version: "21.1", }, { model: "communications convergent charging controller", scope: "eq", trust: 1, vendor: "oracle", version: "12.0.4.0.0", }, { model: "communications instant messaging server", scope: "eq", trust: 1, vendor: "oracle", version: "10.0.1.5.0", }, { model: "insurance rules palette", scope: "gte", trust: 1, vendor: "oracle", version: "11.1.0", }, { model: "communications network charging and control", scope: "eq", trust: 1, vendor: "oracle", version: "12.0.4.0.0", }, { model: "primavera gateway", scope: "lte", trust: 1, vendor: "oracle", version: "18.8.11", }, { model: "communications billing and revenue management", scope: "eq", trust: 1, vendor: "oracle", version: "7.5.0.23.0", }, { model: "primavera gateway", scope: "gte", trust: 1, vendor: "oracle", version: "18.8.0", }, { model: "utilities framework", scope: "eq", trust: 1, vendor: "oracle", version: "4.4.0.3.0", }, { model: "utilities framework", scope: "eq", trust: 1, vendor: "oracle", version: "4.3.0.6.0", }, { model: "sd-wan edge", scope: "eq", trust: 1, vendor: "oracle", version: "9.0", }, { model: "goldengate application adapters", scope: "eq", trust: 1, vendor: "oracle", version: "19.1.0.0.0", }, { model: "quarkus", scope: "lte", 
trust: 1, vendor: "quarkus", version: "1.6.1", }, { model: "communications messaging server", scope: "eq", trust: 1, vendor: "oracle", version: "8.1", }, { model: "hitachi ops center analyzer viewpoint", scope: null, trust: 0.8, vendor: "日立", version: null, }, { model: "service level manager", scope: null, trust: 0.8, vendor: "netapp", version: null, }, { model: "oncommand workflow automation", scope: null, trust: 0.8, vendor: "netapp", version: null, }, { model: "fedora", scope: null, trust: 0.8, vendor: "fedora", version: null, }, { model: "oncommand api services", scope: null, trust: 0.8, vendor: "netapp", version: null, }, { model: "quarkus", scope: null, trust: 0.8, vendor: "quarkus", version: null, }, { model: "jackson-databind", scope: null, trust: 0.8, vendor: "fasterxml", version: null, }, ], sources: [ { db: "JVNDB", id: "JVNDB-2020-014030", }, { db: "NVD", id: "CVE-2020-25649", }, ], }, credits: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Red Hat", sources: [ { db: "PACKETSTORM", id: "163201", }, { db: "PACKETSTORM", id: "163205", }, { db: "PACKETSTORM", id: "159759", }, { db: "PACKETSTORM", id: "160554", }, { db: "PACKETSTORM", id: "160347", }, { db: "PACKETSTORM", id: "159680", }, { db: "PACKETSTORM", id: "162478", }, { db: "PACKETSTORM", id: "160489", }, { db: "PACKETSTORM", id: "161261", }, ], trust: 0.9, }, cve: "CVE-2020-25649", cvss: { "@context": { cvssV2: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2", }, cvssV3: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/", }, severity: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#", }, "@id": 
"https://www.variotdbs.pl/ref/cvss/severity", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { cvssV2: [ { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "nvd@nist.gov", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "NONE", exploitabilityScore: 10, id: "CVE-2020-25649", impactScore: 2.9, integrityImpact: "PARTIAL", severity: "MEDIUM", trust: 1.8, vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:N", version: "2.0", }, { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "VULHUB", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "NONE", exploitabilityScore: 10, id: "VHN-179648", impactScore: 2.9, integrityImpact: "PARTIAL", severity: "MEDIUM", trust: 0.1, vectorString: "AV:N/AC:L/AU:N/C:N/I:P/A:N", version: "2.0", }, ], cvssV3: [ { attackComplexity: "LOW", attackVector: "NETWORK", author: "nvd@nist.gov", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", exploitabilityScore: 3.9, id: "CVE-2020-25649", impactScore: 3.6, integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", trust: 1, userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, { attackComplexity: "Low", attackVector: "Network", author: "NVD", availabilityImpact: "None", baseScore: 7.5, baseSeverity: "High", confidentialityImpact: "None", exploitabilityScore: null, id: "CVE-2020-25649", impactScore: null, integrityImpact: "High", privilegesRequired: "None", scope: "Unchanged", trust: 0.8, userInteraction: "None", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.0", }, ], severity: [ { author: "nvd@nist.gov", id: "CVE-2020-25649", trust: 1, value: "HIGH", }, { author: "NVD", id: "CVE-2020-25649", trust: 0.8, value: "High", }, { author: "VULHUB", id: "VHN-179648", 
trust: 0.1, value: "MEDIUM", }, ], }, ], sources: [ { db: "VULHUB", id: "VHN-179648", }, { db: "JVNDB", id: "JVNDB-2020-014030", }, { db: "NVD", id: "CVE-2020-25649", }, ], }, description: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "A flaw was found in FasterXML Jackson Databind, where entity expansion in the DOMDeserializer was not secured properly. An application that deserializes untrusted XML through this path is therefore vulnerable to XML external entity (XXE) attacks. The highest threat from this vulnerability is to data integrity. FasterXML Jackson is a data processing tool for Java developed by FasterXML. There is a security vulnerability in FasterXML Jackson Databind that an attacker could exploit by sending malicious XML data to read files, scan sites, or trigger a denial of service; note, however, that the NVD CVSS v3.1 vector recorded for this issue (C:N/I:H/A:N) rates only the integrity impact. Description:\n\nRed Hat Decision Manager is an open source decision management platform\nthat combines business rules management, complex event processing, Decision\nModel & Notation (DMN) execution, and Business Optimizer for solving\nplanning problems. It automates business decisions and makes that logic\navailable to the entire business. 
\n\nSecurity Fix(es):\n\n* xmlgraphics-commons: SSRF due to improper input validation by the\nXMPParser (CVE-2020-11988)\n\n* xstream: allow a remote attacker to cause DoS only by manipulating the\nprocessed input stream (CVE-2021-21341)\n\n* xstream: allow a remote attacker to load and execute arbitrary code from\na remote host only by manipulating the processed input stream\n(CVE-2021-21351)\n\n* xstream: arbitrary file deletion on the local host via crafted input\nstream (CVE-2021-21343)\n\n* xstream: arbitrary file deletion on the local host when unmarshalling\n(CVE-2020-26259)\n\n* xstream: ReDoS vulnerability (CVE-2021-21348)\n\n* xstream: Server-Side Forgery Request vulnerability can be activated when\nunmarshalling (CVE-2020-26258)\n\n* xstream: SSRF can be activated unmarshalling with XStream to access data\nstreams from an arbitrary URL referencing a resource in an intranet or the\nlocal host (CVE-2021-21349)\n\n* xstream: SSRF via crafted input stream (CVE-2021-21342)\n\n* jackson-databind: FasterXML DOMDeserializer insecure entity expansion is\nvulnerable to XML external entity (XXE) (CVE-2020-25649)\n\n* xstream: allow a remote attacker to execute arbitrary code only by\nmanipulating the processed input stream (CVE-2021-21350)\n\n* xstream: allow a remote attacker to load and execute arbitrary code from\na remote host only by manipulating the processed input stream\n(CVE-2021-21346)\n\n* xstream: allow a remote attacker to load and execute arbitrary code from\na remote host only by manipulating the processed input stream\n(CVE-2021-21347)\n\n* xstream: allow a remote attacker who has sufficient rights to execute\ncommands of the host only by manipulating the processed input stream\n(CVE-2021-21345)\n\n* xstream: arbitrary code execution via crafted input stream\n(CVE-2021-21344)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the 
References section. \n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update; after installing the update,\nrestart the server by starting the JBoss Application Server process. Bugs fixed (https://bugzilla.redhat.com/):\n\n1887664 - CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)\n1908832 - CVE-2020-26258 XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling\n1908837 - CVE-2020-26259 XStream: arbitrary file deletion on the local host when unmarshalling\n1933816 - CVE-2020-11988 xmlgraphics-commons: SSRF due to improper input validation by the XMPParser\n1942539 - CVE-2021-21341 XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream\n1942545 - CVE-2021-21342 XStream: SSRF via crafted input stream\n1942550 - CVE-2021-21343 XStream: arbitrary file deletion on the local host via crafted input stream\n1942554 - CVE-2021-21344 XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet\n1942558 - CVE-2021-21345 XStream: Unsafe deserizaliation of com.sun.corba.se.impl.activation.ServerTableEntry\n1942578 - CVE-2021-21346 XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue\n1942629 - CVE-2021-21347 XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator\n1942633 - CVE-2021-21348 XStream: ReDoS vulnerability\n1942635 - CVE-2021-21349 XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host\n1942637 - CVE-2021-21350 XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader\n1942642 - CVE-2021-21351 XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream\n\n5. 
You must be logged in to download the update. Solution:\n\nBefore applying this update, ensure all previously released errata relevant\nto your system have been applied. JIRA issues fixed (https://issues.jboss.org/):\n\nJBEAP-20029 - [GSS](7.3.z) Upgrade Artemis from 2.9.0.redhat-00011 to 2.9.0.redhat-00016\nJBEAP-20089 - [GSS] (7.3.z) Upgrade undertow from 2.0.31.SP1-redhat-00001 to 2.0.32.SP1-redhat\nJBEAP-20119 - [GSS](7.3.z) Upgrade JBoss Remoting from 5.0.18.Final-redhat-00001 to 5.0.19.Final-redhat-00001\nJBEAP-20161 - [GSS](7.3.z) Upgrade XNIO from 3.7.9.Final to 3.7.11.Final\nJBEAP-20221 - Tracker bug for the EAP 7.3.4 release for RHEL-6\nJBEAP-20239 - [GSS](7.3.z) Upgrade Hibernate Validator from 6.0.20.Final to 6.0.21.Final\nJBEAP-20246 - [GSS](7.3.z) Upgrade JBoss Marshalling from 2.0.9.Final to 2.0.10.Final\nJBEAP-20285 - [GSS](7.3.z) Upgrade HAL from 3.2.10.Final-redhat-00001 to 3.2.11.Final\nJBEAP-20300 - (7.3.z) Upgrade jasypt from 1.9.3-redhat-00001 to 1.9.3-redhat-00002\nJBEAP-20325 - (7.3.z) Upgrade WildFly Arquillian to 3.0.1.Final for the ts.bootable profile\nJBEAP-20364 - (7.3.z) Upgrade com.github.fge.msg-simple to 1.1.0.redhat-00007 and com.github.fge.btf to 1.2.0.redhat-00007\nJBEAP-20368 - (7.3.z) Upgrade Bootable JAR Maven plugin to 2.0.1.Final\n\n7. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Important: rh-maven35-jackson-databind security update\nAdvisory ID: RHSA-2020:4312-01\nProduct: Red Hat Software Collections\nAdvisory URL: https://access.redhat.com/errata/RHSA-2020:4312\nIssue date: 2020-10-22\nCVE Names: CVE-2020-25649\n====================================================================\n1. Summary:\n\nAn update for rh-maven35-jackson-databind is now available for Red Hat\nSoftware Collections. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. 
A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch\nRed Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6) - noarch\nRed Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7) - noarch\nRed Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch\n\n3. Description:\n\nThe jackson-databind package provides general data-binding functionality\nfor Jackson, which works on top of Jackson core streaming API. \n\nSecurity Fix(es):\n\n* jackson-databind: FasterXML DOMDeserializer insecure entity expansion is\nvulnerable to XML external entity (XXE) (CVE-2020-25649)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Package List:\n\nRed Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):\n\nSource:\nrh-maven35-jackson-databind-2.7.6-2.12.el7.src.rpm\n\nnoarch:\nrh-maven35-jackson-databind-2.7.6-2.12.el7.noarch.rpm\nrh-maven35-jackson-databind-javadoc-2.7.6-2.12.el7.noarch.rpm\n\nRed Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):\n\nSource:\nrh-maven35-jackson-databind-2.7.6-2.12.el7.src.rpm\n\nnoarch:\nrh-maven35-jackson-databind-2.7.6-2.12.el7.noarch.rpm\nrh-maven35-jackson-databind-javadoc-2.7.6-2.12.el7.noarch.rpm\n\nRed Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 
7.6):\n\nSource:\nrh-maven35-jackson-databind-2.7.6-2.12.el7.src.rpm\n\nnoarch:\nrh-maven35-jackson-databind-2.7.6-2.12.el7.noarch.rpm\nrh-maven35-jackson-databind-javadoc-2.7.6-2.12.el7.noarch.rpm\n\nRed Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7):\n\nSource:\nrh-maven35-jackson-databind-2.7.6-2.12.el7.src.rpm\n\nnoarch:\nrh-maven35-jackson-databind-2.7.6-2.12.el7.noarch.rpm\nrh-maven35-jackson-databind-javadoc-2.7.6-2.12.el7.noarch.rpm\n\nRed Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):\n\nSource:\nrh-maven35-jackson-databind-2.7.6-2.12.el7.src.rpm\n\nnoarch:\nrh-maven35-jackson-databind-2.7.6-2.12.el7.noarch.rpm\nrh-maven35-jackson-databind-javadoc-2.7.6-2.12.el7.noarch.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2020-25649\nhttps://access.redhat.com/security/updates/classification/#important\n\n8. Contact:\n\nThe Red Hat security contact is <secalert@redhat.com>. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2020 Red Hat, Inc. 
\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBX5G3l9zjgjWX9erEAQgNJw//V6i0MaE6kJf78AmcwlVreSW1RPxOKN/E\nx/K1urqgA74g4anadf8MRodiyk+JgL5Uujh1rGNFzMksL+U8F2XE3C5eZZu+L4lC\nwC+JVh1xKWRSmgVZab6GtQdUL7NvbBu4zl6lVqfdhgV7/24JJVfpvQ+s7X1m0yko\nvL83uZ5YVlvP7bdk4B+MF8CtyjmxOI3DhaJk0L88uTvNIVSSBCKLihQfmT5g7hB0\nVnlYW1ThsnaGOvYSK1mhaWUQv3fw+xIIJ1e6xSlyVAANNI1cRuOS6502fzsn+s89\nHOLUq47hPM+2YQBnj6nZi5KfaA7J+fDQfp0rsMrGzDI92nvG1FO+PhLHU/VdOESL\nRwpy/dCG/Sx1499a0Tziwf1H5Dadfwpu2dIp7yNmPxHtPXUuwNJDoo9zWOggvZoR\n97Syo6dfh2YxFsbshHEiFNH8siFNBsmU5dcDXD/asMNigoiIAW508ojfHhfr5yLc\nr42xHhBPmxnot65DNeQrwjUmibLCef3J3en0uV/OEyTgoaxlqt1Zf1uWUQ6aQxR/\nEnklt1rKx8398R8UB61gRTYftaNX6md3zgWz844meG+cakEA1obWrO2Fau/67lNe\nNqGuFRDGGidSCL2v/WU/49AA7FReEm7wKuR/u0zbH50I4ihH7uR9DkrGvWD4soAe\n/o4+qVFSE74=ygzN\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. See the following advisory for the container images for\nthis release:\n\nhttps://access.redhat.com/errata/RHBA-2021:1427\n\nAll OpenShift Container Platform 4.6 users are advised to upgrade to these\nupdated packages and images when they are available in the appropriate\nrelease channel. To check for available updates, use the OpenShift Console\nor the CLI oc command. Instructions for upgrading a cluster are available\nat\n\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster\n- -between-minor.html#understanding-upgrade-channels_updating-cluster-between\n- -minor\n\n3. 
Solution:\n\nFor OpenShift Container Platform 4.6 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel\nease-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.6/updating/updating-cluster\n- -cli.html\n\n4. Description:\n\nRed Hat Data Grid is a distributed, in-memory, NoSQL datastore based on the\nInfinispan project. \n\nThis release of Red Hat Data Grid 7.3.8 serves as a replacement for Red Hat\nData Grid 7.3.7 and includes bug fixes and enhancements, which are\ndescribed in the Release Notes, linked to in the References section of this\nerratum. Solution:\n\nTo install this update, do the following:\n\n1. Download the Data Grid 7.3.8 server patch from the customer portal. See\nthe download link in the References section. Back up your existing Data Grid installation. You should back up\ndatabases, configuration files, and so on. Install the Data Grid 7.3.8 server patch. Refer to the 7.3 Release Notes\nfor patching instructions. Restart Data Grid to ensure the changes take effect. Description:\n\nThe ovirt-engine package provides the Red Hat Virtualization Manager, a\ncentralized management platform that allows system administrators to view\nand manage virtual machines. The Manager provides a comprehensive range of\nfeatures including search capabilities, resource management, live\nmigrations, and virtual infrastructure provisioning. \n\nThe Manager is a JBoss Application Server application that provides several\ninterfaces through which the virtual environment can be accessed and\ninteracted with, including an Administration Portal, a VM Portal, and a\nRepresentational State Transfer (REST) Application Programming Interface\n(API). 
\n\nBug Fix(es):\n\n* Red Hat Virtualization Manager now requires Ansible 2.9.15. (BZ#1901946)\n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1627997 - [RFE] Allow SPM switching if all tasks have finished via REST-API\n1702237 - [RFE] add API for listing disksnapshots under disk resource\n1796231 - VM disk remains in locked state if image transfer (image download) timesout due to inactivity. \n1868114 - RHV-M UI/Webadmin: The \"Disk Snapshots\" tab reflects incorrect \"Creation Date\" information. \n1875951 - Disk hot-unplug fails on engine side with NPE in setDiskVmElements after unplugging from the VM. \n1879655 - [RFE] Implement searching VM's with partial name or case sensitive vm names in VM Portal. \n1880015 - oVirt metrics example Kibana dashboards are broken in Kibana 7.x\n1881115 - RHEL VM icons squashed, please adhere to brand rules\n1881357 - German language greeting page says Red Hat®\n1887664 - CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)\n1893035 - rhv-log-collector-analyzer: check for double quotes in IPTablesConfigSiteCustom\n1894298 - ModuleNotFoundError: No module named 'ovirt_engine' raised when starting ovirt-engine-dwhd.py in dev env\n1901946 - [RFE] Bump ovirt-engine version lock to the newest Ansible version\n1903385 - RFE: rhv-image-discrepancies should report if the truesize from VDSM has different size in images in the engine. 
\n1903595 - [PPC] Can't add PPC host to Engine\n\n6", sources: [ { db: "NVD", id: "CVE-2020-25649", }, { db: "JVNDB", id: "JVNDB-2020-014030", }, { db: "VULHUB", id: "VHN-179648", }, { db: "PACKETSTORM", id: "163201", }, { db: "PACKETSTORM", id: "163205", }, { db: "PACKETSTORM", id: "159759", }, { db: "PACKETSTORM", id: "160554", }, { db: "PACKETSTORM", id: "160347", }, { db: "PACKETSTORM", id: "159680", }, { db: "PACKETSTORM", id: "162478", }, { db: "PACKETSTORM", id: "160489", }, { db: "PACKETSTORM", id: "161261", }, ], trust: 2.52, }, external_ids: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { db: "NVD", id: "CVE-2020-25649", trust: 2.8, }, { db: "JVNDB", id: "JVNDB-2020-014030", trust: 0.8, }, { db: "PACKETSTORM", id: "163205", trust: 0.2, }, { db: "PACKETSTORM", id: "160347", trust: 0.2, }, { db: "PACKETSTORM", id: "162478", trust: 0.2, }, { db: "PACKETSTORM", id: "160489", trust: 0.2, }, { db: "PACKETSTORM", id: "163201", trust: 0.2, }, { db: "PACKETSTORM", id: "160554", trust: 0.2, }, { db: "PACKETSTORM", id: "159759", trust: 0.2, }, { db: "PACKETSTORM", id: "159680", trust: 0.2, }, { db: "PACKETSTORM", id: "161261", trust: 0.2, }, { db: "PACKETSTORM", id: "160349", trust: 0.1, }, { db: "PACKETSTORM", id: "160346", trust: 0.1, }, { db: "PACKETSTORM", id: "159973", trust: 0.1, }, { db: "PACKETSTORM", id: "162696", trust: 0.1, }, { db: "PACKETSTORM", id: "160348", trust: 0.1, }, { db: "PACKETSTORM", id: "159767", trust: 0.1, }, { db: "PACKETSTORM", id: "162240", trust: 0.1, }, { db: "PACKETSTORM", id: "161766", trust: 0.1, }, { db: "PACKETSTORM", id: "160535", trust: 0.1, }, { db: "CNNVD", id: "CNNVD-202010-622", trust: 0.1, }, { db: "VULHUB", id: "VHN-179648", trust: 0.1, }, ], sources: [ { db: "VULHUB", id: "VHN-179648", }, { db: "JVNDB", id: "JVNDB-2020-014030", }, { db: 
"PACKETSTORM", id: "163201", }, { db: "PACKETSTORM", id: "163205", }, { db: "PACKETSTORM", id: "159759", }, { db: "PACKETSTORM", id: "160554", }, { db: "PACKETSTORM", id: "160347", }, { db: "PACKETSTORM", id: "159680", }, { db: "PACKETSTORM", id: "162478", }, { db: "PACKETSTORM", id: "160489", }, { db: "PACKETSTORM", id: "161261", }, { db: "NVD", id: "CVE-2020-25649", }, ], }, id: "VAR-202012-1529", iot: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: true, sources: [ { db: "VULHUB", id: "VHN-179648", }, ], trust: 0.01, }, last_update_date: "2024-11-29T21:28:54.682000Z", patch: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { title: "hitachi-sec-2021-111", trust: 0.8, url: "https://github.com/FasterXML/jackson-databind/issues/2589", }, ], sources: [ { db: "JVNDB", id: "JVNDB-2020-014030", }, ], }, problemtype_data: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { problemtype: "CWE-611", trust: 1.1, }, { problemtype: "XML Improper restrictions on external entity references (CWE-611) [ Other ]", trust: 0.8, }, ], sources: [ { db: "VULHUB", id: "VHN-179648", }, { db: "JVNDB", id: "JVNDB-2020-014030", }, { db: "NVD", id: "CVE-2020-25649", }, ], }, references: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { trust: 1.7, url: "https://nvd.nist.gov/vuln/detail/cve-2020-25649", }, { trust: 1.1, url: "https://security.netapp.com/advisory/ntap-20210108-0007/", }, { trust: 
1.1, url: "https://bugzilla.redhat.com/show_bug.cgi?id=1887664", }, { trust: 1.1, url: "https://github.com/fasterxml/jackson-databind/issues/2589", }, { trust: 1.1, url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { trust: 1.1, url: "https://www.oracle.com/security-alerts/cpuapr2021.html", }, { trust: 1.1, url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { trust: 1.1, url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { trust: 1.1, url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { trust: 1.1, url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { trust: 1, url: "https://lists.apache.org/thread.html/raf13235de6df1d47a717199e1ecd700dff3236632f5c9a1488d9845b%40%3cjira.kafka.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r6cbd599b80e787f02ff7a1391d9278a03f37d6a6f4f943f0f01a62fb%40%3creviews.iotdb.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r90d1e97b0a743cf697d89a792a9b669909cc5a1692d1e0083a22e66c%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rf1809a1374041a969d77afab21fc38925de066bc97e86157d3ac3402%40%3ccommits.karaf.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r605764e05e201db33b3e9c2e66ff620658f07ad74f296abe483f7042%40%3creviews.iotdb.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rc959cdb57c4fe198316130ff4a5ecbf9d680e356032ff2e9f4f05d54%40%3cjira.kafka.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r024b7bda9c43c5560d81238748775c5ecfe01b57280f90df1f773949%40%3cissues.hive.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304%40%3cdev.kafka.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r6e3d4f7991542119a4ca6330271d7fbf7b9fb3abab24ada82ddf1ee4%40%3cnotifications.zookeeper.apache.org%3e", }, { 
trust: 1, url: "https://lists.apache.org/thread.html/r6a6df5647583541e3cb71c75141008802f7025cee1c430d4ed78f4cc%40%3cissues.hive.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r7cb5b4b3e4bd41a8042e5725b7285877a17bcbf07f4eb3f7b316af60%40%3creviews.iotdb.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r8764bb835bcb8e311c882ff91dd3949c9824e905e880930be56f6ba3%40%3cuser.spark.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rb674520b9f6c808c1bf263b1369e14048ec3243615f35cfd24e33604%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r5f8a1608d758936bd6bbc5eed980777437b611537bf6fff40663fc71%40%3cjira.kafka.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r98bfe3b90ea9408f12c4b447edcb5638703d80bc782430aa0c210a54%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rc15e90bbef196a5c6c01659e015249d6c9a73581ca9afb8aeecf00d2%40%3cjira.kafka.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r765283e145049df9b8998f14dcd444345555aae02b1610cfb3188bf8%40%3cnotifications.iotdb.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r2882fc1f3032cd7be66e28787f04ec6f1874ac68d47e310e30ff7eb1%40%3cjira.kafka.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r2f5c5479f99398ef344b7ebd4d90bc3316236c45d0f3bc42090efcd7%40%3cissues.hive.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r73bef1bb601a9f093f915f8075eb49fcca51efade57b817afd5def07%40%3ccommits.iotdb.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r63c87aab97155f3f3cbe11d030c4a184ea0de440ee714977db02e956%40%3cjira.kafka.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r04529cedaca40c2ff90af4880493f9c88a8ebf4d1d6c861d23108a5a%40%3cnotifications.zookeeper.apache.org%3e", }, { trust: 1, url: 
"https://lists.apache.org/thread.html/r2b6ddb3a4f4cd11d8f6305011e1b7438ba813511f2e3ab3180c7ffda%40%3ccommits.druid.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rd6f6bf848c2d47fa4a85c27d011d948778b8f7e58ba495968435a0b3%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r0b8dc3acd4503e4ecb6fbd6ea7d95f59941168d8452ac0ab1d1d96bb%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rdca8711bb7aa5d47a44682606cd0ea3497e2e922f22b7ee83e81e6c1%40%3cissues.hive.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r45e7350dfc92bb192f3f88e9971c11ab2be0953cc375be3dda5170bd%40%3cissues.flink.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3cdev.kafka.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rd317f15a675d114dbf5b488d27eeb2467b4424356b16116eb18a652d%40%3cjira.kafka.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/re96dc7a13e13e56190a5d80f9e5440a0d0c83aeec6467b562fbf2dca%40%3cjira.kafka.apache.org%3e", }, { trust: 1, url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6x2ut4x6m7dlqyboohmxbwgyj65rl2ct/", }, { trust: 1, url: "https://lists.apache.org/thread.html/r1b7ed0c4b6c4301d4dfd6fdbc5581b0a789d3240cab55d766f33c6c6%40%3cjira.kafka.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r78d53a0a269c18394daf5940105dc8c7f9a2399503c2e78be20abe7e%40%3cjira.kafka.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080%40%3cusers.kafka.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3cusers.kafka.apache.org%3e", }, { trust: 1, url: 
"https://lists.apache.org/thread.html/r31f4ee7d561d56a0c2c2c6eb1d6ce3e05917ff9654fdbfec05dc2b83%40%3ccommits.servicecomb.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080%40%3cdev.kafka.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304%40%3cusers.kafka.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rd57c7582adc90e233f23f3727db3df9115b27a823b92374f11453f34%40%3cissues.hive.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r3e6ae311842de4e64c5d560a475b7f9cc7e0a9a8649363c6cf7537eb%40%3ccommits.karaf.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3cusers.kafka.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r5b130fe668503c4b7e2caf1b16f86b7f2070fd1b7ef8f26195a2ffbd%40%3cissues.hive.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r91722ecfba688b0c565675f8bf380269fde8ec62b54d6161db544c22%40%3ccommits.karaf.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r68d029ee74ab0f3b0569d0c05f5688cb45dd3abe96a6534735252805%40%3cnotifications.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r011d1430e8f40dff9550c3bc5d0f48b14c01ba8aecabd91d5e495386%40%3ccommits.turbine.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r94c7e86e546120f157264ba5ba61fd29b3a8d530ed325a9b4fa334d7%40%3ccommits.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/ra95faf968f3463acb3f31a6fbec31453fc5045325f99f396961886d3%40%3cissues.flink.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r0881e23bd9034c8f51fdccdc8f4d085ba985dcd738f8520569ca5c3d%40%3cissues.hive.apache.org%3e", }, { trust: 1, url: 
"https://lists.apache.org/thread.html/ra1157e57a01d25e36b0dc17959ace758fc21ba36746de29ba1d8b130%40%3cjira.kafka.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/ra409f798a1e5a6652b7097429b388650ccd65fd958cee0b6f69bba00%40%3cissues.hive.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r6a4f3ef6edfed2e0884269d84798f766779bbbc1005f7884e0800d61%40%3cdev.knox.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r900d4408c4189b376d1ec580ea7740ea6f8710dc2f0b7e9c9eeb5ae0%40%3cdev.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rc88f2fa2b7bd6443921727aeee7704a1fb02433e722e2abf677e0d3d%40%3ccommits.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/re16f81d3ad49a93dd2f0cba9f8fc88e5fb89f30bf9a2ad7b6f3e69c1%40%3ccommits.karaf.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r2eb66c182853c69ecfb52f63d3dec09495e9b65be829fd889a081ae1%40%3cdev.hive.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r86c78bf7656fdb2dab69cbf17f3d7492300f771025f1a3a65d5e5ce5%40%3ccommits.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r8ae961c80930e2717c75025414ce48a432cea1137c02f648b1fb9524%40%3cissues.hive.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3cdev.kafka.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rc82ff47853289e9cd17f5cfbb053c04cafc75ee32e3d7223963f83bb%40%3cdev.knox.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r407538adec3185dd35a05c9a26ae2f74425b15132470cf540f41d85b%40%3cissues.hive.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r95a297eb5fd1f2d3a2281f15340e2413f952e9d5503296c3adc7201a%40%3ccommits.tomee.apache.org%3e", }, { trust: 1, url: 
"https://lists.apache.org/thread.html/rdf9a34726482222c90d50ae1b9847881de67dde8cfde4999633d2cdc%40%3ccommits.zookeeper.apache.org%3e", }, { trust: 0.9, url: "https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080@%3cdev.kafka.apache.org%3e", }, { trust: 0.9, url: "https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080@%3cusers.kafka.apache.org%3e", }, { trust: 0.9, url: "https://lists.apache.org/thread.html/rdf9a34726482222c90d50ae1b9847881de67dde8cfde4999633d2cdc@%3ccommits.zookeeper.apache.org%3e", }, { trust: 0.9, url: "https://lists.apache.org/thread.html/rc88f2fa2b7bd6443921727aeee7704a1fb02433e722e2abf677e0d3d@%3ccommits.zookeeper.apache.org%3e", }, { trust: 0.9, url: "https://lists.apache.org/thread.html/r94c7e86e546120f157264ba5ba61fd29b3a8d530ed325a9b4fa334d7@%3ccommits.zookeeper.apache.org%3e", }, { trust: 0.9, url: "https://lists.apache.org/thread.html/r86c78bf7656fdb2dab69cbf17f3d7492300f771025f1a3a65d5e5ce5@%3ccommits.zookeeper.apache.org%3e", }, { trust: 0.9, url: "https://access.redhat.com/security/cve/cve-2020-25649", }, { trust: 0.9, url: "https://access.redhat.com/security/team/contact/", }, { trust: 0.9, url: "https://bugzilla.redhat.com/):", }, { trust: 0.6, url: "https://www.redhat.com/mailman/listinfo/rhsa-announce", }, { trust: 0.5, url: "https://access.redhat.com/security/updates/classification/#important", }, { trust: 0.3, url: "https://listman.redhat.com/mailman/listinfo/rhsa-announce", }, { trust: 0.3, url: "https://access.redhat.com/security/team/key/", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-21350", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-21341", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2020-26258", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-21347", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-21349", }, { trust: 0.2, url: 
"https://nvd.nist.gov/vuln/detail/cve-2021-21341", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21342", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21351", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-21345", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2020-26259", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-21342", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-21344", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2020-26258", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21348", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-21348", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21344", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21349", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2020-11988", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2020-11988", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21350", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-21346", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21347", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21345", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-21343", }, { trust: 0.2, url: "https://access.redhat.com/security/updates/classification/#moderate", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21343", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21346", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-21351", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2020-26259", }, { trust: 0.2, url: "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/", }, { trust: 0.2, url: 
"https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2020-25638", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2020-25638", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2020-25644", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2020-25644", }, { trust: 0.2, url: "https://access.redhat.com/articles/11258", }, { trust: 0.2, url: "https://access.redhat.com/security/updates/classification/#low", }, { trust: 0.1, url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6x2ut4x6m7dlqyboohmxbwgyj65rl2ct/", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r31f4ee7d561d56a0c2c2c6eb1d6ce3e05917ff9654fdbfec05dc2b83@%3ccommits.servicecomb.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r2b6ddb3a4f4cd11d8f6305011e1b7438ba813511f2e3ab3180c7ffda@%3ccommits.druid.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/ra95faf968f3463acb3f31a6fbec31453fc5045325f99f396961886d3@%3cissues.flink.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r45e7350dfc92bb192f3f88e9971c11ab2be0953cc375be3dda5170bd@%3cissues.flink.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r2eb66c182853c69ecfb52f63d3dec09495e9b65be829fd889a081ae1@%3cdev.hive.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r0881e23bd9034c8f51fdccdc8f4d085ba985dcd738f8520569ca5c3d@%3cissues.hive.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r5b130fe668503c4b7e2caf1b16f86b7f2070fd1b7ef8f26195a2ffbd@%3cissues.hive.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rd57c7582adc90e233f23f3727db3df9115b27a823b92374f11453f34@%3cissues.hive.apache.org%3e", }, { trust: 0.1, url: 
"https://lists.apache.org/thread.html/r407538adec3185dd35a05c9a26ae2f74425b15132470cf540f41d85b@%3cissues.hive.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r2f5c5479f99398ef344b7ebd4d90bc3316236c45d0f3bc42090efcd7@%3cissues.hive.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/ra409f798a1e5a6652b7097429b388650ccd65fd958cee0b6f69bba00@%3cissues.hive.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rdca8711bb7aa5d47a44682606cd0ea3497e2e922f22b7ee83e81e6c1@%3cissues.hive.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r8ae961c80930e2717c75025414ce48a432cea1137c02f648b1fb9524@%3cissues.hive.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r6a6df5647583541e3cb71c75141008802f7025cee1c430d4ed78f4cc@%3cissues.hive.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r024b7bda9c43c5560d81238748775c5ecfe01b57280f90df1f773949@%3cissues.hive.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r73bef1bb601a9f093f915f8075eb49fcca51efade57b817afd5def07@%3ccommits.iotdb.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r765283e145049df9b8998f14dcd444345555aae02b1610cfb3188bf8@%3cnotifications.iotdb.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r7cb5b4b3e4bd41a8042e5725b7285877a17bcbf07f4eb3f7b316af60@%3creviews.iotdb.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r605764e05e201db33b3e9c2e66ff620658f07ad74f296abe483f7042@%3creviews.iotdb.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r6cbd599b80e787f02ff7a1391d9278a03f37d6a6f4f943f0f01a62fb@%3creviews.iotdb.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304@%3cdev.kafka.apache.org%3e", }, { trust: 0.1, url: 
"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3cdev.kafka.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3cdev.kafka.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/ra1157e57a01d25e36b0dc17959ace758fc21ba36746de29ba1d8b130@%3cjira.kafka.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r2882fc1f3032cd7be66e28787f04ec6f1874ac68d47e310e30ff7eb1@%3cjira.kafka.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/re96dc7a13e13e56190a5d80f9e5440a0d0c83aeec6467b562fbf2dca@%3cjira.kafka.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rd317f15a675d114dbf5b488d27eeb2467b4424356b16116eb18a652d@%3cjira.kafka.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r1b7ed0c4b6c4301d4dfd6fdbc5581b0a789d3240cab55d766f33c6c6@%3cjira.kafka.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rc959cdb57c4fe198316130ff4a5ecbf9d680e356032ff2e9f4f05d54@%3cjira.kafka.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r63c87aab97155f3f3cbe11d030c4a184ea0de440ee714977db02e956@%3cjira.kafka.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rc15e90bbef196a5c6c01659e015249d6c9a73581ca9afb8aeecf00d2@%3cjira.kafka.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/raf13235de6df1d47a717199e1ecd700dff3236632f5c9a1488d9845b@%3cjira.kafka.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r78d53a0a269c18394daf5940105dc8c7f9a2399503c2e78be20abe7e@%3cjira.kafka.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r5f8a1608d758936bd6bbc5eed980777437b611537bf6fff40663fc71@%3cjira.kafka.apache.org%3e", }, { trust: 0.1, url: 
"https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304@%3cusers.kafka.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3cusers.kafka.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3cusers.kafka.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rf1809a1374041a969d77afab21fc38925de066bc97e86157d3ac3402@%3ccommits.karaf.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r3e6ae311842de4e64c5d560a475b7f9cc7e0a9a8649363c6cf7537eb@%3ccommits.karaf.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/re16f81d3ad49a93dd2f0cba9f8fc88e5fb89f30bf9a2ad7b6f3e69c1@%3ccommits.karaf.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r91722ecfba688b0c565675f8bf380269fde8ec62b54d6161db544c22@%3ccommits.karaf.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rc82ff47853289e9cd17f5cfbb053c04cafc75ee32e3d7223963f83bb@%3cdev.knox.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r6a4f3ef6edfed2e0884269d84798f766779bbbc1005f7884e0800d61@%3cdev.knox.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r8764bb835bcb8e311c882ff91dd3949c9824e905e880930be56f6ba3@%3cuser.spark.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r95a297eb5fd1f2d3a2281f15340e2413f952e9d5503296c3adc7201a@%3ccommits.tomee.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r011d1430e8f40dff9550c3bc5d0f48b14c01ba8aecabd91d5e495386@%3ccommits.turbine.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r900d4408c4189b376d1ec580ea7740ea6f8710dc2f0b7e9c9eeb5ae0@%3cdev.zookeeper.apache.org%3e", }, { trust: 0.1, url: 
"https://lists.apache.org/thread.html/r98bfe3b90ea9408f12c4b447edcb5638703d80bc782430aa0c210a54@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r90d1e97b0a743cf697d89a792a9b669909cc5a1692d1e0083a22e66c@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r0b8dc3acd4503e4ecb6fbd6ea7d95f59941168d8452ac0ab1d1d96bb@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rd6f6bf848c2d47fa4a85c27d011d948778b8f7e58ba495968435a0b3@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rb674520b9f6c808c1bf263b1369e14048ec3243615f35cfd24e33604@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r68d029ee74ab0f3b0569d0c05f5688cb45dd3abe96a6534735252805@%3cnotifications.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r6e3d4f7991542119a4ca6330271d7fbf7b9fb3abab24ada82ddf1ee4@%3cnotifications.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r04529cedaca40c2ff90af4880493f9c88a8ebf4d1d6c861d23108a5a@%3cnotifications.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2021:2475", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2021:2476", }, { trust: 0.1, url: "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=appplatform&downloadtype=securitypatches&version=7.3", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2020:4402", }, { trust: 0.1, url: "https://access.redhat.com/documentation/en-us/red_hat_build_of_thorntail/2.7/html/release_notes_for_thorntail_2.7/", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-14299", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-14299", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2020:5361", }, { trust: 0.1, url: 
"https://access.redhat.com/security/cve/cve-2020-14338", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-14338", }, { trust: 0.1, url: "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product\\xcatrhoar.thorntail&version=2.7.2", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-14340", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-14340", }, { trust: 0.1, url: "https://issues.jboss.org/):", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2020:5340", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2020:4312", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhba-2021:1427", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-2163", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-27363", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-20305", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-3347", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2021:1429", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-27364", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-27365", }, { trust: 0.1, url: "https://docs.openshift.com/container-platform/4.6/updating/updating-cluster", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-27363", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-3447", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-3447", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-3347", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-27365", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-27364", }, { trust: 0.1, url: "https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-20305", }, { trust: 0.1, url: 
"https://nvd.nist.gov/vuln/detail/cve-2021-2163", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2020:5410", }, { trust: 0.1, url: "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product\\xdata.grid&downloadtype=securitypatches&version=7.3", }, { trust: 0.1, url: "https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/", }, { trust: 0.1, url: "https://access.redhat.com/articles/2974891", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2021:0381", }, ], sources: [ { db: "VULHUB", id: "VHN-179648", }, { db: "JVNDB", id: "JVNDB-2020-014030", }, { db: "PACKETSTORM", id: "163201", }, { db: "PACKETSTORM", id: "163205", }, { db: "PACKETSTORM", id: "159759", }, { db: "PACKETSTORM", id: "160554", }, { db: "PACKETSTORM", id: "160347", }, { db: "PACKETSTORM", id: "159680", }, { db: "PACKETSTORM", id: "162478", }, { db: "PACKETSTORM", id: "160489", }, { db: "PACKETSTORM", id: "161261", }, { db: "NVD", id: "CVE-2020-25649", }, ], }, sources: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", data: { "@container": "@list", }, }, data: [ { db: "VULHUB", id: "VHN-179648", }, { db: "JVNDB", id: "JVNDB-2020-014030", }, { db: "PACKETSTORM", id: "163201", }, { db: "PACKETSTORM", id: "163205", }, { db: "PACKETSTORM", id: "159759", }, { db: "PACKETSTORM", id: "160554", }, { db: "PACKETSTORM", id: "160347", }, { db: "PACKETSTORM", id: "159680", }, { db: "PACKETSTORM", id: "162478", }, { db: "PACKETSTORM", id: "160489", }, { db: "PACKETSTORM", id: "161261", }, { db: "NVD", id: "CVE-2020-25649", }, ], }, sources_release_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", data: { "@container": "@list", }, }, data: [ { date: "2020-12-03T00:00:00", db: "VULHUB", id: "VHN-179648", }, { date: "2021-07-20T00:00:00", db: "JVNDB", id: "JVNDB-2020-014030", }, { date: "2021-06-17T18:16:15", db: "PACKETSTORM", id: "163201", }, { date: "2021-06-17T18:23:27", db: "PACKETSTORM", id: "163205", 
}, { date: "2020-10-29T14:19:38", db: "PACKETSTORM", id: "159759", }, { date: "2020-12-16T18:10:10", db: "PACKETSTORM", id: "160554", }, { date: "2020-12-03T20:27:20", db: "PACKETSTORM", id: "160347", }, { date: "2020-10-22T17:19:48", db: "PACKETSTORM", id: "159680", }, { date: "2021-05-06T01:15:29", db: "PACKETSTORM", id: "162478", }, { date: "2020-12-14T18:06:53", db: "PACKETSTORM", id: "160489", }, { date: "2021-02-02T16:13:56", db: "PACKETSTORM", id: "161261", }, { date: "2020-12-03T17:15:12.503000", db: "NVD", id: "CVE-2020-25649", }, ], }, sources_update_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", data: { "@container": "@list", }, }, data: [ { date: "2023-02-02T00:00:00", db: "VULHUB", id: "VHN-179648", }, { date: "2021-07-20T04:50:00", db: "JVNDB", id: "JVNDB-2020-014030", }, { date: "2024-11-21T05:18:20.343000", db: "NVD", id: "CVE-2020-25649", }, ], }, threat_type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "remote", sources: [ { db: "PACKETSTORM", id: "160554", }, { db: "PACKETSTORM", id: "160347", }, ], trust: 0.2, }, title: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "FasterXML Jackson Databind In XML External entity vulnerabilities", sources: [ { db: "JVNDB", id: "JVNDB-2020-014030", }, ], trust: 0.8, }, type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "code execution", sources: [ { db: "PACKETSTORM", id: "163201", }, { db: "PACKETSTORM", id: "163205", }, ], trust: 0.2, }, }
var-202103-1564
Vulnerability from variot
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by Http2MultiplexHandler as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (HttpRequest, HttpContent, etc.) via Http2StreamFrameToHttpObjectCodec and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: Http2MultiplexCodec or Http2FrameCodec is used, Http2StreamFrameToHttpObjectCodec is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom ChannelInboundHandler that is put in the ChannelPipeline behind Http2StreamFrameToHttpObjectCodec.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 7.3.7 security update on RHEL 8
Advisory ID: RHSA-2021:2048-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2021:2048
Issue date: 2021-05-19
CVE Names: CVE-2020-13936 CVE-2021-21290 CVE-2021-21295
====================================================================
1. Summary:
A security update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat JBoss EAP 7.3 for BaseOS-8 - noarch
- Description:
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.
This release of Red Hat JBoss Enterprise Application Platform 7.3.7 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.6, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.7 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
- velocity: arbitrary code execution when attacker is able to modify templates (CVE-2020-13936)
- netty: Information disclosure via the local system temporary directory (CVE-2021-21290)
- netty: possible request smuggling in HTTP/2 due missing validation (CVE-2021-21295)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
- Solution:
Before applying this update, ensure all previously released errata relevant to your system have been applied.
For details about how to apply this update, see:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
1927028 - CVE-2021-21290 netty: Information disclosure via the local system temporary directory
1937364 - CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation
1937440 - CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates
- JIRA issues fixed (https://issues.jboss.org/):
JBEAP-20478 - (7.3.z) Upgrade artemis-wildfly-integration from 1.0.2 to 1.0.4
JBEAP-20870 - Tracker bug for the EAP 7.3.7 release for RHEL-8
JBEAP-20927 - GSS Upgrade weld from 3.1.4.Final to 3.1.6.Final and weld-api to 3.1.0.SP3
JBEAP-20935 - GSS Upgrade generic jms from 2.0.8.Final-redhat-00001 to 2.0.9.Final-redhat-00001
JBEAP-20940 - (7.3.z) Upgrade WildFly Elytron from 1.10.11.Final-redhat-00001 to 1.10.12.Final-redhat-00001
JBEAP-21093 - [GSS] (7.3.z) Upgrade undertow from 2.0.34.SP1-redhat-00001 to 2.0.35.SP1-redhat-00001
JBEAP-21094 - (7.3.z) Upgrade WildFly Core from 10.1.18.Final-redhat-00001 to 10.1.19.Final-redhat-00001
JBEAP-21095 - GSS Upgrade HAL from 3.2.13.Final-redhat-00001 to 3.2.14.Final-redhat-00001
JBEAP-21096 - (7.3.z) (Core) Upgrade xalan from 2.7.1.jbossorg-2 to 2.7.1.jbossorg-5
JBEAP-21121 - (7.3.z) Upgrade wildfly-http-client from 1.0.25.Final-redhat-00001 to 1.0.26.Final-redhat-00001
JBEAP-21185 - GSS ISPN-12807 - Simple cache does not update eviction statistics
JBEAP-21186 - GSS Upgrade Infinispan from 9.4.19.Final-redhat-00001 to 9.4.22.Final-redhat-00001
JBEAP-21193 - (7.3.z) Upgrade RESTEasy from 3.11.3.Final-redhat-00001 to 3.11.4.Final-redhat-00001
JBEAP-21196 - GSS Upgrade JBoss Marshalling from 2.0.10.Final to 2.0.11.Final
JBEAP-21203 - GSS Upgrade jgroups-kubernetes from 1.0.13.Final to 1.0.16.Final
JBEAP-21262 - GSS Upgrade yasson from 1.0.5.redhat-00001 to 1.0.9.redhat-00001
JBEAP-21279 - (7.3.z) Upgrade xalan from 2.7.1.redhat-12 to 2.7.1.redhat-13
JBEAP-21312 - GSS Upgrade Ironjacamar from 1.4.27 to 1.4.30
JBEAP-21322 - GSS 7.3 Update 6 patch breaks samesite-cookie in Undertow
JBEAP-21351 - (7.3.z) Upgrade WildFly Core from 10.1.19.Final-redhat-00001 to 10.1.20.Final-redhat-00001
JBEAP-21390 - (7.3.z) Upgrade Bouncy Castle from 1.68.0.redhat-00001 to 1.68.0.redhat-00005
JBEAP-21479 - (7.3.z) Upgrade mod_cluster from 1.4.3.Final-redhat-00001 to 1.4.3.Final-redhat-00002
- Package List:
Red Hat JBoss EAP 7.3 for BaseOS-8:
Source: eap7-artemis-wildfly-integration-1.0.4-1.redhat_00001.1.el8eap.src.rpm eap7-bouncycastle-1.68.0-2.redhat_00005.1.el8eap.src.rpm eap7-hal-console-3.2.14-1.Final_redhat_00001.1.el8eap.src.rpm eap7-infinispan-9.4.22-3.Final_redhat_00001.1.el8eap.src.rpm eap7-ironjacamar-1.4.30-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-genericjms-2.0.9-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-marshalling-2.0.11-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-server-migration-1.7.2-6.Final_redhat_00007.1.el8eap.src.rpm eap7-jboss-weld-3.1-api-3.1.0-6.SP3_redhat_00001.1.el8eap.src.rpm eap7-jgroups-kubernetes-1.0.16-1.Final_redhat_00001.1.el8eap.src.rpm eap7-mod_cluster-1.4.3-2.Final_redhat_00002.1.el8eap.src.rpm eap7-netty-4.1.60-1.Final_redhat_00001.1.el8eap.src.rpm eap7-resteasy-3.11.4-1.Final_redhat_00001.1.el8eap.src.rpm eap7-undertow-2.0.35-1.SP1_redhat_00001.1.el8eap.src.rpm eap7-velocity-2.3.0-1.redhat_00001.1.el8eap.src.rpm eap7-weld-core-3.1.6-1.Final_redhat_00001.1.el8eap.src.rpm eap7-wildfly-7.3.7-1.GA_redhat_00002.1.el8eap.src.rpm eap7-wildfly-elytron-1.10.12-1.Final_redhat_00001.1.el8eap.src.rpm eap7-wildfly-http-client-1.0.26-1.Final_redhat_00001.1.el8eap.src.rpm eap7-xalan-j2-2.7.1-36.redhat_00013.1.el8eap.src.rpm eap7-yasson-1.0.9-1.redhat_00001.1.el8eap.src.rpm
noarch: eap7-artemis-wildfly-integration-1.0.4-1.redhat_00001.1.el8eap.noarch.rpm eap7-bouncycastle-1.68.0-2.redhat_00005.1.el8eap.noarch.rpm eap7-bouncycastle-mail-1.68.0-2.redhat_00005.1.el8eap.noarch.rpm eap7-bouncycastle-pkix-1.68.0-2.redhat_00005.1.el8eap.noarch.rpm eap7-bouncycastle-prov-1.68.0-2.redhat_00005.1.el8eap.noarch.rpm eap7-hal-console-3.2.14-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-9.4.22-3.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-cachestore-jdbc-9.4.22-3.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-cachestore-remote-9.4.22-3.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-client-hotrod-9.4.22-3.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-commons-9.4.22-3.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-core-9.4.22-3.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-hibernate-cache-commons-9.4.22-3.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-hibernate-cache-spi-9.4.22-3.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-hibernate-cache-v53-9.4.22-3.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-1.4.30-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-common-api-1.4.30-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-common-impl-1.4.30-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-common-spi-1.4.30-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-core-api-1.4.30-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-core-impl-1.4.30-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-deployers-common-1.4.30-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-jdbc-1.4.30-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-validator-1.4.30-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-genericjms-2.0.9-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-marshalling-2.0.11-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-marshalling-river-2.0.11-1.Final_redhat_00001.1.el8eap.noarch.rpm 
eap7-jboss-server-migration-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm eap7-jboss-server-migration-cli-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm eap7-jboss-server-migration-core-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap6.4-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap6.4-to-eap7.3-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.0-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.1-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.2-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.2-to-eap7.3-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.3-server-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly10.0-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly10.1-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly11.0-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly12.0-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly13.0-server-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly14.0-server-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly15.0-server-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly16.0-server-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly17.0-server-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly18.0-server-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly8.2-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly9.0-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm eap7-jboss-weld-3.1-api-3.1.0-6.SP3_redhat_00001.1.el8eap.noarch.rpm 
eap7-jboss-weld-3.1-api-weld-api-3.1.0-6.SP3_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-weld-3.1-api-weld-spi-3.1.0-6.SP3_redhat_00001.1.el8eap.noarch.rpm eap7-jgroups-kubernetes-1.0.16-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-mod_cluster-1.4.3-2.Final_redhat_00002.1.el8eap.noarch.rpm eap7-netty-4.1.60-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-netty-all-4.1.60-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-atom-provider-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-cdi-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-client-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-client-microprofile-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-crypto-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-jackson-provider-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-jackson2-provider-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-jaxb-provider-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-jaxrs-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-jettison-provider-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-jose-jwt-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-jsapi-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-json-binding-provider-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-json-p-provider-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-multipart-provider-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-rxjava2-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-spring-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-validator-provider-11-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-resteasy-yaml-provider-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-undertow-2.0.35-1.SP1_redhat_00001.1.el8eap.noarch.rpm 
eap7-velocity-2.3.0-1.redhat_00001.1.el8eap.noarch.rpm eap7-velocity-engine-core-2.3.0-1.redhat_00001.1.el8eap.noarch.rpm eap7-weld-core-3.1.6-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-weld-core-impl-3.1.6-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-weld-core-jsf-3.1.6-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-weld-ejb-3.1.6-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-weld-jta-3.1.6-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-weld-probe-core-3.1.6-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-weld-web-3.1.6-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-7.3.7-1.GA_redhat_00002.1.el8eap.noarch.rpm eap7-wildfly-elytron-1.10.12-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-elytron-tool-1.10.12-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-http-client-common-1.0.26-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-http-ejb-client-1.0.26-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-http-naming-client-1.0.26-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-http-transaction-client-1.0.26-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-javadocs-7.3.7-1.GA_redhat_00002.1.el8eap.noarch.rpm eap7-wildfly-modules-7.3.7-1.GA_redhat_00002.1.el8eap.noarch.rpm eap7-xalan-j2-2.7.1-36.redhat_00013.1.el8eap.noarch.rpm eap7-yasson-1.0.9-1.redhat_00001.1.el8eap.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2020-13936 https://access.redhat.com/security/cve/CVE-2021-21290 https://access.redhat.com/security/cve/CVE-2021-21295 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBYKUxBtzjgjWX9erEAQjYDQ//cENkHaSyzbHP4FA1ZFORHBXGr/U/3I/l 1UhCgtGU72ugS2y+iwmWZ4BZxNG+zvjxVQO86J70NBdK2dgNGpRoZv0KOQXtlgd4 wxsLRX/ogHdSvXn+Jfah7U6kH9PFRwuxC2QrHwAjYaBJkjkf+moNhK+eBZx9Jj39 lioCUyrUmiWdwk9JJDeEzLL8fN0ihdrrHH3G9GotyMEPA5AQMU3PUEqEWNu1t1bi c5iWip8ntlFHAZPNlvX1OkCjl3XKmU4xtzxvFeMBNS3/jVts6t/jjaVz3xDK0e0d eFTtljwuCrFdZnPsobMSBiyoFJixN2mKjzxt5cS0AaRQwn/vUdag0/wHooH2YCa5 NrJXF+lCmR8sF7lh+jgkInV/GMKzP3Apyl6La30emOKfmovGW8EFE8NC73GyXuch T0b6LY+htveMef2bEXzWBBqZzVYmcp7CllmSeiCezd6kIcAu2JSmwWOOyM1XmzS9 ViRPXzEA49qU/MxNvpCbMXjtLmrvWBTScGaAOohJOvFhhV7xZCEPkyqtGKT3yGlC +YTinFgVOQJAcYJiH1A8drbPB6I2Vdhr+Kwsa5giaEdUWH9RolAnLO+/6Tkgc0dd b3M4+U0Ut8DhovNeS8zZewZdJo3uQa6Pq+lxkxvOtZYBEPaE2HRq1xhevAEQdHgR qjkjiBZ8CsU=CM/N -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce. Description:
Red Hat Data Grid is a distributed, in-memory data store. Solution:
Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version.
The References section of this erratum contains a download link (you must log in to download the update). The purpose of this text-only erratum is to inform you about the security issues fixed in this release. Solution:
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
Installation instructions are available from the Fuse 7.10.0 product documentation page: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/
For the stable distribution (buster), these problems have been fixed in version 1:4.1.33-1+deb10u2.
We recommend that you upgrade your netty packages.
For the detailed security status of netty please refer to its security tracker page at: https://security-tracker.debian.org/tracker/netty
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmBrXn0ACgkQEMKTtsN8 TjYiIQ/+M3dHpXdXRxZlx12OSJNsJoZa52/7uKhM9Vg0HhdCYnq7RjXTI2zZmUu7 VbL/F1ixPFgHWZpFIwHPTxZ4qk5+qQKYj7JyU1g+NyL9MkVsAW7ccYj3gbp3Kgk6 bE2GEwfh0qSKDgolflLCudGsqF1J54T65kO5oQ+Gtbx/8+NJ0YrVrHsmG1O4IMHQ 6oK/znY6CmQtUSY1p8DCNTWp63hZYpGzg9Umv/y9TaYm3QeG1BNz3tQz8uaGZQWq LihkaTSpJoo7ezNUFYinaRECylpEf7MHgK+uYkJ0MZrZ+2wyMC6V0BATVwF2Aj7X VMrRBJTSf20z5u/k0m+y9k8cR8CcR3sWVo/7mpRJAIsvnyMQwKBmxjHSlVfzOqYK 91NB7OSi/ZDKOOsdQ5oW337FPQolCXl2DOe2UW9Z1K9XFs11VplsFxMkrzZtiwba dXhq6odVZwQfzjiWGj0yFftfJSAAs9B0I1L1EqW2QR7sN25YA1OosYsc5iYvUXD7 mhjU1RtqsXK3jI9TjGmXos+6Yj36iPncNwXBL4AKKPapV5qm6mHQkXTowW1NM5vu 8NokTjKtuixgb08CAQHNe202TpQ9kGHNTe2FDKRNFQrlTaoxt2DlmHbDiLn6i1Ue k4HImGqrUw9venxQ/vPZjTW6UaTbz0D9BPQcb9ApBOAgydEjJqE= =6i6I -----END PGP SIGNATURE-----
{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", affected_products: { "@id": "https://www.variotdbs.pl/ref/affected_products", }, configurations: { "@id": "https://www.variotdbs.pl/ref/configurations", }, credits: { "@id": "https://www.variotdbs.pl/ref/credits", }, cvss: { "@id": "https://www.variotdbs.pl/ref/cvss/", }, description: { "@id": "https://www.variotdbs.pl/ref/description/", }, exploit_availability: { "@id": "https://www.variotdbs.pl/ref/exploit_availability/", }, external_ids: { "@id": "https://www.variotdbs.pl/ref/external_ids/", }, iot: { "@id": "https://www.variotdbs.pl/ref/iot/", }, iot_taxonomy: { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/", }, patch: { "@id": "https://www.variotdbs.pl/ref/patch/", }, problemtype_data: { "@id": "https://www.variotdbs.pl/ref/problemtype_data/", }, references: { "@id": "https://www.variotdbs.pl/ref/references/", }, sources: { "@id": "https://www.variotdbs.pl/ref/sources/", }, sources_release_date: { "@id": "https://www.variotdbs.pl/ref/sources_release_date/", }, sources_update_date: { "@id": "https://www.variotdbs.pl/ref/sources_update_date/", }, threat_type: { "@id": "https://www.variotdbs.pl/ref/threat_type/", }, title: { "@id": "https://www.variotdbs.pl/ref/title/", }, type: { "@id": "https://www.variotdbs.pl/ref/type/", }, }, "@id": "https://www.variotdbs.pl/vuln/VAR-202103-1564", affected_products: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { model: "oncommand api services", scope: "eq", trust: 1, vendor: "netapp", version: null, }, { model: "netty", scope: "lt", trust: 1, vendor: "netty", version: "4.1.60", }, { model: "kudu", scope: "lt", trust: 1, vendor: "apache", version: "1.16.0", }, { model: "communications cloud native 
core policy", scope: "eq", trust: 1, vendor: "oracle", version: "1.14.0", }, { model: "quarkus", scope: "lte", trust: 1, vendor: "quarkus", version: "1.13.7", }, { model: "linux", scope: "eq", trust: 1, vendor: "debian", version: "10.0", }, { model: "zookeeper", scope: "eq", trust: 1, vendor: "apache", version: "3.5.9", }, { model: "oncommand workflow automation", scope: "eq", trust: 1, vendor: "netapp", version: null, }, { model: "netty", scope: null, trust: 0.8, vendor: "the netty", version: null, }, { model: "oncommand api services", scope: null, trust: 0.8, vendor: "netapp", version: null, }, { model: "gnu/linux", scope: null, trust: 0.8, vendor: "debian", version: null, }, { model: "quarkus", scope: null, trust: 0.8, vendor: "quarkus", version: null, }, { model: "kudu", scope: null, trust: 0.8, vendor: "apache", version: null, }, { model: "oncommand workflow automation", scope: null, trust: 0.8, vendor: "netapp", version: null, }, ], sources: [ { db: "JVNDB", id: "JVNDB-2021-004681", }, { db: "NVD", id: "CVE-2021-21295", }, ], }, credits: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Red Hat", sources: [ { db: "PACKETSTORM", id: "162716", }, { db: "PACKETSTORM", id: "162719", }, { db: "PACKETSTORM", id: "162839", }, { db: "PACKETSTORM", id: "165294", }, { db: "PACKETSTORM", id: "164276", }, { db: "PACKETSTORM", id: "164275", }, { db: "CNNVD", id: "CNNVD-202103-713", }, ], trust: 1.2, }, cve: "CVE-2021-21295", cvss: { "@context": { cvssV2: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2", }, cvssV3: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/", }, severity: { "@container": "@list", "@context": { "@vocab": 
"https://www.variotdbs.pl/cvss/severity#", }, "@id": "https://www.variotdbs.pl/ref/cvss/severity", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { cvssV2: [ { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", author: "nvd@nist.gov", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "NONE", exploitabilityScore: 4.9, id: "CVE-2021-21295", impactScore: 2.9, integrityImpact: "PARTIAL", severity: "LOW", trust: 1.9, vectorString: "AV:N/AC:H/Au:N/C:N/I:P/A:N", version: "2.0", }, { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", author: "VULHUB", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", exploitabilityScore: 8.6, id: "VHN-379190", impactScore: 2.9, integrityImpact: "PARTIAL", severity: "MEDIUM", trust: 0.1, vectorString: "AV:N/AC:M/AU:N/C:N/I:P/A:N", version: "2.0", }, ], cvssV3: [ { attackComplexity: "HIGH", attackVector: "NETWORK", author: "nvd@nist.gov", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", exploitabilityScore: 2.2, id: "CVE-2021-21295", impactScore: 3.6, integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", trust: 2, userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, { attackComplexity: "High", attackVector: "Network", author: "OTHER", availabilityImpact: "None", baseScore: 5.9, baseSeverity: "Medium", confidentialityImpact: "None", exploitabilityScore: null, id: "JVNDB-2021-004681", impactScore: null, integrityImpact: "High", privilegesRequired: "None", scope: "Unchanged", trust: 0.8, userInteraction: "None", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.0", }, ], severity: [ { author: "nvd@nist.gov", id: "CVE-2021-21295", trust: 1, value: "MEDIUM", }, { author: 
"security-advisories@github.com", id: "CVE-2021-21295", trust: 1, value: "MEDIUM", }, { author: "NVD", id: "CVE-2021-21295", trust: 0.8, value: "Medium", }, { author: "CNNVD", id: "CNNVD-202103-713", trust: 0.6, value: "MEDIUM", }, { author: "VULHUB", id: "VHN-379190", trust: 0.1, value: "MEDIUM", }, { author: "VULMON", id: "CVE-2021-21295", trust: 0.1, value: "LOW", }, ], }, ], sources: [ { db: "VULHUB", id: "VHN-379190", }, { db: "VULMON", id: "CVE-2021-21295", }, { db: "JVNDB", id: "JVNDB-2021-004681", }, { db: "CNNVD", id: "CNNVD-202103-713", }, { db: "NVD", id: "CVE-2021-21295", }, { db: "NVD", id: "CVE-2021-21295", }, ], }, description: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. 
For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Moderate: Red Hat JBoss Enterprise Application Platform 7.3.7 security update on RHEL 8\nAdvisory ID: RHSA-2021:2048-01\nProduct: Red Hat JBoss Enterprise Application Platform\nAdvisory URL: https://access.redhat.com/errata/RHSA-2021:2048\nIssue date: 2021-05-19\nCVE Names: CVE-2020-13936 CVE-2021-21290 CVE-2021-21295\n====================================================================\n1. Summary:\n\nA security update is now available for Red Hat JBoss Enterprise Application\nPlatform 7.3 for Red Hat Enterprise Linux 8. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat JBoss EAP 7.3 for BaseOS-8 - noarch\n\n3. Description:\n\nRed Hat JBoss Enterprise Application Platform 7 is a platform for Java\napplications based on the WildFly application runtime. \n\nThis release of Red Hat JBoss Enterprise Application Platform 7.3.7 serves\nas a replacement for Red Hat JBoss Enterprise Application Platform 7.3.6,\nand includes bug fixes and enhancements. 
See the Red Hat JBoss Enterprise\nApplication Platform 7.3.7 Release Notes for information about the most\nsignificant bug fixes and enhancements included in this release. \n\nSecurity Fix(es):\n\n* velocity: arbitrary code execution when attacker is able to modify\ntemplates (CVE-2020-13936)\n\n* netty: Information disclosure via the local system temporary directory\n(CVE-2021-21290)\n\n* netty: possible request smuggling in HTTP/2 due missing validation\n(CVE-2021-21295)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\n4. Solution:\n\nBefore applying this update, ensure all previously released errata relevant\nto your system have been applied. \n\nFor details about how to apply this update, see:\n\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1927028 - CVE-2021-21290 netty: Information disclosure via the local system temporary directory\n1937364 - CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation\n1937440 - CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates\n\n6. 
JIRA issues fixed (https://issues.jboss.org/):\n\nJBEAP-20478 - (7.3.z) Upgrade artemis-wildfly-integration from 1.0.2 to 1.0.4\nJBEAP-20870 - Tracker bug for the EAP 7.3.7 release for RHEL-8\nJBEAP-20927 - [GSS](7.3.z) Upgrade weld from 3.1.4.Final to 3.1.6.Final and weld-api to 3.1.0.SP3\nJBEAP-20935 - [GSS](7.3.z) Upgrade generic jms from 2.0.8.Final-redhat-00001 to 2.0.9.Final-redhat-00001\nJBEAP-20940 - (7.3.z) Upgrade WildFly Elytron from 1.10.11.Final-redhat-00001 to 1.10.12.Final-redhat-00001\nJBEAP-21093 - [GSS] (7.3.z) Upgrade undertow from 2.0.34.SP1-redhat-00001 to 2.0.35.SP1-redhat-00001\nJBEAP-21094 - (7.3.z) Upgrade WildFly Core from 10.1.18.Final-redhat-00001 to 10.1.19.Final-redhat-00001\nJBEAP-21095 - [GSS](7.3.z) Upgrade HAL from 3.2.13.Final-redhat-00001 to 3.2.14.Final-redhat-00001\nJBEAP-21096 - (7.3.z) (Core) Upgrade xalan from 2.7.1.jbossorg-2 to 2.7.1.jbossorg-5\nJBEAP-21121 - (7.3.z) Upgrade wildfly-http-client from 1.0.25.Final-redhat-00001 to 1.0.26.Final-redhat-00001\nJBEAP-21185 - [GSS](7.3.z) ISPN-12807 - Simple cache does not update eviction statistics\nJBEAP-21186 - [GSS](7.3.z) Upgrade Infinispan from 9.4.19.Final-redhat-00001 to 9.4.22.Final-redhat-00001\nJBEAP-21193 - (7.3.z) Upgrade RESTEasy from 3.11.3.Final-redhat-00001 to 3.11.4.Final-redhat-00001\nJBEAP-21196 - [GSS](7.3.z) Upgrade JBoss Marshalling from 2.0.10.Final to 2.0.11.Final\nJBEAP-21203 - [GSS](7.3.z) Upgrade jgroups-kubernetes from 1.0.13.Final to 1.0.16.Final\nJBEAP-21262 - [GSS](7.3.z) Upgrade yasson from 1.0.5.redhat-00001 to 1.0.9.redhat-00001\nJBEAP-21279 - (7.3.z) Upgrade xalan from 2.7.1.redhat-12 to 2.7.1.redhat-13\nJBEAP-21312 - [GSS](7.3.z) Upgrade Ironjacamar from 1.4.27 to 1.4.30\nJBEAP-21322 - [GSS](7.3.z) 7.3 Update 6 patch breaks samesite-cookie in Undertow\nJBEAP-21351 - (7.3.z) Upgrade WildFly Core from 10.1.19.Final-redhat-00001 to 10.1.20.Final-redhat-00001\nJBEAP-21390 - (7.3.z) Upgrade Bouncy Castle from 1.68.0.redhat-00001 to 
1.68.0.redhat-00005\nJBEAP-21479 - (7.3.z) Upgrade mod_cluster from 1.4.3.Final-redhat-00001 to 1.4.3.Final-redhat-00002\n\n7. Package List:\n\nRed Hat JBoss EAP 7.3 for BaseOS-8:\n\nSource:\neap7-artemis-wildfly-integration-1.0.4-1.redhat_00001.1.el8eap.src.rpm\neap7-bouncycastle-1.68.0-2.redhat_00005.1.el8eap.src.rpm\neap7-hal-console-3.2.14-1.Final_redhat_00001.1.el8eap.src.rpm\neap7-infinispan-9.4.22-3.Final_redhat_00001.1.el8eap.src.rpm\neap7-ironjacamar-1.4.30-1.Final_redhat_00001.1.el8eap.src.rpm\neap7-jboss-genericjms-2.0.9-1.Final_redhat_00001.1.el8eap.src.rpm\neap7-jboss-marshalling-2.0.11-1.Final_redhat_00001.1.el8eap.src.rpm\neap7-jboss-server-migration-1.7.2-6.Final_redhat_00007.1.el8eap.src.rpm\neap7-jboss-weld-3.1-api-3.1.0-6.SP3_redhat_00001.1.el8eap.src.rpm\neap7-jgroups-kubernetes-1.0.16-1.Final_redhat_00001.1.el8eap.src.rpm\neap7-mod_cluster-1.4.3-2.Final_redhat_00002.1.el8eap.src.rpm\neap7-netty-4.1.60-1.Final_redhat_00001.1.el8eap.src.rpm\neap7-resteasy-3.11.4-1.Final_redhat_00001.1.el8eap.src.rpm\neap7-undertow-2.0.35-1.SP1_redhat_00001.1.el8eap.src.rpm\neap7-velocity-2.3.0-1.redhat_00001.1.el8eap.src.rpm\neap7-weld-core-3.1.6-1.Final_redhat_00001.1.el8eap.src.rpm\neap7-wildfly-7.3.7-1.GA_redhat_00002.1.el8eap.src.rpm\neap7-wildfly-elytron-1.10.12-1.Final_redhat_00001.1.el8eap.src.rpm\neap7-wildfly-http-client-1.0.26-1.Final_redhat_00001.1.el8eap.src.rpm\neap7-xalan-j2-2.7.1-36.redhat_00013.1.el8eap.src.rpm\neap7-yasson-1.0.9-1.redhat_00001.1.el8eap.src.rpm\n\nnoarch:\neap7-artemis-wildfly-integration-1.0.4-1.redhat_00001.1.el8eap.noarch.rpm\neap7-bouncycastle-1.68.0-2.redhat_00005.1.el8eap.noarch.rpm\neap7-bouncycastle-mail-1.68.0-2.redhat_00005.1.el8eap.noarch.rpm\neap7-bouncycastle-pkix-1.68.0-2.redhat_00005.1.el8eap.noarch.rpm\neap7-bouncycastle-prov-1.68.0-2.redhat_00005.1.el8eap.noarch.rpm\neap7-hal-console-3.2.14-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-infinispan-9.4.22-3.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-infinispan-cac
hestore-jdbc-9.4.22-3.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-infinispan-cachestore-remote-9.4.22-3.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-infinispan-client-hotrod-9.4.22-3.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-infinispan-commons-9.4.22-3.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-infinispan-core-9.4.22-3.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-infinispan-hibernate-cache-commons-9.4.22-3.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-infinispan-hibernate-cache-spi-9.4.22-3.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-infinispan-hibernate-cache-v53-9.4.22-3.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-ironjacamar-1.4.30-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-ironjacamar-common-api-1.4.30-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-ironjacamar-common-impl-1.4.30-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-ironjacamar-common-spi-1.4.30-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-ironjacamar-core-api-1.4.30-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-ironjacamar-core-impl-1.4.30-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-ironjacamar-deployers-common-1.4.30-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-ironjacamar-jdbc-1.4.30-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-ironjacamar-validator-1.4.30-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-jboss-genericjms-2.0.9-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-jboss-marshalling-2.0.11-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-jboss-marshalling-river-2.0.11-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-jboss-server-migration-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm\neap7-jboss-server-migration-cli-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm\neap7-jboss-server-migration-core-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm\neap7-jboss-server-migration-eap6.4-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm\neap7-jboss-server-migration-eap6.4-to-eap7.3-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm\neap7-jboss-server-migration-eap7.0-1.7.2-6.Final_redhat_00007.
1.el8eap.noarch.rpm\neap7-jboss-server-migration-eap7.1-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm\neap7-jboss-server-migration-eap7.2-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm\neap7-jboss-server-migration-eap7.2-to-eap7.3-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm\neap7-jboss-server-migration-eap7.3-server-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm\neap7-jboss-server-migration-wildfly10.0-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm\neap7-jboss-server-migration-wildfly10.1-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm\neap7-jboss-server-migration-wildfly11.0-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm\neap7-jboss-server-migration-wildfly12.0-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm\neap7-jboss-server-migration-wildfly13.0-server-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm\neap7-jboss-server-migration-wildfly14.0-server-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm\neap7-jboss-server-migration-wildfly15.0-server-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm\neap7-jboss-server-migration-wildfly16.0-server-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm\neap7-jboss-server-migration-wildfly17.0-server-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm\neap7-jboss-server-migration-wildfly18.0-server-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm\neap7-jboss-server-migration-wildfly8.2-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm\neap7-jboss-server-migration-wildfly9.0-1.7.2-6.Final_redhat_00007.1.el8eap.noarch.rpm\neap7-jboss-weld-3.1-api-3.1.0-6.SP3_redhat_00001.1.el8eap.noarch.rpm\neap7-jboss-weld-3.1-api-weld-api-3.1.0-6.SP3_redhat_00001.1.el8eap.noarch.rpm\neap7-jboss-weld-3.1-api-weld-spi-3.1.0-6.SP3_redhat_00001.1.el8eap.noarch.rpm\neap7-jgroups-kubernetes-1.0.16-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-mod_cluster-1.4.3-2.Final_redhat_00002.1.el8eap.noarch.rpm\neap7-netty-4.1.60-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-netty-all-4.1.60-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-resteasy-3.11.4-1.Final_redhat_00001.1.
el8eap.noarch.rpm\neap7-resteasy-atom-provider-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-resteasy-cdi-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-resteasy-client-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-resteasy-client-microprofile-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-resteasy-crypto-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-resteasy-jackson-provider-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-resteasy-jackson2-provider-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-resteasy-jaxb-provider-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-resteasy-jaxrs-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-resteasy-jettison-provider-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-resteasy-jose-jwt-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-resteasy-jsapi-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-resteasy-json-binding-provider-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-resteasy-json-p-provider-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-resteasy-multipart-provider-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-resteasy-rxjava2-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-resteasy-spring-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-resteasy-validator-provider-11-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-resteasy-yaml-provider-3.11.4-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-undertow-2.0.35-1.SP1_redhat_00001.1.el8eap.noarch.rpm\neap7-velocity-2.3.0-1.redhat_00001.1.el8eap.noarch.rpm\neap7-velocity-engine-core-2.3.0-1.redhat_00001.1.el8eap.noarch.rpm\neap7-weld-core-3.1.6-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-weld-core-impl-3.1.6-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-weld-core-jsf-3.1.6-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-weld-ejb-3.1.6-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-weld-jta-3.1.6-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-weld-probe-core-3.1.6-1.
Final_redhat_00001.1.el8eap.noarch.rpm\neap7-weld-web-3.1.6-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-wildfly-7.3.7-1.GA_redhat_00002.1.el8eap.noarch.rpm\neap7-wildfly-elytron-1.10.12-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-wildfly-elytron-tool-1.10.12-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-wildfly-http-client-common-1.0.26-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-wildfly-http-ejb-client-1.0.26-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-wildfly-http-naming-client-1.0.26-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-wildfly-http-transaction-client-1.0.26-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-wildfly-javadocs-7.3.7-1.GA_redhat_00002.1.el8eap.noarch.rpm\neap7-wildfly-modules-7.3.7-1.GA_redhat_00002.1.el8eap.noarch.rpm\neap7-xalan-j2-2.7.1-36.redhat_00013.1.el8eap.noarch.rpm\neap7-yasson-1.0.9-1.redhat_00001.1.el8eap.noarch.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n8. References:\n\nhttps://access.redhat.com/security/cve/CVE-2020-13936\nhttps://access.redhat.com/security/cve/CVE-2021-21290\nhttps://access.redhat.com/security/cve/CVE-2021-21295\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/\nhttps://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/\n\n9. Contact:\n\nThe Red Hat security contact is <secalert@redhat.com>. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2021 Red Hat, Inc. 
\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBYKUxBtzjgjWX9erEAQjYDQ//cENkHaSyzbHP4FA1ZFORHBXGr/U/3I/l\n1UhCgtGU72ugS2y+iwmWZ4BZxNG+zvjxVQO86J70NBdK2dgNGpRoZv0KOQXtlgd4\nwxsLRX/ogHdSvXn+Jfah7U6kH9PFRwuxC2QrHwAjYaBJkjkf+moNhK+eBZx9Jj39\nlioCUyrUmiWdwk9JJDeEzLL8fN0ihdrrHH3G9GotyMEPA5AQMU3PUEqEWNu1t1bi\nc5iWip8ntlFHAZPNlvX1OkCjl3XKmU4xtzxvFeMBNS3/jVts6t/jjaVz3xDK0e0d\neFTtljwuCrFdZnPsobMSBiyoFJixN2mKjzxt5cS0AaRQwn/vUdag0/wHooH2YCa5\nNrJXF+lCmR8sF7lh+jgkInV/GMKzP3Apyl6La30emOKfmovGW8EFE8NC73GyXuch\nT0b6LY+htveMef2bEXzWBBqZzVYmcp7CllmSeiCezd6kIcAu2JSmwWOOyM1XmzS9\nViRPXzEA49qU/MxNvpCbMXjtLmrvWBTScGaAOohJOvFhhV7xZCEPkyqtGKT3yGlC\n+YTinFgVOQJAcYJiH1A8drbPB6I2Vdhr+Kwsa5giaEdUWH9RolAnLO+/6Tkgc0dd\nb3M4+U0Ut8DhovNeS8zZewZdJo3uQa6Pq+lxkxvOtZYBEPaE2HRq1xhevAEQdHgR\nqjkjiBZ8CsU=CM/N\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n. Description:\n\nRed Hat Data Grid is a distributed, in-memory data store. Solution:\n\nRefer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to\nthis version. \n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). The purpose of this text-only errata is to inform you about the\nsecurity issues fixed in this release. Solution:\n\nBefore applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on. \n\nInstallation instructions are available from the Fuse 7.10.0 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/\n\n4. \n\nFor the stable distribution (buster), these problems have been fixed in\nversion 1:4.1.33-1+deb10u2. \n\nWe recommend that you upgrade your netty packages. 
\n\nFor the detailed security status of netty please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/netty\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmBrXn0ACgkQEMKTtsN8\nTjYiIQ/+M3dHpXdXRxZlx12OSJNsJoZa52/7uKhM9Vg0HhdCYnq7RjXTI2zZmUu7\nVbL/F1ixPFgHWZpFIwHPTxZ4qk5+qQKYj7JyU1g+NyL9MkVsAW7ccYj3gbp3Kgk6\nbE2GEwfh0qSKDgolflLCudGsqF1J54T65kO5oQ+Gtbx/8+NJ0YrVrHsmG1O4IMHQ\n6oK/znY6CmQtUSY1p8DCNTWp63hZYpGzg9Umv/y9TaYm3QeG1BNz3tQz8uaGZQWq\nLihkaTSpJoo7ezNUFYinaRECylpEf7MHgK+uYkJ0MZrZ+2wyMC6V0BATVwF2Aj7X\nVMrRBJTSf20z5u/k0m+y9k8cR8CcR3sWVo/7mpRJAIsvnyMQwKBmxjHSlVfzOqYK\n91NB7OSi/ZDKOOsdQ5oW337FPQolCXl2DOe2UW9Z1K9XFs11VplsFxMkrzZtiwba\ndXhq6odVZwQfzjiWGj0yFftfJSAAs9B0I1L1EqW2QR7sN25YA1OosYsc5iYvUXD7\nmhjU1RtqsXK3jI9TjGmXos+6Yj36iPncNwXBL4AKKPapV5qm6mHQkXTowW1NM5vu\n8NokTjKtuixgb08CAQHNe202TpQ9kGHNTe2FDKRNFQrlTaoxt2DlmHbDiLn6i1Ue\nk4HImGqrUw9venxQ/vPZjTW6UaTbz0D9BPQcb9ApBOAgydEjJqE=\n=6i6I\n-----END PGP SIGNATURE-----\n", sources: [ { db: "NVD", id: "CVE-2021-21295", }, { db: "JVNDB", id: "JVNDB-2021-004681", }, { db: "VULHUB", id: "VHN-379190", }, { db: "VULMON", id: "CVE-2021-21295", }, { db: "PACKETSTORM", id: "162716", }, { db: "PACKETSTORM", id: "162719", }, { db: "PACKETSTORM", id: "162839", }, { db: "PACKETSTORM", id: "165294", }, { db: "PACKETSTORM", id: "164276", }, { db: "PACKETSTORM", id: "164275", }, { db: "PACKETSTORM", id: "169055", }, ], trust: 2.43, }, external_ids: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { db: "NVD", id: "CVE-2021-21295", trust: 3.3, }, { db: "PACKETSTORM", 
id: "162839", trust: 0.8, }, { db: "JVNDB", id: "JVNDB-2021-004681", trust: 0.8, }, { db: "PACKETSTORM", id: "167709", trust: 0.7, }, { db: "PACKETSTORM", id: "162490", trust: 0.7, }, { db: "PACKETSTORM", id: "163517", trust: 0.7, }, { db: "PACKETSTORM", id: "163477", trust: 0.7, }, { db: "PACKETSTORM", id: "165294", trust: 0.7, }, { db: "CS-HELP", id: "SB2021081922", trust: 0.6, }, { db: "CS-HELP", id: "SB2021050706", trust: 0.6, }, { db: "CS-HELP", id: "SB2021100302", trust: 0.6, }, { db: "CS-HELP", id: "SB2021071219", trust: 0.6, }, { db: "PACKETSTORM", id: "164346", trust: 0.6, }, { db: "PACKETSTORM", id: "162714", trust: 0.6, }, { db: "PACKETSTORM", id: "164566", trust: 0.6, }, { db: "PACKETSTORM", id: "162732", trust: 0.6, }, { db: "PACKETSTORM", id: "163922", trust: 0.6, }, { db: "PACKETSTORM", id: "164279", trust: 0.6, }, { db: "PACKETSTORM", id: "162035", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2021.1821", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2021.1108", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2021.2896", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2021.4253", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2021.1144", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2021.3495", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2022.3282", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2021.3208", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2021.1755", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2021.3284", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2021.2357", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2021.2416", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2021.1571", trust: 0.6, }, { db: "CNNVD", id: "CNNVD-202103-713", trust: 0.6, }, { db: "PACKETSTORM", id: "163489", trust: 0.1, }, { db: "PACKETSTORM", id: "163423", trust: 0.1, }, { db: "PACKETSTORM", id: "163483", trust: 0.1, }, { db: "PACKETSTORM", id: "163485", trust: 0.1, }, { db: "PACKETSTORM", id: "163480", trust: 0.1, }, { db: "CNNVD", id: "CNNVD-202103-1685", trust: 0.1, }, { db: "VULHUB", id: "VHN-379190", trust: 0.1, }, { db: 
"VULMON", id: "CVE-2021-21295", trust: 0.1, }, { db: "PACKETSTORM", id: "162716", trust: 0.1, }, { db: "PACKETSTORM", id: "162719", trust: 0.1, }, { db: "PACKETSTORM", id: "164276", trust: 0.1, }, { db: "PACKETSTORM", id: "164275", trust: 0.1, }, { db: "PACKETSTORM", id: "169055", trust: 0.1, }, ], sources: [ { db: "VULHUB", id: "VHN-379190", }, { db: "VULMON", id: "CVE-2021-21295", }, { db: "JVNDB", id: "JVNDB-2021-004681", }, { db: "PACKETSTORM", id: "162716", }, { db: "PACKETSTORM", id: "162719", }, { db: "PACKETSTORM", id: "162839", }, { db: "PACKETSTORM", id: "165294", }, { db: "PACKETSTORM", id: "164276", }, { db: "PACKETSTORM", id: "164275", }, { db: "PACKETSTORM", id: "169055", }, { db: "CNNVD", id: "CNNVD-202103-713", }, { db: "NVD", id: "CVE-2021-21295", }, ], }, id: "VAR-202103-1564", iot: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: true, sources: [ { db: "VULHUB", id: "VHN-379190", }, ], trust: 0.01, }, last_update_date: "2024-11-27T20:00:06.862000Z", patch: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { title: "Top Page The Netty projectGitHub", trust: 0.8, url: "https://lists.apache.org/thread/qmvzmzm7lx43po0745qjymmmqzj1lmvp", }, { title: "Netty Remediation measures for environmental problem vulnerabilities", trust: 0.6, url: "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=144007", }, { title: "Debian CVElist Bug Report Logs: netty: CVE-2021-21295", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=3dae7308ddf952db0ad410f80e658793", }, { title: "Debian CVElist Bug Report Logs: netty: CVE-2021-21409", trust: 0.1, url: 
"https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=23e6ecb2c9e3ae264a6a904e00c922b4", }, { title: "Red Hat: CVE-2021-21295", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2021-21295", }, { title: "Debian Security Advisories: DSA-4885-1 netty -- security update", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=b857eb63eda3549d92d4cef6b191afe6", }, { title: "Red Hat: Moderate: Satellite 6.11 Release", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20225498 - Security Advisory", }, { title: "CVE-2021-21295", trust: 0.1, url: "https://github.com/PwnCast/CVE-2021-21295 ", }, { title: "CVE-2021-21295", trust: 0.1, url: "https://github.com/AlAIAL90/CVE-2021-21295 ", }, { title: "CVE-2021-21295", trust: 0.1, url: "https://github.com/AIPOCAI/CVE-2021-21295 ", }, { title: "CVE-2021-21409", trust: 0.1, url: "https://github.com/AlAIAL90/CVE-2021-21409 ", }, { title: "test.md", trust: 0.1, url: "https://github.com/AwesomeAlpha/test.md ", }, ], sources: [ { db: "VULMON", id: "CVE-2021-21295", }, { db: "JVNDB", id: "JVNDB-2021-004681", }, { db: "CNNVD", id: "CNNVD-202103-713", }, ], }, problemtype_data: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { problemtype: "CWE-444", trust: 1.1, }, { problemtype: "HTTP Request Smuggling (CWE-444) [NVD Evaluation ]", trust: 0.8, }, ], sources: [ { db: "VULHUB", id: "VHN-379190", }, { db: "JVNDB", id: "JVNDB-2021-004681", }, { db: "NVD", id: "CVE-2021-21295", }, ], }, references: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { trust: 2.5, url: 
"https://github.com/netflix/zuul/pull/980", }, { trust: 2.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21295", }, { trust: 1.8, url: "https://security.netapp.com/advisory/ntap-20210604-0003/", }, { trust: 1.8, url: "https://www.debian.org/security/2021/dsa-4885", }, { trust: 1.8, url: "https://github.com/netty/netty/security/advisories/ghsa-wm47-8v5p-wjpj", }, { trust: 1.8, url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { trust: 1.7, url: "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4", }, { trust: 1, url: "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb%40%3cissues.kudu.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r15f66ada9a5faf4bac69d9e7c4521cedfefa62df9509881603791969%40%3cjira.kafka.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r040a5e4d9cca2f98354b58a70b27099672276f66995c4e2e39545d0b%40%3cissues.hbase.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r393a339ab0b63ef9e6502253eeab26e7643b3e69738d5948b2b1d064%40%3cissues.hbase.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r3c293431c781696681abbfe1c573c2d9dcdae6fd3ff330ea22f0433f%40%3cjira.kafka.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c%40%3cissues.flink.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2%40%3ccommits.servicecomb.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c%40%3ccommits.servicecomb.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r5470456cf1409a99893ae9dd57439799f6dc1a60fda90e11570f66fe%40%3cnotifications.zookeeper.apache.org%3e", }, { trust: 1, url: 
"https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2%40%3ccommits.servicecomb.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r268850f26639ebe249356ed6d8edb54ee8943be6f200f770784fb190%40%3cissues.hbase.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r67e6a636cbc1958383a1cd72b7fd0cd7493360b1dd0e6c12f5761798%40%3cnotifications.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48%40%3ccommits.pulsar.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r33eb06b05afbc7df28d31055cae0cb3fd36cab808c884bf6d680bea5%40%3cdev.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r22b2f34447d71c9a0ad9079b7860323d5584fb9b40eb42668c21eaf1%40%3cissues.hbase.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e%40%3cissues.flink.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r9051e4f484a970b5566dc1870ecd9c1eb435214e2652cf3ea4d0c0cc%40%3cjira.kafka.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925%40%3ccommits.servicecomb.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rcfc535afd413d9934d6ee509dce234dac41fa3747a7555befb17447e%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5%40%3cissues.flink.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d%40%3ccommits.servicecomb.apache.org%3e", }, { trust: 1, url: 
"https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700%40%3cjira.kafka.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890%40%3cissues.bookkeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rdc096e13ac4501ea2e2b03a197682a313b85d3d3ec89d5ae5551b384%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rfff6ff8ffb31e8a32619c79774def44b6ffbb037c128c5ad3eab7171%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3ccommits.pulsar.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904%40%3cdev.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80%40%3ccommits.servicecomb.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/ra83096bcbfe6e1f4d54449f8a013117a0536404e9d307ab4a0d34f81%40%3cissues.hbase.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d%40%3cissues.kudu.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898%40%3cdev.flink.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc%40%3cissues.kudu.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d%40%3ccommits.pulsar.apache.org%3e", }, { trust: 1, url: 
"https://lists.apache.org/thread.html/rbed09768f496244a2e138dbbe6d2847ddf796c9c8ef9e50f2e3e30d9%40%3cnotifications.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41%40%3cjira.kafka.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r5fc5786cdd640b1b0a3c643237ce0011f0a08a296b11c0e2c669022c%40%3cdev.kafka.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r3c4596b9b37f5ae91628ccf169d33cd5a0da4b16b6c39d5bad8e03f3%40%3cdev.jackrabbit.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4%40%3cdev.kafka.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r837bbcbf12e335e83ab448b1bd2c1ad7e86efdc14034b23811422e6a%40%3ccommits.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3%40%3cissues.kudu.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a%40%3cissues.flink.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24%40%3ccommits.servicecomb.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rbadcbcb50195f00bbd196403865ced521ca70787999583c07be38d0e%40%3cnotifications.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324%40%3cissues.flink.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b%40%3cissues.kudu.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r86cd38a825ab2344f3e6cad570528852f29a4ffdf56ab67d75c36edf%40%3cissues.hbase.apache.org%3e", }, { trust: 1, url: 
"https://lists.apache.org/thread.html/r6a122c25e352eb134d01e7f4fc4d345a491c5ee9453fef6fc754d15b%40%3ccommits.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed%40%3ccommits.servicecomb.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r312ce5bd3c6bf08c138349b507b6f1c25fe9cf40b6f2b0014c9d12b1%40%3cnotifications.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60%40%3ccommits.servicecomb.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r3ff9e735ca33612d900607dc139ebd38a64cadc6bce292e53eb86d7f%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f%40%3cdev.ranger.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r27b7e5a588ec826b15f38c40be500c50073400019ce7b8adfd07fece%40%3cissues.hbase.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rc165e36ca7cb5417aec3f21bbc4ec00fb38ecebdd96a82cfab9bd56f%40%3cjira.kafka.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rcf3752209a8b04996373bf57fdc808b3bfaa2be8702698a0323641f8%40%3ccommits.hbase.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de%40%3cnotifications.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052%40%3ccommits.servicecomb.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r6aee7e3566cb3e51eeed2fd8786704d91f80a7581e00a787ba9f37f6%40%3cissues.hbase.apache.org%3e", }, { trust: 1, 
url: "https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b%40%3ccommits.servicecomb.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf%40%3ccommits.servicecomb.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r905b92099998291956eebf4f1c5d95f5a0cbcece2946cc46d32274fd%40%3cdev.hbase.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r5232e33a1f3b310a3e083423f736f3925ebdb150844d60ac582809f8%40%3cnotifications.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c%40%3ccommits.servicecomb.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/re6207ebe2ca4d44f2a6deee695ad6f27fd29d78980f1d46ed1574f91%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3cissues.flink.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r96ce18044880c33634c4b3fcecc57b8b90673c9364d63eba00385523%40%3cjira.kafka.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rb95d42ce220ed4a4683aa17833b5006d657bc4254bc5cb03cd5e6bfb%40%3cissues.hbase.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r22adb45fe902aeafcd0a1c4db13984224a667676c323c66db3af38a1%40%3ccommits.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef%40%3ccommits.servicecomb.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73%40%3ccommits.servicecomb.apache.org%3e", }, { 
trust: 1, url: "https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882%40%3ccommits.servicecomb.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r1bca0b81193b74a451fc6d687ab58ef3a1f5ec40f6c61561d8dd9509%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5%40%3cdev.ranger.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r32b0b640ad2be3b858f0af51c68a7d5c5a66a462c8bbb93699825cd3%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r6a29316d758db628a1df49ca219d64caf493999b52cc77847bfba675%40%3cnotifications.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d%40%3ccommits.servicecomb.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325%40%3ccommits.pulsar.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468%40%3ccommits.servicecomb.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r70cebada51bc6d49138272437d8a28fe971d0197334ef906b575044c%40%3ccommits.zookeeper.apache.org%3e", }, { trust: 0.8, url: "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898@%3cdev.flink.apache.org%3e", }, { trust: 0.8, url: "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a@%3cissues.flink.apache.org%3e", }, { 
trust: 0.8, url: "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3cissues.flink.apache.org%3e", }, { trust: 0.8, url: "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324@%3cissues.flink.apache.org%3e", }, { trust: 0.8, url: "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e@%3cissues.flink.apache.org%3e", }, { trust: 0.8, url: "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c@%3cissues.flink.apache.org%3e", }, { trust: 0.8, url: "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5@%3cissues.flink.apache.org%3e", }, { trust: 0.8, url: "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc@%3cissues.kudu.apache.org%3e", }, { trust: 0.8, url: "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3@%3cissues.kudu.apache.org%3e", }, { trust: 0.8, url: "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb@%3cissues.kudu.apache.org%3e", }, { trust: 0.8, url: "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b@%3cissues.kudu.apache.org%3e", }, { trust: 0.8, url: "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d@%3cissues.kudu.apache.org%3e", }, { trust: 0.8, url: "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3ccommits.pulsar.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f@%3cdev.ranger.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5@%3cdev.ranger.apache.org%3e", }, { trust: 0.7, url: 
"https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882@%3ccommits.servicecomb.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2@%3ccommits.servicecomb.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925@%3ccommits.servicecomb.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef@%3ccommits.servicecomb.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d@%3ccommits.pulsar.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48@%3ccommits.pulsar.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325@%3ccommits.pulsar.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890@%3cissues.bookkeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41@%3cjira.kafka.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904@%3cdev.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4@%3cdev.kafka.apache.org%3e", }, { trust: 0.7, url: 
"https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700@%3cjira.kafka.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r3ff9e735ca33612d900607dc139ebd38a64cadc6bce292e53eb86d7f@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r1bca0b81193b74a451fc6d687ab58ef3a1f5ec40f6c61561d8dd9509@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r312ce5bd3c6bf08c138349b507b6f1c25fe9cf40b6f2b0014c9d12b1@%3cnotifications.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r9051e4f484a970b5566dc1870ecd9c1eb435214e2652cf3ea4d0c0cc@%3cjira.kafka.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rcfc535afd413d9934d6ee509dce234dac41fa3747a7555befb17447e@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r3c293431c781696681abbfe1c573c2d9dcdae6fd3ff330ea22f0433f@%3cjira.kafka.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rbadcbcb50195f00bbd196403865ced521ca70787999583c07be38d0e@%3cnotifications.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c@%3ccommits.servicecomb.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r67e6a636cbc1958383a1cd72b7fd0cd7493360b1dd0e6c12f5761798@%3cnotifications.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r6a29316d758db628a1df49ca219d64caf493999b52cc77847bfba675@%3cnotifications.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de@%3cnotifications.zookeeper.apache.org%3e", }, { trust: 0.7, url: 
"https://lists.apache.org/thread.html/r5470456cf1409a99893ae9dd57439799f6dc1a60fda90e11570f66fe@%3cnotifications.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r837bbcbf12e335e83ab448b1bd2c1ad7e86efdc14034b23811422e6a@%3ccommits.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r22adb45fe902aeafcd0a1c4db13984224a667676c323c66db3af38a1@%3ccommits.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rbed09768f496244a2e138dbbe6d2847ddf796c9c8ef9e50f2e3e30d9@%3cnotifications.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r6a122c25e352eb134d01e7f4fc4d345a491c5ee9453fef6fc754d15b@%3ccommits.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r5232e33a1f3b310a3e083423f736f3925ebdb150844d60ac582809f8@%3cnotifications.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r70cebada51bc6d49138272437d8a28fe971d0197334ef906b575044c@%3ccommits.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/re6207ebe2ca4d44f2a6deee695ad6f27fd29d78980f1d46ed1574f91@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80@%3ccommits.servicecomb.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rdc096e13ac4501ea2e2b03a197682a313b85d3d3ec89d5ae5551b384@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r5fc5786cdd640b1b0a3c643237ce0011f0a08a296b11c0e2c669022c@%3cdev.kafka.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r96ce18044880c33634c4b3fcecc57b8b90673c9364d63eba00385523@%3cjira.kafka.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rc165e36ca7cb5417aec3f21bbc4ec00fb38ecebdd96a82cfab9bd56f@%3cjira.kafka.apache.org%3e", }, { 
trust: 0.7, url: "https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c@%3ccommits.servicecomb.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73@%3ccommits.servicecomb.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r27b7e5a588ec826b15f38c40be500c50073400019ce7b8adfd07fece@%3cissues.hbase.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rb95d42ce220ed4a4683aa17833b5006d657bc4254bc5cb03cd5e6bfb@%3cissues.hbase.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r393a339ab0b63ef9e6502253eeab26e7643b3e69738d5948b2b1d064@%3cissues.hbase.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rcf3752209a8b04996373bf57fdc808b3bfaa2be8702698a0323641f8@%3ccommits.hbase.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r040a5e4d9cca2f98354b58a70b27099672276f66995c4e2e39545d0b@%3cissues.hbase.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/ra83096bcbfe6e1f4d54449f8a013117a0536404e9d307ab4a0d34f81@%3cissues.hbase.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r86cd38a825ab2344f3e6cad570528852f29a4ffdf56ab67d75c36edf@%3cissues.hbase.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r6aee7e3566cb3e51eeed2fd8786704d91f80a7581e00a787ba9f37f6@%3cissues.hbase.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r22b2f34447d71c9a0ad9079b7860323d5584fb9b40eb42668c21eaf1@%3cissues.hbase.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r905b92099998291956eebf4f1c5d95f5a0cbcece2946cc46d32274fd@%3cdev.hbase.apache.org%3e", }, { trust: 0.7, url: 
"https://lists.apache.org/thread.html/r15f66ada9a5faf4bac69d9e7c4521cedfefa62df9509881603791969@%3cjira.kafka.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r268850f26639ebe249356ed6d8edb54ee8943be6f200f770784fb190@%3cissues.hbase.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2@%3ccommits.servicecomb.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b@%3ccommits.servicecomb.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052@%3ccommits.servicecomb.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d@%3ccommits.servicecomb.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60@%3ccommits.servicecomb.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24@%3ccommits.servicecomb.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d@%3ccommits.servicecomb.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r3c4596b9b37f5ae91628ccf169d33cd5a0da4b16b6c39d5bad8e03f3@%3cdev.jackrabbit.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468@%3ccommits.servicecomb.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed@%3ccommits.servicecomb.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf@%3ccommits.servicecomb.apache.org%3e", 
}, { trust: 0.7, url: "https://lists.apache.org/thread.html/r32b0b640ad2be3b858f0af51c68a7d5c5a66a462c8bbb93699825cd3@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rfff6ff8ffb31e8a32619c79774def44b6ffbb037c128c5ad3eab7171@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r33eb06b05afbc7df28d31055cae0cb3fd36cab808c884bf6d680bea5@%3cdev.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://access.redhat.com/security/cve/cve-2021-21295", }, { trust: 0.6, url: "https://listman.redhat.com/mailman/listinfo/rhsa-announce", }, { trust: 0.6, url: "https://bugzilla.redhat.com/):", }, { trust: 0.6, url: "https://access.redhat.com/security/team/contact/", }, { trust: 0.6, url: "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-netty-2/", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2021.2416", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2021.3208", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2021.1821", }, { trust: 0.6, url: "https://packetstormsecurity.com/files/163517/red-hat-security-advisory-2021-2755-01.html", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2021.1108", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2021.1571", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2021.3495", }, { trust: 0.6, url: 
"https://packetstormsecurity.com/files/167709/red-hat-security-advisory-2022-5498-01.html", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2022.3282", }, { trust: 0.6, url: "https://packetstormsecurity.com/files/165294/red-hat-security-advisory-2021-5134-05.html", }, { trust: 0.6, url: "https://www.cybersecurity-help.cz/vdb/sb2021050706", }, { trust: 0.6, url: "https://www.ibm.com/support/pages/node/6518930", }, { trust: 0.6, url: "https://packetstormsecurity.com/files/163477/red-hat-security-advisory-2021-2689-01.html", }, { trust: 0.6, url: "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-have-been-identified-in-netty-shipped-with-ibm-tivoli-netcool-omnibus-transport-module-common-integration-library-cve-2021-21290-cve-2021-21295-cve-2021/", }, { trust: 0.6, url: "https://packetstormsecurity.com/files/163922/red-hat-security-advisory-2021-3225-01.html", }, { trust: 0.6, url: "https://www.cybersecurity-help.cz/vdb/sb2021100302", }, { trust: 0.6, url: "https://packetstormsecurity.com/files/162035/red-hat-security-advisory-2021-0943-01.html", }, { trust: 0.6, url: "https://www.ibm.com/blogs/psirt/security-bulletin-netty-vulnerability-affects-ibm-watson-machine-learning-on-cp4d-cve-2021-21295/", }, { trust: 0.6, url: "https://packetstormsecurity.com/files/164279/red-hat-security-advisory-2021-3660-01.html", }, { trust: 0.6, url: "https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-netty-affects-ibm-spectrum-scale-transparent-cloud-tiercve-2021-21295/", }, { trust: 0.6, url: "https://www.cybersecurity-help.cz/vdb/sb2021081922", }, { trust: 0.6, url: "https://packetstormsecurity.com/files/162732/red-hat-security-advisory-2021-2070-01.html", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2021.1755", }, { trust: 0.6, url: "https://packetstormsecurity.com/files/162714/red-hat-security-advisory-2021-2051-01.html", }, { trust: 0.6, url: 
"https://packetstormsecurity.com/files/164346/red-hat-security-advisory-2021-3700-01.html", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2021.2357", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2021.2896", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2021.4253", }, { trust: 0.6, url: "https://www.cybersecurity-help.cz/vdb/sb2021071219", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2021.1144", }, { trust: 0.6, url: "https://packetstormsecurity.com/files/164566/red-hat-security-advisory-2021-3880-01.html", }, { trust: 0.6, url: "https://packetstormsecurity.com/files/162839/red-hat-security-advisory-2021-2139-01.html", }, { trust: 0.6, url: "https://packetstormsecurity.com/files/162490/red-hat-security-advisory-2021-1511-01.html", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2021.3284", }, { trust: 0.6, url: "https://vigilance.fr/vulnerability/netty-information-disclosure-via-content-length-header-34897", }, { trust: 0.5, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21290", }, { trust: 0.4, url: "https://issues.jboss.org/):", }, { trust: 0.4, url: "https://nvd.nist.gov/vuln/detail/cve-2020-13936", }, { trust: 0.4, url: "https://access.redhat.com/articles/11258", }, { trust: 0.4, url: "https://access.redhat.com/security/cve/cve-2021-21290", }, { trust: 0.4, url: "https://access.redhat.com/security/team/key/", }, { trust: 0.4, url: "https://access.redhat.com/security/cve/cve-2020-13936", }, { trust: 0.4, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21409", }, { trust: 0.4, url: "https://access.redhat.com/security/cve/cve-2021-21409", }, { trust: 0.3, url: "https://access.redhat.com/security/cve/cve-2021-3690", }, { trust: 0.3, url: "https://access.redhat.com/security/cve/cve-2021-28170", }, { trust: 0.3, url: "https://access.redhat.com/security/cve/cve-2021-3597", }, { trust: 0.3, url: "https://access.redhat.com/security/cve/cve-2021-3536", }, { trust: 0.3, url: 
"https://access.redhat.com/security/cve/cve-2021-29425", }, { trust: 0.2, url: "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/", }, { trust: 0.2, url: "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/", }, { trust: 0.2, url: "https://access.redhat.com/security/updates/classification/#moderate", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-21350", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-21341", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-21347", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-21349", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21341", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21342", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-21345", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2020-26259", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-21342", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-21344", }, { trust: 0.2, url: "https://access.redhat.com/security/updates/classification/#critical", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-21348", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21344", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-21346", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-21343", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21343", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-21351", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2020-26259", }, { trust: 0.2, url: "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", }, { trust: 
0.2, url: "https://access.redhat.com/security/cve/cve-2021-3644", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2021-3644", }, { trust: 0.2, url: "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2021-3536", }, { trust: 0.2, url: "https://access.redhat.com/security/updates/classification/#important", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2021-3597", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2021-29425", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2021-3690", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-3642", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2021-3642", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2021-28170", }, { trust: 0.1, url: "https://github.com/netty/netty/security/advisories/ghsa-f256-j965-7f32", }, { trust: 0.1, url: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-21295", }, { trust: 0.1, url: "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432", }, { trust: 0.1, url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { trust: 0.1, url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { trust: 0.1, url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa@%3cjira.kafka.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8@%3ccommits.pulsar.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35@%3ccommits.pulsar.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed@%3ccommits.pulsar.apache.org%3e", 
}, { trust: 0.1, url: "https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e@%3ccommits.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5@%3ccommits.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355@%3ccommits.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101@%3ccommits.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2@%3ccommits.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de@%3cdev.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575@%3cdev.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362@%3cdev.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9@%3cissues.zookeeper.apache.org%3e", 
}, { trust: 0.1, url: "https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.1, url: 
"https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795@%3cnotifications.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39@%3cnotifications.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9@%3cnotifications.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8@%3cnotifications.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183@%3cnotifications.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4@%3cnotifications.zookeeper.apache.org%3e", }, { trust: 0.1, url: "https://cwe.mitre.org/data/definitions/444.html", }, { trust: 0.1, url: "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984948", }, { trust: 0.1, url: "https://github.com/pwncast/cve-2021-21295", }, { trust: 0.1, url: "https://nvd.nist.gov", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2021:2048", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2021:2046", }, { trust: 0.1, url: "https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.2/html/upgrading_data_grid/", }, { trust: 0.1, url: "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product\\xdata.grid&version=8.2", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-26258", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21351", }, { trust: 0.1, url: 
"https://access.redhat.com/security/cve/cve-2020-26258", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21348", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-31917", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-10771", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-31917", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-10771", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21349", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2021:2139", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21347", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21345", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21350", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21346", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-37714", }, { trust: 0.1, url: "https://access.redhat.com/security/vulnerabilities/rhsb-2021-009", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-35510", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-28169", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-17527", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-17521", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-3629", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-2875", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-28164", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2019-12415", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-11988", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-9488", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-28491", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-30129", }, { trust: 0.1, url: 
"https://nvd.nist.gov/vuln/detail/cve-2020-2875", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-30468", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2019-12415", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-28163", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2019-10744", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-26217", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-17527", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-11987", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-20218", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-27782", }, { trust: 0.1, url: "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product=jboss.fuse&version=7.10.0", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-37136", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-44228", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-34428", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-2934", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-17521", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-27223", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-22696", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-15522", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-11987", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-26217", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-15522", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-27218", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-27218", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2019-10744", }, { trust: 0.1, url: 
"https://access.redhat.com/security/cve/cve-2021-37137", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-35510", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-2934", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-13943", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-13943", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-13949", }, { trust: 0.1, url: "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-9488", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-28491", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-23926", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-27223", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-27782", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2021:5134", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-27568", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-11988", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-13949", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-20218", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-22118", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2021:3658", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2021:3656", }, { trust: 0.1, url: "https://security-tracker.debian.org/tracker/netty", }, { trust: 0.1, url: "https://www.debian.org/security/faq", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-7238", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-11612", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2019-20444", }, { trust: 0.1, url: "https://www.debian.org/security/", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2019-20445", }, ], 
sources: [ { db: "VULHUB", id: "VHN-379190", }, { db: "VULMON", id: "CVE-2021-21295", }, { db: "JVNDB", id: "JVNDB-2021-004681", }, { db: "PACKETSTORM", id: "162716", }, { db: "PACKETSTORM", id: "162719", }, { db: "PACKETSTORM", id: "162839", }, { db: "PACKETSTORM", id: "165294", }, { db: "PACKETSTORM", id: "164276", }, { db: "PACKETSTORM", id: "164275", }, { db: "PACKETSTORM", id: "169055", }, { db: "CNNVD", id: "CNNVD-202103-713", }, { db: "NVD", id: "CVE-2021-21295", }, ], }, sources: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", data: { "@container": "@list", }, }, data: [ { db: "VULHUB", id: "VHN-379190", }, { db: "VULMON", id: "CVE-2021-21295", }, { db: "JVNDB", id: "JVNDB-2021-004681", }, { db: "PACKETSTORM", id: "162716", }, { db: "PACKETSTORM", id: "162719", }, { db: "PACKETSTORM", id: "162839", }, { db: "PACKETSTORM", id: "165294", }, { db: "PACKETSTORM", id: "164276", }, { db: "PACKETSTORM", id: "164275", }, { db: "PACKETSTORM", id: "169055", }, { db: "CNNVD", id: "CNNVD-202103-713", }, { db: "NVD", id: "CVE-2021-21295", }, ], }, sources_release_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", data: { "@container": "@list", }, }, data: [ { date: "2021-03-30T00:00:00", db: "VULHUB", id: "VHN-379190", }, { date: "2021-03-09T00:00:00", db: "VULMON", id: "CVE-2021-21295", }, { date: "2021-11-26T00:00:00", db: "JVNDB", id: "JVNDB-2021-004681", }, { date: "2021-05-19T21:04:10", db: "PACKETSTORM", id: "162716", }, { date: "2021-05-19T21:04:29", db: "PACKETSTORM", id: "162719", }, { date: "2021-05-27T13:30:24", db: "PACKETSTORM", id: "162839", }, { date: "2021-12-15T15:25:47", db: "PACKETSTORM", id: "165294", }, { date: "2021-09-24T15:39:43", db: "PACKETSTORM", id: "164276", }, { date: "2021-09-24T15:39:14", db: "PACKETSTORM", id: "164275", }, { date: "2021-04-28T19:12:00", db: "PACKETSTORM", id: "169055", }, { date: "2021-03-09T00:00:00", db: "CNNVD", id: "CNNVD-202103-713", }, { date: 
"2021-03-09T19:15:12.657000", db: "NVD", id: "CVE-2021-21295", }, ], }, sources_update_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", data: { "@container": "@list", }, }, data: [ { date: "2022-05-12T00:00:00", db: "VULHUB", id: "VHN-379190", }, { date: "2022-05-12T00:00:00", db: "VULMON", id: "CVE-2021-21295", }, { date: "2021-11-26T06:13:00", db: "JVNDB", id: "JVNDB-2021-004681", }, { date: "2022-07-07T00:00:00", db: "CNNVD", id: "CNNVD-202103-713", }, { date: "2024-11-21T05:47:57.530000", db: "NVD", id: "CVE-2021-21295", }, ], }, threat_type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "remote", sources: [ { db: "CNNVD", id: "CNNVD-202103-713", }, ], trust: 0.6, }, title: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Netty In HTTP Request Smuggling Vulnerability", sources: [ { db: "JVNDB", id: "JVNDB-2021-004681", }, ], trust: 0.8, }, type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "environmental issue", sources: [ { db: "CNNVD", id: "CNNVD-202103-713", }, ], trust: 0.6, }, }
var-202103-1554
Vulnerability from variot
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed fixing this one case. This was fixed as part of 4.1.61.Final. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
===================================================================== Red Hat Security Advisory
Synopsis: Moderate: Red Hat build of Eclipse Vert.x 4.1.0 security update Advisory ID: RHSA-2021:2465-01 Product: Red Hat OpenShift Application Runtimes Advisory URL: https://access.redhat.com/errata/RHSA-2021:2465 Issue date: 2021-07-07 CVE Names: CVE-2021-21409 CVE-2021-29425 =====================================================================
- Summary:
An update is now available for Red Hat build of Eclipse Vert.x.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE pages listed in the References section.
- Description:
This release of Red Hat build of Eclipse Vert.x 4.1.0 includes security updates, bug fixes, and enhancements. For more information, see the release notes listed in the References section.
Security Fix(es):
-
netty: Request smuggling via content-length header (CVE-2021-21409)
-
apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6 (CVE-2021-29425)
For more details about the security issues and their impact, the CVSS score, acknowledgements, and other related information, see the CVE pages listed in the References section.
- Solution:
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
The References section of this erratum contains a download link for the update. You must be logged in to download the update.
- Bugs fixed (https://bugzilla.redhat.com/):
1944888 - CVE-2021-21409 netty: Request smuggling via content-length header 1948752 - CVE-2021-29425 apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6
- References:
https://access.redhat.com/security/cve/CVE-2021-21409 https://access.redhat.com/security/cve/CVE-2021-29425 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.eclipse.vertx&version=4.1.0 https://access.redhat.com/documentation/en-us/red_hat_build_of_eclipse_vert.x/4.1/html/release_notes_for_eclipse_vert.x_4.1/index
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBYOVJ+tzjgjWX9erEAQgVDg/+LCuqGGlGFUskj8QuogB1kumZg8RhAPi8 vhHApTlHA1YpmqL3/6yr8pCc4UaxUwYZ4Qa1Wgf/OvOBPwNg1LS90/+9gCFj18NM +I6VZhdx3YqNS/4sQm5JMXKzLmNMc+dtmaDYHJRqYMfWZCFakBkwlSCOlXWwFgvX eIB7jn1Bs/27JgqN+e2eI0a+YWlwgshipCqng7eGEl3nW0CnCereWJu0LyquHiWi maxZpr3AuoTGzcqsQukJHrB/H3LWd72RW8LcSzXNf+L8KaS87Sy5lRRWh9t8syTQ 49WJx9ucwMU4CQZHwRhklzF9oPEfVfXWANwAtVDOXIVqFp2XtsLyG5RTQjO6Dsku edV5OzRBRgYD7BODPOhAMU2yvpYgoPOzDXYd7GnzCK8JeShHMBgr1BMnFmVCUIOt ryWbK03V7CCuondt6Xt97SijkBofap8bRSReQ1rlEO8g4ZRvrF3iwpJ/r9t5py5e D6aGYLjrPCh6mC0p4jRVO42h6/CEu8tqSQqqjyl+MuV38TUiPIEgADRDuEO5fwvy 4Bowtql6FDyEmdNsdkVAkNw7QQgksZY3us0Re14lYLSR7OAHjxA2ZpOCF7RlLNaz r5UCqegrLFG1QIiv4ziKxJDZgjn3+Ugbbjf1iGna+oDkHEGrudeOmpGO6TF3Pp71 qzG3w0/SNQY= =kFZD -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Description:
Red Hat Data Grid is a distributed, in-memory data store. Solution:
Refer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to this version. Bugs fixed (https://bugzilla.redhat.com/):
1846293 - CVE-2020-10771 Infinispan: Actions with effects should not be permitted via GET requests using REST API 1908832 - CVE-2020-26258 XStream: Server-Side Request Forgery vulnerability can be activated when unmarshalling 1908837 - CVE-2020-26259 XStream: arbitrary file deletion on the local host when unmarshalling 1927028 - CVE-2021-21290 netty: Information disclosure via the local system temporary directory 1937364 - CVE-2021-21295 netty: possible request smuggling in HTTP/2 due to missing validation 1942539 - CVE-2021-21341 XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream 1942545 - CVE-2021-21342 XStream: SSRF via crafted input stream 1942550 - CVE-2021-21343 XStream: arbitrary file deletion on the local host via crafted input stream 1942554 - CVE-2021-21344 XStream: Unsafe deserialization of javax.sql.rowset.BaseRowSet 1942558 - CVE-2021-21345 XStream: Unsafe deserialization of com.sun.corba.se.impl.activation.ServerTableEntry 1942578 - CVE-2021-21346 XStream: Unsafe deserialization of sun.swing.SwingLazyValue 1942629 - CVE-2021-21347 XStream: Unsafe deserialization of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator 1942633 - CVE-2021-21348 XStream: ReDoS vulnerability 1942635 - CVE-2021-21349 XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host 1942637 - CVE-2021-21350 XStream: Unsafe deserialization of com.sun.org.apache.bcel.internal.util.ClassLoader 1942642 - CVE-2021-21351 XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream 1944888 - CVE-2021-21409 netty: Request smuggling via content-length header 1955113 - CVE-2021-31917 Infinispan: Authentication bypass on REST endpoints when using DIGEST authentication mechanism
- Solution:
For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update:
https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html
For Red Hat OpenShift Logging 5.1, see the following instructions to apply this update:
https://docs.openshift.com/container-platform/4.8/logging/cluster-logging-upgrading.html
- Bugs fixed (https://bugzilla.redhat.com/):
1944888 - CVE-2021-21409 netty: Request smuggling via content-length header 2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data 2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way 2030932 - CVE-2021-44228 log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value
- JIRA issues fixed (https://issues.jboss.org/):
LOG-1971 - Applying cluster state is causing elasticsearch to hit an issue and become unusable
- Bugs fixed (https://bugzilla.redhat.com/):
1927028 - CVE-2021-21290 netty: Information disclosure via the local system temporary directory 1930423 - CVE-2020-28491 jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception 1935927 - CVE-2021-20289 resteasy: Error message exposes endpoint class information 1937364 - CVE-2021-21295 netty: possible request smuggling in HTTP/2 due to missing validation 1944888 - CVE-2021-21409 netty: Request smuggling via content-length header 1955739 - CVE-2021-26291 maven: Block repositories using http by default 1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer
- Description:
Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. Description:
Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", affected_products: { "@id": "https://www.variotdbs.pl/ref/affected_products", }, configurations: { "@id": "https://www.variotdbs.pl/ref/configurations", }, credits: { "@id": "https://www.variotdbs.pl/ref/credits", }, cvss: { "@id": "https://www.variotdbs.pl/ref/cvss/", }, description: { "@id": "https://www.variotdbs.pl/ref/description/", }, exploit_availability: { "@id": "https://www.variotdbs.pl/ref/exploit_availability/", }, external_ids: { "@id": "https://www.variotdbs.pl/ref/external_ids/", }, iot: { "@id": "https://www.variotdbs.pl/ref/iot/", }, iot_taxonomy: { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/", }, patch: { "@id": "https://www.variotdbs.pl/ref/patch/", }, problemtype_data: { "@id": "https://www.variotdbs.pl/ref/problemtype_data/", }, references: { "@id": "https://www.variotdbs.pl/ref/references/", }, sources: { "@id": "https://www.variotdbs.pl/ref/sources/", }, sources_release_date: { "@id": "https://www.variotdbs.pl/ref/sources_release_date/", }, sources_update_date: { "@id": "https://www.variotdbs.pl/ref/sources_update_date/", }, threat_type: { "@id": "https://www.variotdbs.pl/ref/threat_type/", }, title: { "@id": "https://www.variotdbs.pl/ref/title/", }, type: { "@id": "https://www.variotdbs.pl/ref/type/", }, }, "@id": "https://www.variotdbs.pl/vuln/VAR-202103-1554", affected_products: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { model: "communications cloud native core policy", scope: "eq", trust: 1, vendor: "oracle", version: "1.14.0", }, { model: "nosql database", scope: "lt", trust: 1, vendor: "oracle", version: "21.1.12", }, { model: "oncommand api services", scope: "eq", trust: 1, vendor: "netapp", version: 
null, }, { model: "communications brm - elastic charging engine", scope: "eq", trust: 1, vendor: "oracle", version: "12.0.0.3", }, { model: "communications messaging server", scope: "eq", trust: 1, vendor: "oracle", version: "8.1", }, { model: "primavera gateway", scope: "lte", trust: 1, vendor: "oracle", version: "17.12.11", }, { model: "primavera gateway", scope: "gte", trust: 1, vendor: "oracle", version: "18.8.0", }, { model: "banking credit facilities process management", scope: "eq", trust: 1, vendor: "oracle", version: "14.5.0", }, { model: "banking corporate lending process management", scope: "eq", trust: 1, vendor: "oracle", version: "14.3.0", }, { model: "coherence", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.1.4.0", }, { model: "communications cloud native core console", scope: "eq", trust: 1, vendor: "oracle", version: "1.7.0", }, { model: "primavera gateway", scope: "lte", trust: 1, vendor: "oracle", version: "19.12.10", }, { model: "primavera gateway", scope: "gte", trust: 1, vendor: "oracle", version: "17.12.0", }, { model: "quarkus", scope: "lte", trust: 1, vendor: "quarkus", version: "1.13.7", }, { model: "banking credit facilities process management", scope: "eq", trust: 1, vendor: "oracle", version: "14.2.0", }, { model: "helidon", scope: "eq", trust: 1, vendor: "oracle", version: "2.4.0", }, { model: "banking trade finance process management", scope: "eq", trust: 1, vendor: "oracle", version: "14.5.0", }, { model: "coherence", scope: "eq", trust: 1, vendor: "oracle", version: "14.1.1.0.0", }, { model: "primavera gateway", scope: "lte", trust: 1, vendor: "oracle", version: "18.8.11", }, { model: "banking trade finance process management", scope: "eq", trust: 1, vendor: "oracle", version: "14.2.0", }, { model: "oncommand workflow automation", scope: "eq", trust: 1, vendor: "netapp", version: null, }, { model: "jd edwards enterpriseone tools", scope: "lt", trust: 1, vendor: "oracle", version: "9.2.6.3", }, { model: "primavera 
gateway", scope: "gte", trust: 1, vendor: "oracle", version: "19.12.0", }, { model: "banking credit facilities process management", scope: "eq", trust: 1, vendor: "oracle", version: "14.3.0", }, { model: "helidon", scope: "eq", trust: 1, vendor: "oracle", version: "1.4.10", }, { model: "communications design studio", scope: "eq", trust: 1, vendor: "oracle", version: "7.4.2.0.0", }, { model: "banking corporate lending process management", scope: "eq", trust: 1, vendor: "oracle", version: "14.5.0", }, { model: "netty", scope: "lt", trust: 1, vendor: "netty", version: "4.1.61", }, { model: "linux", scope: "eq", trust: 1, vendor: "debian", version: "10.0", }, { model: "banking corporate lending process management", scope: "eq", trust: 1, vendor: "oracle", version: "14.2.0", }, { model: "banking trade finance process management", scope: "eq", trust: 1, vendor: "oracle", version: "14.3.0", }, ], sources: [ { db: "NVD", id: "CVE-2021-21409", }, ], }, credits: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Red Hat", sources: [ { db: "PACKETSTORM", id: "163423", }, { db: "PACKETSTORM", id: "162839", }, { db: "PACKETSTORM", id: "165287", }, { db: "PACKETSTORM", id: "165286", }, { db: "PACKETSTORM", id: "164566", }, { db: "PACKETSTORM", id: "163922", }, { db: "PACKETSTORM", id: "163713", }, { db: "CNNVD", id: "CNNVD-202103-1685", }, ], trust: 1.3, }, cve: "CVE-2021-21409", cvss: { "@context": { cvssV2: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2", }, cvssV3: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/", }, severity: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#", }, "@id": 
"https://www.variotdbs.pl/ref/cvss/severity", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { cvssV2: [ { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", author: "nvd@nist.gov", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", exploitabilityScore: 8.6, id: "CVE-2021-21409", impactScore: 2.9, integrityImpact: "PARTIAL", severity: "MEDIUM", trust: 1, vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", author: "VULHUB", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", exploitabilityScore: 8.6, id: "VHN-379190", impactScore: 2.9, integrityImpact: "PARTIAL", severity: "MEDIUM", trust: 0.1, vectorString: "AV:N/AC:M/AU:N/C:N/I:P/A:N", version: "2.0", }, ], cvssV3: [ { attackComplexity: "HIGH", attackVector: "NETWORK", author: "nvd@nist.gov", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", exploitabilityScore: 2.2, id: "CVE-2021-21409", impactScore: 3.6, integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", trust: 2, userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, ], severity: [ { author: "nvd@nist.gov", id: "CVE-2021-21409", trust: 1, value: "MEDIUM", }, { author: "security-advisories@github.com", id: "CVE-2021-21409", trust: 1, value: "MEDIUM", }, { author: "CNNVD", id: "CNNVD-202103-1685", trust: 0.6, value: "MEDIUM", }, { author: "VULHUB", id: "VHN-379190", trust: 0.1, value: "MEDIUM", }, ], }, ], sources: [ { db: "VULHUB", id: "VHN-379190", }, { db: "CNNVD", id: "CNNVD-202103-1685", }, { db: "NVD", id: "CVE-2021-21409", }, { db: "NVD", id: "CVE-2021-21409", }, ], }, description: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", sources: 
{ "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Moderate: Red Hat build of Eclipse Vert.x 4.1.0 security update\nAdvisory ID: RHSA-2021:2465-01\nProduct: Red Hat OpenShift Application Runtimes\nAdvisory URL: https://access.redhat.com/errata/RHSA-2021:2465\nIssue date: 2021-07-07\nCVE Names: CVE-2021-21409 CVE-2021-29425 \n=====================================================================\n\n1. Summary:\n\nAn update is now available for Red Hat build of Eclipse Vert.x. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability. For\nmore information, see the CVE pages listed in the References section. \n\n2. Description:\n\nThis release of Red Hat build of Eclipse Vert.x 4.1.0 includes security\nupdates, bug fixes, and enhancements. For more information, see the release\nnotes listed in the References section. 
\n\nSecurity Fix(es):\n\n* netty: Request smuggling via content-length header (CVE-2021-21409)\n\n* apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6\n(CVE-2021-29425)\n\nFor more details about the security issues and their impact, the CVSS\nscore, acknowledgements, and other related information, see the CVE pages\nlisted in the References section. \n\n3. Solution:\n\nBefore applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on. \n\nThe References section of this erratum contains a download link for the\nupdate. You must be logged in to download the update. \n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1944888 - CVE-2021-21409 netty: Request smuggling via content-length header\n1948752 - CVE-2021-29425 apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6\n\n5. References:\n\nhttps://access.redhat.com/security/cve/CVE-2021-21409\nhttps://access.redhat.com/security/cve/CVE-2021-29425\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.eclipse.vertx&version=4.1.0\nhttps://access.redhat.com/documentation/en-us/red_hat_build_of_eclipse_vert.x/4.1/html/release_notes_for_eclipse_vert.x_4.1/index\n\n6. Contact:\n\nThe Red Hat security contact is <secalert@redhat.com>. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2021 Red Hat, Inc. 
\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBYOVJ+tzjgjWX9erEAQgVDg/+LCuqGGlGFUskj8QuogB1kumZg8RhAPi8\nvhHApTlHA1YpmqL3/6yr8pCc4UaxUwYZ4Qa1Wgf/OvOBPwNg1LS90/+9gCFj18NM\n+I6VZhdx3YqNS/4sQm5JMXKzLmNMc+dtmaDYHJRqYMfWZCFakBkwlSCOlXWwFgvX\neIB7jn1Bs/27JgqN+e2eI0a+YWlwgshipCqng7eGEl3nW0CnCereWJu0LyquHiWi\nmaxZpr3AuoTGzcqsQukJHrB/H3LWd72RW8LcSzXNf+L8KaS87Sy5lRRWh9t8syTQ\n49WJx9ucwMU4CQZHwRhklzF9oPEfVfXWANwAtVDOXIVqFp2XtsLyG5RTQjO6Dsku\nedV5OzRBRgYD7BODPOhAMU2yvpYgoPOzDXYd7GnzCK8JeShHMBgr1BMnFmVCUIOt\nryWbK03V7CCuondt6Xt97SijkBofap8bRSReQ1rlEO8g4ZRvrF3iwpJ/r9t5py5e\nD6aGYLjrPCh6mC0p4jRVO42h6/CEu8tqSQqqjyl+MuV38TUiPIEgADRDuEO5fwvy\n4Bowtql6FDyEmdNsdkVAkNw7QQgksZY3us0Re14lYLSR7OAHjxA2ZpOCF7RlLNaz\nr5UCqegrLFG1QIiv4ziKxJDZgjn3+Ugbbjf1iGna+oDkHEGrudeOmpGO6TF3Pp71\nqzG3w0/SNQY=\n=kFZD\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n. Description:\n\nRed Hat Data Grid is a distributed, in-memory data store. Solution:\n\nRefer to the Data Grid 8.2 Upgrade Guide for instructions on upgrading to\nthis version. 
Bugs fixed (https://bugzilla.redhat.com/):\n\n1846293 - CVE-2020-10771 Infinispan: Actions with effects should not be permitted via GET requests using REST API\n1908832 - CVE-2020-26258 XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling\n1908837 - CVE-2020-26259 XStream: arbitrary file deletion on the local host when unmarshalling\n1927028 - CVE-2021-21290 netty: Information disclosure via the local system temporary directory\n1937364 - CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation\n1942539 - CVE-2021-21341 XStream: allow a remote attacker to cause DoS only by manipulating the processed input stream\n1942545 - CVE-2021-21342 XStream: SSRF via crafted input stream\n1942550 - CVE-2021-21343 XStream: arbitrary file deletion on the local host via crafted input stream\n1942554 - CVE-2021-21344 XStream: Unsafe deserizaliation of javax.sql.rowset.BaseRowSet\n1942558 - CVE-2021-21345 XStream: Unsafe deserizaliation of com.sun.corba.se.impl.activation.ServerTableEntry\n1942578 - CVE-2021-21346 XStream: Unsafe deserizaliation of sun.swing.SwingLazyValue\n1942629 - CVE-2021-21347 XStream: Unsafe deserizaliation of com.sun.tools.javac.processing.JavacProcessingEnvironment NameProcessIterator\n1942633 - CVE-2021-21348 XStream: ReDoS vulnerability\n1942635 - CVE-2021-21349 XStream: SSRF can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host\n1942637 - CVE-2021-21350 XStream: Unsafe deserizaliation of com.sun.org.apache.bcel.internal.util.ClassLoader\n1942642 - CVE-2021-21351 XStream: allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream\n1944888 - CVE-2021-21409 netty: Request smuggling via content-length header\n1955113 - CVE-2021-31917 Infinispan: Authentication bypass on REST endpoints when using DIGEST authentication mechanism\n\n5. 
Solution:\n\nFor OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nFor Red Hat OpenShift Logging 5.1, see the following instructions to apply\nthis update:\n\nhttps://docs.openshift.com/container-platform/4.8/logging/cluster-logging-upgrading.html\n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1944888 - CVE-2021-21409 netty: Request smuggling via content-length header\n2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data\n2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way\n2030932 - CVE-2021-44228 log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value\n\n5. JIRA issues fixed (https://issues.jboss.org/):\n\nLOG-1971 - Applying cluster state is causing elasticsearch to hit an issue and become unusable\n\n6. Bugs fixed (https://bugzilla.redhat.com/):\n\n1927028 - CVE-2021-21290 netty: Information disclosure via the local system temporary directory\n1930423 - CVE-2020-28491 jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception\n1935927 - CVE-2021-20289 resteasy: Error message exposes endpoint class information\n1937364 - CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation\n1944888 - CVE-2021-21409 netty: Request smuggling via content-length header\n1955739 - CVE-2021-26291 maven: Block repositories using http by default\n1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer\n\n5. 
Description:\n\nRed Hat AMQ Streams, based on the Apache Kafka project, offers a\ndistributed backbone that allows microservices and other applications to\nshare data with extremely high throughput and extremely low latency. Description:\n\nRed Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak\nproject, that provides authentication and standards-based single sign-on\ncapabilities for web and mobile applications", sources: [ { db: "NVD", id: "CVE-2021-21409", }, { db: "VULHUB", id: "VHN-379190", }, { db: "PACKETSTORM", id: "163423", }, { db: "PACKETSTORM", id: "162839", }, { db: "PACKETSTORM", id: "165287", }, { db: "PACKETSTORM", id: "165286", }, { db: "PACKETSTORM", id: "164566", }, { db: "PACKETSTORM", id: "163922", }, { db: "PACKETSTORM", id: "163713", }, ], trust: 1.62, }, external_ids: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { db: "NVD", id: "CVE-2021-21409", trust: 2.4, }, { db: "PACKETSTORM", id: "163423", trust: 0.8, }, { db: "PACKETSTORM", id: "162839", trust: 0.8, }, { db: "PACKETSTORM", id: "163489", trust: 0.7, }, { db: "PACKETSTORM", id: "167709", trust: 0.7, }, { db: "PACKETSTORM", id: "162490", trust: 0.7, }, { db: "PACKETSTORM", id: "163517", trust: 0.7, }, { db: "CNNVD", id: "CNNVD-202103-1685", trust: 0.7, }, { db: "PACKETSTORM", id: "164566", trust: 0.7, }, { db: "PACKETSTORM", id: "163922", trust: 0.7, }, { db: "PACKETSTORM", id: "163713", trust: 0.7, }, { db: "AUSCERT", id: "ESB-2022.0872", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2021.2572", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2022.0887", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2021.4253", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2021.3256", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2022.3282", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2021.2357", trust: 0.6, }, { db: "AUSCERT", id: 
"ESB-2021.2363", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2021.2323", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2021.4229", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2021.1821", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2021.1144", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2021.2896", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2021.3495", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2021.3208", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2021.2416", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2021.1571", trust: 0.6, }, { db: "PACKETSTORM", id: "164279", trust: 0.6, }, { db: "PACKETSTORM", id: "164346", trust: 0.6, }, { db: "CS-HELP", id: "SB2021081922", trust: 0.6, }, { db: "CS-HELP", id: "SB2021071513", trust: 0.6, }, { db: "CS-HELP", id: "SB2021072145", trust: 0.6, }, { db: "CS-HELP", id: "SB2022042257", trust: 0.6, }, { db: "CS-HELP", id: "SB2021093016", trust: 0.6, }, { db: "CS-HELP", id: "SB2021050706", trust: 0.6, }, { db: "CS-HELP", id: "SB2022030322", trust: 0.6, }, { db: "CS-HELP", id: "SB2022012740", trust: 0.6, }, { db: "CS-HELP", id: "SB2021061815", trust: 0.6, }, { db: "CS-HELP", id: "SB2022012306", trust: 0.6, }, { db: "CS-HELP", id: "SB2021071219", trust: 0.6, }, { db: "PACKETSTORM", id: "163483", trust: 0.1, }, { db: "PACKETSTORM", id: "163477", trust: 0.1, }, { db: "PACKETSTORM", id: "163485", trust: 0.1, }, { db: "PACKETSTORM", id: "163480", trust: 0.1, }, { db: "VULHUB", id: "VHN-379190", trust: 0.1, }, { db: "PACKETSTORM", id: "165287", trust: 0.1, }, { db: "PACKETSTORM", id: "165286", trust: 0.1, }, ], sources: [ { db: "VULHUB", id: "VHN-379190", }, { db: "PACKETSTORM", id: "163423", }, { db: "PACKETSTORM", id: "162839", }, { db: "PACKETSTORM", id: "165287", }, { db: "PACKETSTORM", id: "165286", }, { db: "PACKETSTORM", id: "164566", }, { db: "PACKETSTORM", id: "163922", }, { db: "PACKETSTORM", id: "163713", }, { db: "CNNVD", id: "CNNVD-202103-1685", }, { db: "NVD", id: "CVE-2021-21409", }, ], }, id: "VAR-202103-1554", iot: { "@context": { "@vocab": 
"https://www.variotdbs.pl/ref/iot#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: true, sources: [ { db: "VULHUB", id: "VHN-379190", }, ], trust: 0.01, }, last_update_date: "2024-11-22T21:05:17.036000Z", patch: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { title: "Netty Remediation measures for environmental problem vulnerabilities", trust: 0.6, url: "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=146083", }, ], sources: [ { db: "CNNVD", id: "CNNVD-202103-1685", }, ], }, problemtype_data: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { problemtype: "CWE-444", trust: 1.1, }, ], sources: [ { db: "VULHUB", id: "VHN-379190", }, { db: "NVD", id: "CVE-2021-21409", }, ], }, references: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { trust: 2.3, url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { trust: 2.3, url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { trust: 1.7, url: "https://github.com/netty/netty/security/advisories/ghsa-f256-j965-7f32", }, { trust: 1.7, url: "https://security.netapp.com/advisory/ntap-20210604-0003/", }, { trust: 1.7, url: "https://www.debian.org/security/2021/dsa-4885", }, { trust: 1.7, url: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-21295", }, { trust: 1.7, url: "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432", }, { trust: 1.7, url: "https://github.com/netty/netty/security/advisories/ghsa-wm47-8v5p-wjpj", }, { trust: 
1.7, url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { trust: 1.7, url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { trust: 1.3, url: "https://access.redhat.com/security/cve/cve-2021-21409", }, { trust: 1.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21409", }, { trust: 1, url: "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c%40%3cissues.flink.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9%40%3cnotifications.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5%40%3ccommits.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d%40%3cissues.kudu.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3ccommits.pulsar.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a%40%3cissues.flink.apache.org%3e", }, { trust: 
1, url: "https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795%40%3cnotifications.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5%40%3cissues.flink.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8%40%3ccommits.pulsar.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355%40%3ccommits.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de%40%3cdev.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed%40%3ccommits.pulsar.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e%40%3cissues.flink.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, 
url: "https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2%40%3ccommits.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898%40%3cdev.flink.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb%40%3cissues.kudu.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa%40%3cjira.kafka.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3%40%3cissues.kudu.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362%40%3cdev.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc%40%3cissues.kudu.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3cissues.flink.apache.org%3e", }, { trust: 1, url: 
"https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101%40%3ccommits.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e%40%3ccommits.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8%40%3cnotifications.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39%40%3cnotifications.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324%40%3cissues.flink.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575%40%3cdev.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183%40%3cnotifications.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4%40%3cnotifications.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35%40%3ccommits.pulsar.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d%40%3cissues.zookeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b%40%3cissues.kudu.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898@%3cdev.flink.apache.org%3e", }, { 
trust: 0.7, url: "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a@%3cissues.flink.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3cissues.flink.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324@%3cissues.flink.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e@%3cissues.flink.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c@%3cissues.flink.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5@%3cissues.flink.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa@%3cjira.kafka.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc@%3cissues.kudu.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3@%3cissues.kudu.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb@%3cissues.kudu.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b@%3cissues.kudu.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d@%3cissues.kudu.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8@%3ccommits.pulsar.apache.org%3e", }, { trust: 0.7, url: 
"https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35@%3ccommits.pulsar.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed@%3ccommits.pulsar.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3ccommits.pulsar.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e@%3ccommits.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5@%3ccommits.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355@%3ccommits.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101@%3ccommits.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2@%3ccommits.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de@%3cdev.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575@%3cdev.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362@%3cdev.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, url: 
"https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, 
url: "https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae@%3cissues.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795@%3cnotifications.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39@%3cnotifications.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9@%3cnotifications.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8@%3cnotifications.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183@%3cnotifications.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4@%3cnotifications.zookeeper.apache.org%3e", }, { trust: 0.7, url: "https://listman.redhat.com/mailman/listinfo/rhsa-announce", }, { trust: 0.7, url: "https://bugzilla.redhat.com/):", }, { trust: 0.7, url: "https://access.redhat.com/security/team/contact/", }, { trust: 0.6, url: "https://access.redhat.com/security/updates/classification/#moderate", }, { trust: 0.6, url: "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-netty-2/", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2021.2416", }, { trust: 0.6, url: 
"https://packetstormsecurity.com/files/163517/red-hat-security-advisory-2021-2755-01.html", }, { trust: 0.6, url: "https://www.cybersecurity-help.cz/vdb/sb2021072145", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2021.1571", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2022.3282", }, { trust: 0.6, url: "https://vigilance.fr/vulnerability/netty-information-disclosure-via-http2headerframe-request-smuggling-35007", }, { trust: 0.6, url: "https://www.oracle.com/security-alerts/cpujul2021.html", }, { trust: 0.6, url: "https://www.cybersecurity-help.cz/vdb/sb2022030322", }, { trust: 0.6, url: "https://www.cybersecurity-help.cz/vdb/sb2021050706", }, { trust: 0.6, url: "https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-netty-affects-ibm-spectrum-scale-transparent-cloud-tier-cve-2021-21409/", }, { trust: 0.6, url: "https://www.ibm.com/support/pages/node/6518930", }, { trust: 0.6, url: "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-have-been-identified-in-netty-shipped-with-ibm-tivoli-netcool-omnibus-transport-module-common-integration-library-cve-2021-21290-cve-2021-21295-cve-2021/", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2022.0872", }, { trust: 0.6, url: "https://www.cybersecurity-help.cz/vdb/sb2022042257", }, { trust: 0.6, url: "https://packetstormsecurity.com/files/164346/red-hat-security-advisory-2021-3700-01.html", }, { trust: 0.6, url: "https://packetstormsecurity.com/files/163713/red-hat-security-advisory-2021-2965-01.html", }, { trust: 0.6, url: "https://www.cybersecurity-help.cz/vdb/sb2021093016", }, { trust: 0.6, url: "https://www.ibm.com/blogs/psirt/security-bulletin-netty-vulnerability-affects-ibm-watson-machine-learning-on-cp4d-cve-2021-21409/", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2021.2357", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2021.4253", }, { trust: 0.6, url: 
"https://www.cybersecurity-help.cz/vdb/sb2022012306", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2021.1144", }, { trust: 0.6, url: "https://www.cybersecurity-help.cz/vdb/sb2021071513", }, { trust: 0.6, url: "https://packetstormsecurity.com/files/164566/red-hat-security-advisory-2021-3880-01.html", }, { trust: 0.6, url: "https://www.cybersecurity-help.cz/vdb/sb2022012740", }, { trust: 0.6, url: "https://packetstormsecurity.com/files/163489/red-hat-security-advisory-2021-2694-01.html", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2021.3208", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2021.1821", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2021.2363", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2021.3495", }, { trust: 0.6, url: "https://packetstormsecurity.com/files/167709/red-hat-security-advisory-2022-5498-01.html", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2021.2323", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2021.3256", }, { trust: 0.6, url: "https://packetstormsecurity.com/files/163922/red-hat-security-advisory-2021-3225-01.html", }, { trust: 0.6, url: "https://packetstormsecurity.com/files/164279/red-hat-security-advisory-2021-3660-01.html", }, { trust: 0.6, url: "https://packetstormsecurity.com/files/163423/red-hat-security-advisory-2021-2465-01.html", }, { trust: 0.6, url: "https://www.cybersecurity-help.cz/vdb/sb2021081922", }, { trust: 0.6, url: "https://www.cybersecurity-help.cz/vdb/sb2021061815", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2021.4229", }, { trust: 0.6, url: "https://www.ibm.com/support/pages/node/6528214", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2021.2572", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2021.2896", }, { trust: 0.6, url: "https://www.cybersecurity-help.cz/vdb/sb2021071219", }, { trust: 0.6, url: 
"https://packetstormsecurity.com/files/162839/red-hat-security-advisory-2021-2139-01.html", }, { trust: 0.6, url: "https://packetstormsecurity.com/files/162490/red-hat-security-advisory-2021-1511-01.html", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2022.0887", }, { trust: 0.3, url: "https://access.redhat.com/security/cve/cve-2021-21290", }, { trust: 0.3, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21290", }, { trust: 0.3, url: "https://access.redhat.com/security/cve/cve-2021-21295", }, { trust: 0.3, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21295", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2021-29425", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-29425", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2020-16135", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-3200", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2018-25013", }, { trust: 0.2, url: "https://access.redhat.com/security/vulnerabilities/rhsb-2021-009", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2018-25012", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2020-35522", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2019-5827", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2020-35524", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2018-25013", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2018-25009", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-27645", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-33574", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2020-13435", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2019-5827", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2020-24370", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-43527", }, { trust: 0.2, 
url: "https://access.redhat.com/security/cve/cve-2020-14145", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2019-13751", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2018-25014", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2019-19603", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2020-14145", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2018-25012", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2020-35521", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-35942", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2019-17594", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2020-35524", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2020-24370", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-3572", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2020-12762", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-36086", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2020-35522", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2019-13750", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2019-13751", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-22898", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2020-12762", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2020-16135", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-36084", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-37136", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-44228", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2019-17594", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2020-17541", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-3800", }, { trust: 
0.2, url: "https://access.redhat.com/security/cve/cve-2021-36087", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2020-36331", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-3712", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-31535", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2020-35523", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-3445", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2020-13435", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2019-19603", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-22925", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2020-36330", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2019-18218", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-20232", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-20266", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2019-20838", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-22876", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-20231", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2020-36332", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2020-14155", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2018-25010", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2019-20838", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2020-17541", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2018-25014", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-36085", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-37137", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-33560", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2019-17595", }, { 
trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-3481", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-42574", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2020-14155", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2018-25009", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2018-25010", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2020-35523", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-28153", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2019-13750", }, { trust: 0.2, url: "https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-3426", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2019-18218", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2021-3580", }, { trust: 0.2, url: "https://issues.jboss.org/):", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2019-17595", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2020-36330", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2020-35521", }, { trust: 0.1, url: "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product=catrhoar.eclipse.vertx&version=4.1.0", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2021:2465", }, { trust: 0.1, url: "https://access.redhat.com/documentation/en-us/red_hat_build_of_eclipse_vert.x/4.1/html/release_notes_for_eclipse_vert.x_4.1/index", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-21350", }, { trust: 0.1, url: "https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.2/html/upgrading_data_grid/", }, { trust: 0.1, url: "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product\\xdata.grid&version=8.2", }, { trust: 
0.1, url: "https://access.redhat.com/security/cve/cve-2021-21341", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-26258", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-21347", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-21349", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21341", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21342", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21351", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-21345", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-26259", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-21342", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-21344", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-26258", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21348", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-31917", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-10771", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-31917", }, { trust: 0.1, url: "https://access.redhat.com/security/updates/classification/#critical", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-10771", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-21348", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21344", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21349", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2021:2139", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-21346", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21347", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21345", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-21343", }, { trust: 0.1, url: 
"https://nvd.nist.gov/vuln/detail/cve-2021-21343", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21350", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-21346", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-21351", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-26259", }, { trust: 0.1, url: "https://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-20317", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-43267", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-36331", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2021:5127", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2018-20673", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-3778", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-23841", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2021:5128", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2018-20673", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-23840", }, { trust: 0.1, url: "https://docs.openshift.com/container-platform/4.8/logging/cluster-logging-upgrading.html", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-3796", }, { trust: 0.1, url: "https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.2/", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-20289", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-26291", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-26291", }, { trust: 0.1, url: "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=redhat.quarkus&downloadtype=distributions&version=2.2.3", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-28491", }, { trust: 
0.1, url: "https://access.redhat.com/errata/rhsa-2021:3880", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-3642", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-3642", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-28491", }, { trust: 0.1, url: "https://access.redhat.com/articles/4966181", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-20289", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-27568", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-28168", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-34428", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2017-18640", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-28164", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2021:3225", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-28163", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-28165", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-28169", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2017-18640", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-28164", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-34428", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-27568", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-28168", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-28169", }, { trust: 0.1, url: "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product=jboss.amq.streams&version=1.8.0", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-28163", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-28165", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-3536", }, { trust: 0.1, url: 
"https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.4/", }, { trust: 0.1, url: "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=core.service.rhsso&downloadtype=securitypatches&version=7.4", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2021:2965", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-3536", }, ], sources: [ { db: "VULHUB", id: "VHN-379190", }, { db: "PACKETSTORM", id: "163423", }, { db: "PACKETSTORM", id: "162839", }, { db: "PACKETSTORM", id: "165287", }, { db: "PACKETSTORM", id: "165286", }, { db: "PACKETSTORM", id: "164566", }, { db: "PACKETSTORM", id: "163922", }, { db: "PACKETSTORM", id: "163713", }, { db: "CNNVD", id: "CNNVD-202103-1685", }, { db: "NVD", id: "CVE-2021-21409", }, ], }, sources: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", data: { "@container": "@list", }, }, data: [ { db: "VULHUB", id: "VHN-379190", }, { db: "PACKETSTORM", id: "163423", }, { db: "PACKETSTORM", id: "162839", }, { db: "PACKETSTORM", id: "165287", }, { db: "PACKETSTORM", id: "165286", }, { db: "PACKETSTORM", id: "164566", }, { db: "PACKETSTORM", id: "163922", }, { db: "PACKETSTORM", id: "163713", }, { db: "CNNVD", id: "CNNVD-202103-1685", }, { db: "NVD", id: "CVE-2021-21409", }, ], }, sources_release_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", data: { "@container": "@list", }, }, data: [ { date: "2021-03-30T00:00:00", db: "VULHUB", id: "VHN-379190", }, { date: "2021-07-07T16:04:35", db: "PACKETSTORM", id: "163423", }, { date: "2021-05-27T13:30:24", db: "PACKETSTORM", id: "162839", }, { date: "2021-12-15T15:20:43", db: "PACKETSTORM", id: "165287", }, { date: "2021-12-15T15:20:33", db: "PACKETSTORM", id: "165286", }, { date: "2021-10-20T15:48:42", db: "PACKETSTORM", id: "164566", }, { date: "2021-08-31T15:08:05", db: "PACKETSTORM", id: "163922", }, { date: "2021-07-30T14:23:26", db: "PACKETSTORM", id: "163713", }, { date: 
"2021-03-30T00:00:00", db: "CNNVD", id: "CNNVD-202103-1685", }, { date: "2021-03-30T15:15:14.573000", db: "NVD", id: "CVE-2021-21409", }, ], }, sources_update_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", data: { "@container": "@list", }, }, data: [ { date: "2022-05-12T00:00:00", db: "VULHUB", id: "VHN-379190", }, { date: "2022-07-07T00:00:00", db: "CNNVD", id: "CNNVD-202103-1685", }, { date: "2023-11-07T03:30:00.920000", db: "NVD", id: "CVE-2021-21409", }, ], }, threat_type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "remote", sources: [ { db: "CNNVD", id: "CNNVD-202103-1685", }, ], trust: 0.6, }, title: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Netty Environmental problem loophole", sources: [ { db: "CNNVD", id: "CNNVD-202103-1685", }, ], trust: 0.6, }, type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "environmental issue", sources: [ { db: "CNNVD", id: "CNNVD-202103-1685", }, ], trust: 0.6, }, }
var-202110-1705
Vulnerability from variot
The Snappy frame decoder (SnappyFrameDecoder) does not restrict the chunk length, which may lead to excessive memory usage. Besides this, it may also buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very large size (via a network stream or a file) or by sending a huge skippable chunk. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 7.4.5 security update on RHEL 7
Advisory ID: RHSA-2022:4918-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2022:4918
Issue date: 2022-06-06
CVE Names: CVE-2020-36518 CVE-2021-37136 CVE-2021-37137 CVE-2021-42392 CVE-2021-43797 CVE-2022-0084 CVE-2022-0853 CVE-2022-0866 CVE-2022-1319 CVE-2022-21299 CVE-2022-21363 CVE-2022-23221 CVE-2022-23437 CVE-2022-23913 CVE-2022-24785
====================================================================

1. Summary:
A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat JBoss EAP 7.4 for RHEL 7 Server - noarch, x86_64
- Description:
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.
This release of Red Hat JBoss Enterprise Application Platform 7.4.5 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.4 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.5 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
-
h2: Loading of custom classes from remote servers through JNDI (CVE-2022-23221)
-
jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)
-
netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data (CVE-2021-37136)
-
netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)
-
h2: Remote Code Execution in Console (CVE-2021-42392)
-
netty: control chars in header names may lead to HTTP request smuggling (CVE-2021-43797)
-
xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr (CVE-2022-0084)
-
wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled (CVE-2022-0866)
-
undertow: Double AJP response for 400 from EAP 7 results in CPING failures (CVE-2022-1319)
-
OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646) (CVE-2022-21299)
-
mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors (CVE-2022-21363)
-
xerces-j2: infinite loop when handling specially crafted XML document payloads (CVE-2022-23437)
-
artemis-commons: Apache ActiveMQ Artemis DoS (CVE-2022-23913)
-
Moment.js: Path traversal in moment.locale (CVE-2022-24785)
-
jboss-client: memory leakage in remote client transaction (CVE-2022-0853)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
- Solution:
Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way
2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling
2039403 - CVE-2021-42392 h2: Remote Code Execution in Console
2041472 - CVE-2022-21299 OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646)
2044596 - CVE-2022-23221 h2: Loading of custom classes from remote servers through JNDI
2047200 - CVE-2022-23437 xerces-j2: infinite loop when handling specially crafted XML document payloads
2047343 - CVE-2022-21363 mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors
2060725 - CVE-2022-0853 jboss-client: memory leakage in remote client transaction
2060929 - CVE-2022-0866 wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled
2063601 - CVE-2022-23913 artemis-commons: Apache ActiveMQ Artemis DoS
2064226 - CVE-2022-0084 xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr
2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects
2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale
2073890 - CVE-2022-1319 undertow: Double AJP response for 400 from EAP 7 results in CPING failures
- JIRA issues fixed (https://issues.jboss.org/):
JBEAP-23120 - Tracker bug for the EAP 7.4.5 release for RHEL-7
JBEAP-23171 - (7.4.z) Upgrade HAL from 3.3.9.Final-redhat-00001 to 3.3.12.Final-redhat-00001
JBEAP-23194 - Upgrade hibernate-validator from 6.0.22.Final-redhat-00002 to 6.0.23-redhat-00001
JBEAP-23241 - GSS Upgrade jberet from 1.3.9 to 1.3.9.SP1
JBEAP-23299 - (7.4.z) Upgrade Artemis from 2.16.0.redhat-00034 to 2.16.0.redhat-00042
JBEAP-23300 - GSS Upgrade JBoss Remoting from 5.0.23.SP1 to 5.0.24.SP1
JBEAP-23312 - (7.4.z) Upgrade WildFly Core from 15.0.8.Final-redhat-00001 to 15.0.12.Final-redhat-00001
JBEAP-23313 - (7.4.z) Upgrade Elytron from 1.15.11.Final-redhat-00002 to 1.15.12.Final-redhat-00001
JBEAP-23336 - (7.4.z) Upgrade Hibernate ORM from 5.3.25.Final-redhat-00002 to 5.3.26.Final-redhat-00002
JBEAP-23338 - GSS Upgrade Undertow from 2.2.16 to 2.2.17.SP3
JBEAP-23339 - GSS Upgrade wildfly-http-ejb-client from 1.1.10 to 1.1.11.SP1
JBEAP-23351 - (7.4.z) Upgrade org.apache.logging.log4j from 2.17.1.redhat-00001 to 2.17.1.redhat-00002
JBEAP-23353 - (7.4.z) Upgrade wildfly-transaction-client from 1.1.14.Final-redhat-00001 to 1.1.15.Final-redhat-x
JBEAP-23429 - PM JDK17 Update Tested Configurations page and make note in Update release notes
JBEAP-23432 - GSS Upgrade JSF API from 3.0.0.SP04 to 3.0.0.SP05
JBEAP-23451 - [PST] (7.4.z) Upgrade to FasterXML Jackson to 2.12.6.redhat-00001 and Jackson Databind to 2.12.6.1.redhat-00003
JBEAP-23531 - GSS Upgrade Undertow from 2.2.17.SP3 to 2.2.17.SP4
JBEAP-23532 - (7.4.z) Upgrade WildFly Core from 15.0.12.Final-redhat-00001 to 15.0.13.Final-redhat-00001
- Package List:
Red Hat JBoss EAP 7.4 for RHEL 7 Server:
Source:
eap7-activemq-artemis-2.16.0-9.redhat_00042.1.el7eap.src.rpm
eap7-h2database-1.4.197-2.redhat_00004.1.el7eap.src.rpm
eap7-hal-console-3.3.12-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-hibernate-5.3.26-1.Final_redhat_00002.2.el7eap.src.rpm
eap7-hibernate-validator-6.0.23-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-jackson-annotations-2.12.6-1.redhat_00001.1.el7eap.src.rpm
eap7-jackson-core-2.12.6-1.redhat_00001.1.el7eap.src.rpm
eap7-jackson-databind-2.12.6.1-1.redhat_00003.1.el7eap.src.rpm
eap7-jackson-jaxrs-providers-2.12.6-1.redhat_00001.1.el7eap.src.rpm
eap7-jackson-modules-base-2.12.6-1.redhat_00001.1.el7eap.src.rpm
eap7-jackson-modules-java8-2.12.6-1.redhat_00001.1.el7eap.src.rpm
eap7-jberet-1.3.9-1.SP1_redhat_00001.1.el7eap.src.rpm
eap7-jboss-jsf-api_2.3_spec-3.0.0-4.SP05_redhat_00002.1.el7eap.src.rpm
eap7-jboss-remoting-5.0.24-1.SP1_redhat_00001.1.el7eap.src.rpm
eap7-jboss-server-migration-1.10.0-16.Final_redhat_00015.1.el7eap.src.rpm
eap7-jboss-xnio-base-3.8.7-1.SP1_redhat_00001.1.el7eap.src.rpm
eap7-log4j-2.17.1-2.redhat_00002.1.el7eap.src.rpm
eap7-netty-4.1.72-4.Final_redhat_00001.1.el7eap.src.rpm
eap7-netty-tcnative-2.0.48-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-netty-transport-native-epoll-4.1.72-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-snakeyaml-1.29.0-1.redhat_00001.2.el7eap.src.rpm
eap7-undertow-2.2.17-2.SP4_redhat_00001.1.el7eap.src.rpm
eap7-wildfly-7.4.5-3.GA_redhat_00001.1.el7eap.src.rpm
eap7-wildfly-elytron-1.15.12-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-wildfly-http-client-1.1.11-1.SP1_redhat_00001.1.el7eap.src.rpm
eap7-wildfly-transaction-client-1.1.15-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-xerces-j2-2.12.0-3.SP04_redhat_00001.1.el7eap.src.rpm
noarch: eap7-activemq-artemis-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-cli-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-commons-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-core-client-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-dto-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-hornetq-protocol-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-hqclient-protocol-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-jdbc-store-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-jms-client-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-jms-server-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-journal-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-ra-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-selector-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-server-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-service-extensions-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-activemq-artemis-tools-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm eap7-h2database-1.4.197-2.redhat_00004.1.el7eap.noarch.rpm eap7-hal-console-3.3.12-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-hibernate-5.3.26-1.Final_redhat_00002.2.el7eap.noarch.rpm eap7-hibernate-core-5.3.26-1.Final_redhat_00002.2.el7eap.noarch.rpm eap7-hibernate-entitymanager-5.3.26-1.Final_redhat_00002.2.el7eap.noarch.rpm eap7-hibernate-envers-5.3.26-1.Final_redhat_00002.2.el7eap.noarch.rpm eap7-hibernate-java8-5.3.26-1.Final_redhat_00002.2.el7eap.noarch.rpm eap7-hibernate-validator-6.0.23-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-hibernate-validator-cdi-6.0.23-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jackson-annotations-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-core-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-databind-2.12.6.1-1.redhat_00003.1.el7eap.noarch.rpm 
eap7-jackson-datatype-jdk8-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-datatype-jsr310-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-jaxrs-base-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-jaxrs-json-provider-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-module-jaxb-annotations-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-modules-base-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-modules-java8-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm eap7-jberet-1.3.9-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-jberet-core-1.3.9-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-jsf-api_2.3_spec-3.0.0-4.SP05_redhat_00002.1.el7eap.noarch.rpm eap7-jboss-remoting-5.0.24-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-server-migration-1.10.0-16.Final_redhat_00015.1.el7eap.noarch.rpm eap7-jboss-server-migration-cli-1.10.0-16.Final_redhat_00015.1.el7eap.noarch.rpm eap7-jboss-server-migration-core-1.10.0-16.Final_redhat_00015.1.el7eap.noarch.rpm eap7-jboss-xnio-base-3.8.7-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-log4j-2.17.1-2.redhat_00002.1.el7eap.noarch.rpm eap7-netty-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-all-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-buffer-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-dns-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-haproxy-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-http-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-http2-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-memcache-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-mqtt-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-redis-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-smtp-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm 
eap7-netty-codec-socks-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-stomp-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-codec-xml-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-common-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-handler-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-handler-proxy-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-resolver-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-resolver-dns-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-resolver-dns-classes-macos-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-tcnative-2.0.48-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-classes-epoll-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-classes-kqueue-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-native-unix-common-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-rxtx-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-sctp-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-netty-transport-udt-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm eap7-snakeyaml-1.29.0-1.redhat_00001.2.el7eap.noarch.rpm eap7-undertow-2.2.17-2.SP4_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-7.4.5-3.GA_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-elytron-1.15.12-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-elytron-tool-1.15.12-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-client-common-1.1.11-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-ejb-client-1.1.11-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-naming-client-1.1.11-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-transaction-client-1.1.11-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-java-jdk11-7.4.5-3.GA_redhat_00001.1.el7eap.noarch.rpm 
eap7-wildfly-java-jdk8-7.4.5-3.GA_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-javadocs-7.4.5-3.GA_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-modules-7.4.5-3.GA_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-transaction-client-1.1.15-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-xerces-j2-2.12.0-3.SP04_redhat_00001.1.el7eap.noarch.rpm
x86_64: eap7-netty-transport-native-epoll-4.1.72-1.Final_redhat_00001.1.el7eap.x86_64.rpm eap7-netty-transport-native-epoll-debuginfo-4.1.72-1.Final_redhat_00001.1.el7eap.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2020-36518 https://access.redhat.com/security/cve/CVE-2021-37136 https://access.redhat.com/security/cve/CVE-2021-37137 https://access.redhat.com/security/cve/CVE-2021-42392 https://access.redhat.com/security/cve/CVE-2021-43797 https://access.redhat.com/security/cve/CVE-2022-0084 https://access.redhat.com/security/cve/CVE-2022-0853 https://access.redhat.com/security/cve/CVE-2022-0866 https://access.redhat.com/security/cve/CVE-2022-1319 https://access.redhat.com/security/cve/CVE-2022-21299 https://access.redhat.com/security/cve/CVE-2022-21363 https://access.redhat.com/security/cve/CVE-2022-23221 https://access.redhat.com/security/cve/CVE-2022-23437 https://access.redhat.com/security/cve/CVE-2022-23913 https://access.redhat.com/security/cve/CVE-2022-24785 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBYp5qBdzjgjWX9erEAQgudg/+KIuaXQZawyOnSNF4IIR8WYnfcW8Ojsfk 27VFNY6WCSn07IkzyDFuCLHsmUEesiJvpYssOx4CuX1YEmlF7S/KepyI6QDVC+BV hFAfaVE1gdrny1sqaS8k4VFE9rHODML1q2yyeUNgdtL4YGdOeduqOEn6Q6GS/rvh +8vCZFkFb9QKxxItc1xvxvU8kAomQun+eqr040IHuF0jAZfLI18/5vzsPqeQG+Ua qU4CG5FucVytEkJCnQ8Ci3QH3FCm/BPqotyhO3OAi1b5+db+fT+UqJpiuHYCsPcQ 8DRKizi/ia6Rq5b/OTFodA8lo6U3nDIljJ7QcuADgGzX4fak+BxQNkQMfhS4/b01 /yFU034PmQBTJpm0r5Vb4V4lBWzAi5QMDttI4wncuM3VGbxSoEEXzdzFHVzgoy1r qDGfJ1C5VnSJeLawDa6tGyndBiVga/PPgx0CoSIPsAYnjXYfJM1DsohUXppTL1k+ z8W2UIoIGqycYdCm60uJ+qbzqLlODNXmXn154OJL3O/o6Nz7O+uqVt+WfaNnwO/Y wf85wHGjzLaOALZfly/fENQr5Aijb9WqavN3tbcipj6+F4D3OLJMOSap8+TOXF3C StEX/XQpQASMmemvHJr/8c9Fx6tumJ+hLI4EyXfNdlYFJFQY4l4J0X6+mH047B3G R+RN8v8nzXQ{m6 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . JIRA issues fixed (https://issues.jboss.org/):
LOG-1897 - Applying cluster state is causing elasticsearch to hit an issue and become unusable LOG-1925 - [release-5.3] No datapoint for CPU on openshift-logging dashboard LOG-1962 - [release-5.3] CLO panic: runtime error: slice bounds out of range [:-1]
- The purpose of this text-only erratum is to inform you about the security issues fixed. Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied. Bugs fixed (https://bugzilla.redhat.com/):
2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data 2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way 2087186 - CVE-2022-24823 netty: world readable temporary file containing sensitive data 2129809 - CVE-2022-36944 scala: deserialization gadget chain 2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution 2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files 2215229 - CVE-2023-2976 guava: insecure temporary directory creation 2215393 - CVE-2023-34453 snappy-java: Integer overflow in shuffle leads to DoS 2215394 - CVE-2023-34454 snappy-java: Integer overflow in compress leads to DoS 2215445 - CVE-2023-34455 snappy-java: Unchecked chunk length leads to DoS 2215465 - CVE-2023-33201 bouncycastle: potential blind LDAP injection attack using a self-signed certificate 2216888 - CVE-2023-34462 netty: SniHandler 16MB allocation leads to OOM 2229295 - CVE-2023-3635 okio: GzipSource class improper exception handling 2236340 - CVE-2023-26048 jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() 2236341 - CVE-2023-26049 jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies
- JIRA issues fixed (https://issues.redhat.com/):
ENTMQST-5081 - [PROD] Create RHSA erratum for Streams 2.5.0
- JIRA issues fixed (https://issues.jboss.org/):
LOG-2437 - EO shouldn't grant cluster-wide permission to system:serviceaccount:openshift-monitoring:prometheus-k8s when ES cluster is deployed. [openshift-logging 5.4] LOG-2442 - Log file metric exporter not working with /var/log/pods LOG-2448 - Audit and journald logs cannot be viewed from LokiStack, when logs are forwarded with Vector as collector. Description:
AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. For further information, refer to the release notes linked to in the References section.
Security Fix(es):
-
netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data (CVE-2021-37136)
-
netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
The References section of this erratum contains a download link (you must log in to download the update). Bugs fixed (https://bugzilla.redhat.com/):
2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data 2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way
- Description:
Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", affected_products: { "@id": "https://www.variotdbs.pl/ref/affected_products", }, configurations: { "@id": "https://www.variotdbs.pl/ref/configurations", }, credits: { "@id": "https://www.variotdbs.pl/ref/credits", }, cvss: { "@id": "https://www.variotdbs.pl/ref/cvss/", }, description: { "@id": "https://www.variotdbs.pl/ref/description/", }, exploit_availability: { "@id": "https://www.variotdbs.pl/ref/exploit_availability/", }, external_ids: { "@id": "https://www.variotdbs.pl/ref/external_ids/", }, iot: { "@id": "https://www.variotdbs.pl/ref/iot/", }, iot_taxonomy: { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/", }, patch: { "@id": "https://www.variotdbs.pl/ref/patch/", }, problemtype_data: { "@id": "https://www.variotdbs.pl/ref/problemtype_data/", }, references: { "@id": "https://www.variotdbs.pl/ref/references/", }, sources: { "@id": "https://www.variotdbs.pl/ref/sources/", }, sources_release_date: { "@id": "https://www.variotdbs.pl/ref/sources_release_date/", }, sources_update_date: { "@id": "https://www.variotdbs.pl/ref/sources_update_date/", }, threat_type: { "@id": "https://www.variotdbs.pl/ref/threat_type/", }, title: { "@id": "https://www.variotdbs.pl/ref/title/", }, type: { "@id": "https://www.variotdbs.pl/ref/type/", }, }, "@id": "https://www.variotdbs.pl/vuln/VAR-202110-1705", affected_products: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { model: "banking digital experience", scope: "eq", trust: 1, vendor: "oracle", version: "18.2", }, { model: "banking digital experience", scope: "eq", trust: 1, vendor: "oracle", version: "20.1", }, { model: "banking apis", scope: "eq", trust: 1, vendor: "oracle", version: "20.1", }, { 
model: "communications diameter signaling router", scope: "lte", trust: 1, vendor: "oracle", version: "8.5.0.2", }, { model: "netty", scope: "lt", trust: 1, vendor: "netty", version: "4.1.68", }, { model: "communications diameter signaling router", scope: "gte", trust: 1, vendor: "oracle", version: "8.0.0.0", }, { model: "peoplesoft enterprise peopletools", scope: "eq", trust: 1, vendor: "oracle", version: "8.57", }, { model: "communications brm - elastic charging engine", scope: "lt", trust: 1, vendor: "oracle", version: "12.0.0.4.6", }, { model: "webcenter portal", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.1.4.0", }, { model: "commerce guided search", scope: "eq", trust: 1, vendor: "oracle", version: "11.3.2", }, { model: "linux", scope: "eq", trust: 1, vendor: "debian", version: "11.0", }, { model: "banking apis", scope: "lte", trust: 1, vendor: "oracle", version: "18.3", }, { model: "communications cloud native core binding support function", scope: "eq", trust: 1, vendor: "oracle", version: "1.10.0", }, { model: "peoplesoft enterprise peopletools", scope: "eq", trust: 1, vendor: "oracle", version: "8.58", }, { model: "banking digital experience", scope: "eq", trust: 1, vendor: "oracle", version: "18.3", }, { model: "quarkus", scope: "lt", trust: 1, vendor: "quarkus", version: "2.2.4", }, { model: "peoplesoft enterprise peopletools", scope: "eq", trust: 1, vendor: "oracle", version: "8.59", }, { model: "banking apis", scope: "eq", trust: 1, vendor: "oracle", version: "19.1", }, { model: "banking apis", scope: "gte", trust: 1, vendor: "oracle", version: "18.1", }, { model: "banking digital experience", scope: "eq", trust: 1, vendor: "oracle", version: "19.1", }, { model: "communications brm - elastic charging engine", scope: "eq", trust: 1, vendor: "oracle", version: "12.0.0.5.0", }, { model: "oncommand insight", scope: "eq", trust: 1, vendor: "netapp", version: null, }, { model: "webcenter portal", scope: "eq", trust: 1, vendor: "oracle", version: 
"12.2.1.3.0", }, { model: "linux", scope: "eq", trust: 1, vendor: "debian", version: "10.0", }, { model: "banking digital experience", scope: "eq", trust: 1, vendor: "oracle", version: "19.2", }, { model: "banking apis", scope: "eq", trust: 1, vendor: "oracle", version: "19.2", }, { model: "banking apis", scope: "eq", trust: 1, vendor: "oracle", version: "21.1", }, { model: "banking digital experience", scope: "eq", trust: 1, vendor: "oracle", version: "18.1", }, { model: "banking digital experience", scope: "eq", trust: 1, vendor: "oracle", version: "21.1", }, ], sources: [ { db: "NVD", id: "CVE-2021-37137", }, ], }, credits: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Red Hat", sources: [ { db: "PACKETSTORM", id: "167424", }, { db: "PACKETSTORM", id: "167423", }, { db: "PACKETSTORM", id: "165288", }, { db: "PACKETSTORM", id: "166408", }, { db: "PACKETSTORM", id: "174675", }, { db: "PACKETSTORM", id: "167142", }, { db: "PACKETSTORM", id: "167422", }, { db: "PACKETSTORM", id: "165105", }, { db: "PACKETSTORM", id: "165564", }, ], trust: 0.9, }, cve: "CVE-2021-37137", cvss: { "@context": { cvssV2: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2", }, cvssV3: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/", }, severity: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#", }, "@id": "https://www.variotdbs.pl/ref/cvss/severity", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { cvssV2: [ { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "nvd@nist.gov", 
availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", exploitabilityScore: 10, id: "CVE-2021-37137", impactScore: 2.9, integrityImpact: "NONE", severity: "MEDIUM", trust: 1, vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "VULHUB", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", exploitabilityScore: 10, id: "VHN-398973", impactScore: 2.9, integrityImpact: "NONE", severity: "MEDIUM", trust: 0.1, vectorString: "AV:N/AC:L/AU:N/C:N/I:N/A:P", version: "2.0", }, ], cvssV3: [ { attackComplexity: "LOW", attackVector: "NETWORK", author: "nvd@nist.gov", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", exploitabilityScore: 3.9, id: "CVE-2021-37137", impactScore: 3.6, integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", trust: 1, userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, ], severity: [ { author: "nvd@nist.gov", id: "CVE-2021-37137", trust: 1, value: "HIGH", }, { author: "VULHUB", id: "VHN-398973", trust: 0.1, value: "MEDIUM", }, ], }, ], sources: [ { db: "VULHUB", id: "VHN-398973", }, { db: "NVD", id: "CVE-2021-37137", }, ], }, description: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk. 
-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Moderate: Red Hat JBoss Enterprise Application Platform 7.4.5 security update on RHEL 7\nAdvisory ID: RHSA-2022:4918-01\nProduct: Red Hat JBoss Enterprise Application Platform\nAdvisory URL: https://access.redhat.com/errata/RHSA-2022:4918\nIssue date: 2022-06-06\nCVE Names: CVE-2020-36518 CVE-2021-37136 CVE-2021-37137\n CVE-2021-42392 CVE-2021-43797 CVE-2022-0084\n CVE-2022-0853 CVE-2022-0866 CVE-2022-1319\n CVE-2022-21299 CVE-2022-21363 CVE-2022-23221\n CVE-2022-23437 CVE-2022-23913 CVE-2022-24785\n====================================================================\n1. Summary:\n\nA security update is now available for Red Hat JBoss Enterprise Application\nPlatform 7.4 for Red Hat Enterprise Linux 7. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat JBoss EAP 7.4 for RHEL 7 Server - noarch, x86_64\n\n3. Description:\n\nRed Hat JBoss Enterprise Application Platform 7 is a platform for Java\napplications based on the WildFly application runtime. \n\nThis release of Red Hat JBoss Enterprise Application Platform 7.4.5 serves\nas a replacement for Red Hat JBoss Enterprise Application Platform 7.4.4\nand includes bug fixes and enhancements. See the Red Hat JBoss Enterprise\nApplication Platform 7.4.5 Release Notes for information about the most\nsignificant bug fixes and enhancements included in this release. 
\n\nSecurity Fix(es):\n\n* h2: Loading of custom classes from remote servers through JNDI\n(CVE-2022-23221)\n\n* jackson-databind: denial of service via a large depth of nested objects\n(CVE-2020-36518)\n\n* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for\ndecompressed data (CVE-2021-37136)\n\n* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may\nbuffer skippable chunks in an unnecessary way (CVE-2021-37137)\n\n* h2: Remote Code Execution in Console (CVE-2021-42392)\n\n* netty: control chars in header names may lead to HTTP request smuggling\n(CVE-2021-43797)\n\n* xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of\nstderr (CVE-2022-0084)\n\n* wildfly: Wildfly management of EJB Session context returns wrong caller\nprincipal with Elytron Security enabled (CVE-2022-0866)\n\n* undertow: Double AJP response for 400 from EAP 7 results in CPING\nfailures (CVE-2022-1319)\n\n* OpenJDK: Infinite loop related to incorrect handling of newlines in\nXMLEntityScanner (JAXP, 8270646) (CVE-2022-21299)\n\n* mysql-connector-java: Difficult to exploit vulnerability allows high\nprivileged attacker with network access via multiple protocols to\ncompromise MySQL Connectors (CVE-2022-21363)\n\n* xerces-j2: infinite loop when handling specially crafted XML document\npayloads (CVE-2022-23437)\n\n* artemis-commons: Apache ActiveMQ Artemis DoS (CVE-2022-23913)\n\n* Moment.js: Path traversal in moment.locale (CVE-2022-24785)\n\n* jboss-client: memory leakage in remote client transaction (CVE-2022-0853)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\n4. Solution:\n\nBefore applying this update, back up your existing Red Hat JBoss Enterprise\nApplication Platform installation and deployed applications. 
\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data\n2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way\n2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling\n2039403 - CVE-2021-42392 h2: Remote Code Execution in Console\n2041472 - CVE-2022-21299 OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646)\n2044596 - CVE-2022-23221 h2: Loading of custom classes from remote servers through JNDI\n2047200 - CVE-2022-23437 xerces-j2: infinite loop when handling specially crafted XML document payloads\n2047343 - CVE-2022-21363 mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors\n2060725 - CVE-2022-0853 jboss-client: memory leakage in remote client transaction\n2060929 - CVE-2022-0866 wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled\n2063601 - CVE-2022-23913 artemis-commons: Apache ActiveMQ Artemis DoS\n2064226 - CVE-2022-0084 xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr\n2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects\n2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale\n2073890 - CVE-2022-1319 undertow: Double AJP response for 400 from EAP 7 results in CPING failures\n\n6. 
JIRA issues fixed (https://issues.jboss.org/):\n\nJBEAP-23120 - Tracker bug for the EAP 7.4.5 release for RHEL-7\nJBEAP-23171 - (7.4.z) Upgrade HAL from 3.3.9.Final-redhat-00001 to 3.3.12.Final-redhat-00001\nJBEAP-23194 - Upgrade hibernate-validator from 6.0.22.Final-redhat-00002 to 6.0.23-redhat-00001\nJBEAP-23241 - [GSS](7.4.z) Upgrade jberet from 1.3.9 to 1.3.9.SP1\nJBEAP-23299 - (7.4.z) Upgrade Artemis from 2.16.0.redhat-00034 to 2.16.0.redhat-00042\nJBEAP-23300 - [GSS](7.4.z) Upgrade JBoss Remoting from 5.0.23.SP1 to 5.0.24.SP1\nJBEAP-23312 - (7.4.z) Upgrade WildFly Core from 15.0.8.Final-redhat-00001 to 15.0.12.Final-redhat-00001\nJBEAP-23313 - (7.4.z) Upgrade Elytron from 1.15.11.Final-redhat-00002 to 1.15.12.Final-redhat-00001\nJBEAP-23336 - (7.4.z) Upgrade Hibernate ORM from 5.3.25.Final-redhat-00002 to 5.3.26.Final-redhat-00002\nJBEAP-23338 - [GSS](7.4.z) Upgrade Undertow from 2.2.16 to 2.2.17.SP3\nJBEAP-23339 - [GSS](7.4.z) Upgrade wildfly-http-ejb-client from 1.1.10 to 1.1.11.SP1\nJBEAP-23351 - (7.4.z) Upgrade org.apache.logging.log4j from 2.17.1.redhat-00001 to 2.17.1.redhat-00002\nJBEAP-23353 - (7.4.z) Upgrade wildfly-transaction-client from 1.1.14.Final-redhat-00001 to 1.1.15.Final-redhat-x\nJBEAP-23429 - [PM](7.4.z) JDK17 Update Tested Configurations page and make note in Update release notes\nJBEAP-23432 - [GSS](7.4.z) Upgrade JSF API from 3.0.0.SP04 to 3.0.0.SP05\nJBEAP-23451 - [PST] (7.4.z) Upgrade to FasterXML Jackson to 2.12.6.redhat-00001 and Jackson Databind to 2.12.6.1.redhat-00003\nJBEAP-23531 - [GSS](7.4.z) Upgrade Undertow from 2.2.17.SP3 to 2.2.17.SP4\nJBEAP-23532 - (7.4.z) Upgrade WildFly Core from 15.0.12.Final-redhat-00001 to 15.0.13.Final-redhat-00001\n\n7. 
Package List:\n\nRed Hat JBoss EAP 7.4 for RHEL 7 Server:\n\nSource:\neap7-activemq-artemis-2.16.0-9.redhat_00042.1.el7eap.src.rpm\neap7-h2database-1.4.197-2.redhat_00004.1.el7eap.src.rpm\neap7-hal-console-3.3.12-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-hibernate-5.3.26-1.Final_redhat_00002.2.el7eap.src.rpm\neap7-hibernate-validator-6.0.23-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-jackson-annotations-2.12.6-1.redhat_00001.1.el7eap.src.rpm\neap7-jackson-core-2.12.6-1.redhat_00001.1.el7eap.src.rpm\neap7-jackson-databind-2.12.6.1-1.redhat_00003.1.el7eap.src.rpm\neap7-jackson-jaxrs-providers-2.12.6-1.redhat_00001.1.el7eap.src.rpm\neap7-jackson-modules-base-2.12.6-1.redhat_00001.1.el7eap.src.rpm\neap7-jackson-modules-java8-2.12.6-1.redhat_00001.1.el7eap.src.rpm\neap7-jberet-1.3.9-1.SP1_redhat_00001.1.el7eap.src.rpm\neap7-jboss-jsf-api_2.3_spec-3.0.0-4.SP05_redhat_00002.1.el7eap.src.rpm\neap7-jboss-remoting-5.0.24-1.SP1_redhat_00001.1.el7eap.src.rpm\neap7-jboss-server-migration-1.10.0-16.Final_redhat_00015.1.el7eap.src.rpm\neap7-jboss-xnio-base-3.8.7-1.SP1_redhat_00001.1.el7eap.src.rpm\neap7-log4j-2.17.1-2.redhat_00002.1.el7eap.src.rpm\neap7-netty-4.1.72-4.Final_redhat_00001.1.el7eap.src.rpm\neap7-netty-tcnative-2.0.48-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-netty-transport-native-epoll-4.1.72-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-snakeyaml-1.29.0-1.redhat_00001.2.el7eap.src.rpm\neap7-undertow-2.2.17-2.SP4_redhat_00001.1.el7eap.src.rpm\neap7-wildfly-7.4.5-3.GA_redhat_00001.1.el7eap.src.rpm\neap7-wildfly-elytron-1.15.12-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-wildfly-http-client-1.1.11-1.SP1_redhat_00001.1.el7eap.src.rpm\neap7-wildfly-transaction-client-1.1.15-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-xerces-j2-2.12.0-3.SP04_redhat_00001.1.el7eap.src.rpm\n\nnoarch:\neap7-activemq-artemis-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm\neap7-activemq-artemis-cli-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm\neap7-activemq-artemis-commons-2.16.0-9.redhat_00042.1.e
l7eap.noarch.rpm\neap7-activemq-artemis-core-client-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm\neap7-activemq-artemis-dto-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm\neap7-activemq-artemis-hornetq-protocol-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm\neap7-activemq-artemis-hqclient-protocol-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm\neap7-activemq-artemis-jdbc-store-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm\neap7-activemq-artemis-jms-client-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm\neap7-activemq-artemis-jms-server-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm\neap7-activemq-artemis-journal-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm\neap7-activemq-artemis-ra-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm\neap7-activemq-artemis-selector-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm\neap7-activemq-artemis-server-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm\neap7-activemq-artemis-service-extensions-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm\neap7-activemq-artemis-tools-2.16.0-9.redhat_00042.1.el7eap.noarch.rpm\neap7-h2database-1.4.197-2.redhat_00004.1.el7eap.noarch.rpm\neap7-hal-console-3.3.12-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-hibernate-5.3.26-1.Final_redhat_00002.2.el7eap.noarch.rpm\neap7-hibernate-core-5.3.26-1.Final_redhat_00002.2.el7eap.noarch.rpm\neap7-hibernate-entitymanager-5.3.26-1.Final_redhat_00002.2.el7eap.noarch.rpm\neap7-hibernate-envers-5.3.26-1.Final_redhat_00002.2.el7eap.noarch.rpm\neap7-hibernate-java8-5.3.26-1.Final_redhat_00002.2.el7eap.noarch.rpm\neap7-hibernate-validator-6.0.23-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-hibernate-validator-cdi-6.0.23-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-jackson-annotations-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm\neap7-jackson-core-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm\neap7-jackson-databind-2.12.6.1-1.redhat_00003.1.el7eap.noarch.rpm\neap7-jackson-datatype-jdk8-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm\neap7-jackson-datatype-jsr310-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm\neap7-jackson-jaxrs-base-2.12.6-1.
redhat_00001.1.el7eap.noarch.rpm\neap7-jackson-jaxrs-json-provider-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm\neap7-jackson-module-jaxb-annotations-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm\neap7-jackson-modules-base-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm\neap7-jackson-modules-java8-2.12.6-1.redhat_00001.1.el7eap.noarch.rpm\neap7-jberet-1.3.9-1.SP1_redhat_00001.1.el7eap.noarch.rpm\neap7-jberet-core-1.3.9-1.SP1_redhat_00001.1.el7eap.noarch.rpm\neap7-jboss-jsf-api_2.3_spec-3.0.0-4.SP05_redhat_00002.1.el7eap.noarch.rpm\neap7-jboss-remoting-5.0.24-1.SP1_redhat_00001.1.el7eap.noarch.rpm\neap7-jboss-server-migration-1.10.0-16.Final_redhat_00015.1.el7eap.noarch.rpm\neap7-jboss-server-migration-cli-1.10.0-16.Final_redhat_00015.1.el7eap.noarch.rpm\neap7-jboss-server-migration-core-1.10.0-16.Final_redhat_00015.1.el7eap.noarch.rpm\neap7-jboss-xnio-base-3.8.7-1.SP1_redhat_00001.1.el7eap.noarch.rpm\neap7-log4j-2.17.1-2.redhat_00002.1.el7eap.noarch.rpm\neap7-netty-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-all-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-buffer-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-dns-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-haproxy-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-http-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-http2-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-memcache-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-mqtt-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-redis-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-smtp-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-socks-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-stomp-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-codec-xml-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rp
m\neap7-netty-common-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-handler-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-handler-proxy-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-resolver-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-resolver-dns-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-resolver-dns-classes-macos-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-tcnative-2.0.48-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-transport-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-transport-classes-epoll-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-transport-classes-kqueue-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-transport-native-unix-common-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-transport-rxtx-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-transport-sctp-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-netty-transport-udt-4.1.72-4.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-snakeyaml-1.29.0-1.redhat_00001.2.el7eap.noarch.rpm\neap7-undertow-2.2.17-2.SP4_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-7.4.5-3.GA_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-elytron-1.15.12-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-elytron-tool-1.15.12-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-http-client-common-1.1.11-1.SP1_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-http-ejb-client-1.1.11-1.SP1_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-http-naming-client-1.1.11-1.SP1_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-http-transaction-client-1.1.11-1.SP1_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-java-jdk11-7.4.5-3.GA_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-java-jdk8-7.4.5-3.GA_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-javadocs-7.4.5-3.GA_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-modules-7.4.5-3.GA_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-transaction-c
lient-1.1.15-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-xerces-j2-2.12.0-3.SP04_redhat_00001.1.el7eap.noarch.rpm\n\nx86_64:\neap7-netty-transport-native-epoll-4.1.72-1.Final_redhat_00001.1.el7eap.x86_64.rpm\neap7-netty-transport-native-epoll-debuginfo-4.1.72-1.Final_redhat_00001.1.el7eap.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n8. References:\n\nhttps://access.redhat.com/security/cve/CVE-2020-36518\nhttps://access.redhat.com/security/cve/CVE-2021-37136\nhttps://access.redhat.com/security/cve/CVE-2021-37137\nhttps://access.redhat.com/security/cve/CVE-2021-42392\nhttps://access.redhat.com/security/cve/CVE-2021-43797\nhttps://access.redhat.com/security/cve/CVE-2022-0084\nhttps://access.redhat.com/security/cve/CVE-2022-0853\nhttps://access.redhat.com/security/cve/CVE-2022-0866\nhttps://access.redhat.com/security/cve/CVE-2022-1319\nhttps://access.redhat.com/security/cve/CVE-2022-21299\nhttps://access.redhat.com/security/cve/CVE-2022-21363\nhttps://access.redhat.com/security/cve/CVE-2022-23221\nhttps://access.redhat.com/security/cve/CVE-2022-23437\nhttps://access.redhat.com/security/cve/CVE-2022-23913\nhttps://access.redhat.com/security/cve/CVE-2022-24785\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/\nhttps://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/\n\n9. Contact:\n\nThe Red Hat security contact is <secalert@redhat.com>. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2022 Red Hat, Inc. 
\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBYp5qBdzjgjWX9erEAQgudg/+KIuaXQZawyOnSNF4IIR8WYnfcW8Ojsfk\n27VFNY6WCSn07IkzyDFuCLHsmUEesiJvpYssOx4CuX1YEmlF7S/KepyI6QDVC+BV\nhFAfaVE1gdrny1sqaS8k4VFE9rHODML1q2yyeUNgdtL4YGdOeduqOEn6Q6GS/rvh\n+8vCZFkFb9QKxxItc1xvxvU8kAomQun+eqr040IHuF0jAZfLI18/5vzsPqeQG+Ua\nqU4CG5FucVytEkJCnQ8Ci3QH3FCm/BPqotyhO3OAi1b5+db+fT+UqJpiuHYCsPcQ\n8DRKizi/ia6Rq5b/OTFodA8lo6U3nDIljJ7QcuADgGzX4fak+BxQNkQMfhS4/b01\n/yFU034PmQBTJpm0r5Vb4V4lBWzAi5QMDttI4wncuM3VGbxSoEEXzdzFHVzgoy1r\nqDGfJ1C5VnSJeLawDa6tGyndBiVga/PPgx0CoSIPsAYnjXYfJM1DsohUXppTL1k+\nz8W2UIoIGqycYdCm60uJ+qbzqLlODNXmXn154OJL3O/o6Nz7O+uqVt+WfaNnwO/Y\nwf85wHGjzLaOALZfly/fENQr5Aijb9WqavN3tbcipj6+F4D3OLJMOSap8+TOXF3C\nStEX/XQpQASMmemvHJr/8c9Fx6tumJ+hLI4EyXfNdlYFJFQY4l4J0X6+mH047B3G\nR+RN8v8nzXQ{m6\n-----END PGP SIGNATURE-----\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n. JIRA issues fixed (https://issues.jboss.org/):\n\nLOG-1897 - Applying cluster state is causing elasticsearch to hit an issue and become unusable\nLOG-1925 - [release-5.3] No datapoint for CPU on openshift-logging dashboard\nLOG-1962 - [release-5.3] CLO panic: runtime error: slice bounds out of range [:-1]\n\n6. The purpose of this text-only errata is to inform you\nabout the security issues fixed. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. 
Bugs fixed (https://bugzilla.redhat.com/):\n\n2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data\n2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way\n2087186 - CVE-2022-24823 netty: world readable temporary file containing sensitive data\n2129809 - CVE-2022-36944 scala: deserialization gadget chain\n2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution\n2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files\n2215229 - CVE-2023-2976 guava: insecure temporary directory creation\n2215393 - CVE-2023-34453 snappy-java: Integer overflow in shuffle leads to DoS\n2215394 - CVE-2023-34454 snappy-java: Integer overflow in compress leads to DoS\n2215445 - CVE-2023-34455 snappy-java: Unchecked chunk length leads to DoS\n2215465 - CVE-2023-33201 bouncycastle: potential blind LDAP injection attack using a self-signed certificate\n2216888 - CVE-2023-34462 netty: SniHandler 16MB allocation leads to OOM\n2229295 - CVE-2023-3635 okio: GzipSource class improper exception handling\n2236340 - CVE-2023-26048 jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter()\n2236341 - CVE-2023-26049 jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies\n\n5. JIRA issues fixed (https://issues.redhat.com/):\n\nENTMQST-5081 - [PROD] Create RHSA erratum for Streams 2.5.0\n\n6. JIRA issues fixed (https://issues.jboss.org/):\n\nLOG-2437 - EO shouldn't grant cluster-wide permission to system:serviceaccount:openshift-monitoring:prometheus-k8s when ES cluster is deployed. [openshift-logging 5.4]\nLOG-2442 - Log file metric exporter not working with /var/log/pods\nLOG-2448 - Audit and journald logs cannot be viewed from LokiStack, when logs are forwarded with Vector as collector. 
Description:\n\nAMQ Broker is a high-performance messaging implementation based on ActiveMQ\nArtemis. It uses an asynchronous journal for fast message persistence, and\nsupports multiple languages, protocols, and platforms. For further information, refer to the release notes linked to\nin the References section. \n\nSecurity Fix(es):\n\n* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for\ndecompressed data (CVE-2021-37136)\n\n* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may\nbuffer skippable chunks in an unnecessary way (CVE-2021-37137)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). Bugs fixed (https://bugzilla.redhat.com/):\n\n2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data\n2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way\n\n5. 
Description:\n\nRed Hat AMQ Streams, based on the Apache Kafka project, offers a\ndistributed backbone that allows microservices and other applications to\nshare data with extremely high throughput and extremely low latency", sources: [ { db: "NVD", id: "CVE-2021-37137", }, { db: "VULHUB", id: "VHN-398973", }, { db: "PACKETSTORM", id: "167424", }, { db: "PACKETSTORM", id: "167423", }, { db: "PACKETSTORM", id: "165288", }, { db: "PACKETSTORM", id: "166408", }, { db: "PACKETSTORM", id: "174675", }, { db: "PACKETSTORM", id: "167142", }, { db: "PACKETSTORM", id: "167422", }, { db: "PACKETSTORM", id: "165105", }, { db: "PACKETSTORM", id: "165564", }, ], trust: 1.8, }, exploit_availability: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { reference: "https://www.scap.org.cn/vuln/vhn-398973", trust: 0.1, type: "unknown", }, ], sources: [ { db: "VULHUB", id: "VHN-398973", }, ], }, external_ids: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { db: "NVD", id: "CVE-2021-37137", trust: 2, }, { db: "PACKETSTORM", id: "166408", trust: 0.2, }, { db: "PACKETSTORM", id: "167142", trust: 0.2, }, { db: "PACKETSTORM", id: "167424", trust: 0.2, }, { db: "PACKETSTORM", id: "165564", trust: 0.2, }, { db: "PACKETSTORM", id: "165105", trust: 0.2, }, { db: "PACKETSTORM", id: "167423", trust: 0.2, }, { db: "PACKETSTORM", id: "167422", trust: 0.2, }, { db: "PACKETSTORM", id: "170498", trust: 0.1, }, { db: "PACKETSTORM", id: "169918", trust: 0.1, }, { db: "PACKETSTORM", id: "167122", trust: 0.1, }, { db: "PACKETSTORM", id: "164936", trust: 0.1, }, { db: "PACKETSTORM", id: "168657", trust: 0.1, }, { db: "PACKETSTORM", id: "165980", trust: 0.1, 
}, { db: "PACKETSTORM", id: "167140", trust: 0.1, }, { db: "PACKETSTORM", id: "167964", trust: 0.1, }, { db: "VULHUB", id: "VHN-398973", trust: 0.1, }, { db: "PACKETSTORM", id: "165288", trust: 0.1, }, { db: "PACKETSTORM", id: "174675", trust: 0.1, }, ], sources: [ { db: "VULHUB", id: "VHN-398973", }, { db: "PACKETSTORM", id: "167424", }, { db: "PACKETSTORM", id: "167423", }, { db: "PACKETSTORM", id: "165288", }, { db: "PACKETSTORM", id: "166408", }, { db: "PACKETSTORM", id: "174675", }, { db: "PACKETSTORM", id: "167142", }, { db: "PACKETSTORM", id: "167422", }, { db: "PACKETSTORM", id: "165105", }, { db: "PACKETSTORM", id: "165564", }, { db: "NVD", id: "CVE-2021-37137", }, ], }, id: "VAR-202110-1705", iot: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: true, sources: [ { db: "VULHUB", id: "VHN-398973", }, ], trust: 0.01, }, last_update_date: "2024-11-29T22:01:36.083000Z", problemtype_data: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { problemtype: "CWE-400", trust: 1.1, }, ], sources: [ { db: "VULHUB", id: "VHN-398973", }, { db: "NVD", id: "CVE-2021-37137", }, ], }, references: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { trust: 1.1, url: "https://security.netapp.com/advisory/ntap-20220210-0012/", }, { trust: 1.1, url: "https://www.debian.org/security/2023/dsa-5316", }, { trust: 1.1, url: "https://github.com/netty/netty/security/advisories/ghsa-9vjp-v76f-g363", }, { trust: 1.1, url: "https://www.oracle.com/security-alerts/cpuapr2022.html", }, { trust: 1.1, url: "https://www.oracle.com/security-alerts/cpujan2022.html", 
}, { trust: 1.1, url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { trust: 1.1, url: "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html", }, { trust: 1, url: "https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3ccommits.druid.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb%40%3ccommits.druid.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04%40%3ccommits.druid.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3ccommits.druid.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16%40%3ccommits.druid.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e%40%3cdev.tinkerpop.apache.org%3e", }, { trust: 0.9, url: "https://access.redhat.com/security/team/contact/", }, { trust: 0.9, url: "https://access.redhat.com/security/cve/cve-2021-37137", }, { trust: 0.9, url: "https://access.redhat.com/security/cve/cve-2021-37136", }, { trust: 0.9, url: "https://bugzilla.redhat.com/):", }, { trust: 0.9, url: "https://listman.redhat.com/mailman/listinfo/rhsa-announce", }, { trust: 0.8, url: "https://nvd.nist.gov/vuln/detail/cve-2021-37137", }, { trust: 0.8, url: "https://nvd.nist.gov/vuln/detail/cve-2021-37136", }, { trust: 0.7, url: "https://access.redhat.com/security/updates/classification/#moderate", }, { trust: 0.5, url: "https://issues.jboss.org/):", }, { trust: 0.4, url: "https://nvd.nist.gov/vuln/detail/cve-2021-43797", }, { trust: 0.4, url: "https://access.redhat.com/security/cve/cve-2021-42392", }, { trust: 0.4, url: "https://access.redhat.com/security/cve/cve-2021-43797", }, { trust: 0.4, url: 
"https://nvd.nist.gov/vuln/detail/cve-2021-42392", }, { trust: 0.3, url: "https://nvd.nist.gov/vuln/detail/cve-2022-0084", }, { trust: 0.3, url: "https://nvd.nist.gov/vuln/detail/cve-2022-23437", }, { trust: 0.3, url: "https://access.redhat.com/articles/11258", }, { trust: 0.3, url: "https://access.redhat.com/security/cve/cve-2022-0866", }, { trust: 0.3, url: "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", }, { trust: 0.3, url: "https://access.redhat.com/security/cve/cve-2022-24785", }, { trust: 0.3, url: "https://access.redhat.com/security/cve/cve-2022-0084", }, { trust: 0.3, url: "https://access.redhat.com/security/cve/cve-2022-21299", }, { trust: 0.3, url: "https://nvd.nist.gov/vuln/detail/cve-2022-21299", }, { trust: 0.3, url: "https://nvd.nist.gov/vuln/detail/cve-2022-23913", }, { trust: 0.3, url: "https://nvd.nist.gov/vuln/detail/cve-2020-36518", }, { trust: 0.3, url: "https://nvd.nist.gov/vuln/detail/cve-2022-23221", }, { trust: 0.3, url: "https://nvd.nist.gov/vuln/detail/cve-2022-24785", }, { trust: 0.3, url: "https://nvd.nist.gov/vuln/detail/cve-2022-1319", }, { trust: 0.3, url: "https://access.redhat.com/security/cve/cve-2020-36518", }, { trust: 0.3, url: "https://nvd.nist.gov/vuln/detail/cve-2022-21363", }, { trust: 0.3, url: "https://access.redhat.com/security/cve/cve-2022-1319", }, { trust: 0.3, url: "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", }, { trust: 0.3, url: "https://nvd.nist.gov/vuln/detail/cve-2022-0866", }, { trust: 0.3, url: "https://nvd.nist.gov/vuln/detail/cve-2022-0853", }, { trust: 0.3, url: "https://access.redhat.com/security/cve/cve-2022-23437", }, { trust: 0.3, url: "https://access.redhat.com/security/cve/cve-2022-23221", }, { trust: 0.3, url: "https://access.redhat.com/security/cve/cve-2022-0853", }, { trust: 0.3, url: "https://access.redhat.com/security/cve/cve-2022-23913", }, { trust: 0.3, url: 
"https://access.redhat.com/security/cve/cve-2022-21363", }, { trust: 0.2, url: "https://access.redhat.com/security/team/key/", }, { trust: 0.2, url: "https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3ccommits.druid.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3ccommits.druid.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3ccommits.druid.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3ccommits.druid.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3ccommits.druid.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3cdev.tinkerpop.apache.org%3e", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2022:4919", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2022:4918", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-16135", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-3200", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2018-25013", }, { trust: 0.1, url: "https://access.redhat.com/security/vulnerabilities/rhsb-2021-009", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2018-25012", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-35522", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2019-5827", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-35524", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2018-25013", }, { 
trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2018-25009", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-27645", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-33574", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-13435", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2019-5827", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-24370", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-43527", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2021:5129", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-14145", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2019-13751", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2018-25014", }, { trust: 0.1, url: "https://docs.openshift.com/container-platform/4.9/logging/cluster-logging-upgrading.html", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2019-19603", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-14145", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2018-25012", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-35521", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-35942", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2019-17594", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-35524", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-24370", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-3572", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-12762", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-36086", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-35522", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2019-13750", }, { trust: 0.1, url: 
"https://nvd.nist.gov/vuln/detail/cve-2019-13751", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-22898", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-12762", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-16135", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-36084", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-44228", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2019-17594", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-17541", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-3800", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-36087", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-36331", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-3712", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-31535", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-35523", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-3445", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-13435", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2019-19603", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-22925", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-36330", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2019-18218", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-20232", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-20266", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2019-20838", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-22876", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-20231", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-36332", }, { trust: 
0.1, url: "https://access.redhat.com/security/cve/cve-2020-14155", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2018-25010", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2019-20838", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-17541", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2018-25014", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-36085", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-20317", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-21409", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-33560", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-43267", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2019-17595", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-3481", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-42574", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-14155", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2018-25009", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2018-25010", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-35523", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-28153", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-36331", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2019-13750", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-3426", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2019-18218", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-3580", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2019-17595", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-36330", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-35521", }, { trust: 
0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-28170", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-28168", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-4178", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-40690", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-28170", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-2471", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-30129", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-22569", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-15522", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2022:1013", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-8908", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-26291", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-26291", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-4178", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-41269", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-15522", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-2471", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-8908", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-41269", }, { trust: 0.1, url: "https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q2", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-28168", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-22569", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-30129", }, { trust: 0.1, url: "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product=red.hat.integration&version=2022-q2", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-40690", }, { 
trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2023-34455", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2023-34455", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2023-3635", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-36944", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-1471", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2023-2976", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2023-34462", }, { trust: 0.1, url: "https://access.redhat.com/security/updates/classification/#important", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2023-2976", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2023-26048", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2023-34454", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2023:5165", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2023-0482", }, { trust: 0.1, url: "https://access.redhat.com/documentation/en-us/red_hat_amq_streams/2.5", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-24823", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2023-34454", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-1471", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-36944", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-24823", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2023-26048", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2023-34453", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2023-33201", }, { trust: 0.1, url: "https://issues.redhat.com/):", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2023-33201", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2023-26049", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2023-26049", }, { trust: 0.1, url: 
"https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product=jboss.amq.streams&version=2.5.0", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2023-34462", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2023-0482", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2023-34453", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-21426", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-21443", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-21476", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-1154", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-21496", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-1154", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-21698", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-21496", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-25636", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-25636", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-21434", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-4028", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-21443", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-21434", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-0778", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2018-25032", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2018-25032", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-4028", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-21426", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-21476", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-0778", }, { trust: 0.1, url: 
"https://access.redhat.com/errata/rhsa-2022:2216", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-21698", }, { trust: 0.1, url: "https://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2022-1271", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2022-1271", }, { trust: 0.1, url: "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=securitypatches&product=appplatform&version=7.4", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2022:4922", }, { trust: 0.1, url: "https://access.redhat.com/security/updates/classification/#low", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2021:4851", }, { trust: 0.1, url: "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product=jboss.amq.broker&version=7.9.1", }, { trust: 0.1, url: "https://access.redhat.com/documentation/en-us/red_hat_amq/2021.q4", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-44832", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-44832", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-34429", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-38153", }, { trust: 0.1, url: "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product=jboss.amq.streams&version=2.0.0", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2021-34429", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2022:0138", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2021-38153", }, ], sources: [ { db: "VULHUB", id: "VHN-398973", }, { db: "PACKETSTORM", id: "167424", }, { db: "PACKETSTORM", id: "167423", }, { db: "PACKETSTORM", id: "165288", }, { db: "PACKETSTORM", id: "166408", }, { db: "PACKETSTORM", id: "174675", }, { db: "PACKETSTORM", id: "167142", }, { 
db: "PACKETSTORM", id: "167422", }, { db: "PACKETSTORM", id: "165105", }, { db: "PACKETSTORM", id: "165564", }, { db: "NVD", id: "CVE-2021-37137", }, ], }, sources: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", data: { "@container": "@list", }, }, data: [ { db: "VULHUB", id: "VHN-398973", }, { db: "PACKETSTORM", id: "167424", }, { db: "PACKETSTORM", id: "167423", }, { db: "PACKETSTORM", id: "165288", }, { db: "PACKETSTORM", id: "166408", }, { db: "PACKETSTORM", id: "174675", }, { db: "PACKETSTORM", id: "167142", }, { db: "PACKETSTORM", id: "167422", }, { db: "PACKETSTORM", id: "165105", }, { db: "PACKETSTORM", id: "165564", }, { db: "NVD", id: "CVE-2021-37137", }, ], }, sources_release_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", data: { "@container": "@list", }, }, data: [ { date: "2021-10-19T00:00:00", db: "VULHUB", id: "VHN-398973", }, { date: "2022-06-07T15:15:05", db: "PACKETSTORM", id: "167424", }, { date: "2022-06-07T15:14:53", db: "PACKETSTORM", id: "167423", }, { date: "2021-12-15T15:22:36", db: "PACKETSTORM", id: "165288", }, { date: "2022-03-23T15:52:53", db: "PACKETSTORM", id: "166408", }, { date: "2023-09-15T13:53:16", db: "PACKETSTORM", id: "174675", }, { date: "2022-05-12T15:55:09", db: "PACKETSTORM", id: "167142", }, { date: "2022-06-07T15:14:37", db: "PACKETSTORM", id: "167422", }, { date: "2021-12-01T16:25:45", db: "PACKETSTORM", id: "165105", }, { date: "2022-01-14T15:29:02", db: "PACKETSTORM", id: "165564", }, { date: "2021-10-19T15:15:07.757000", db: "NVD", id: "CVE-2021-37137", }, ], }, sources_update_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", data: { "@container": "@list", }, }, data: [ { date: "2023-02-24T00:00:00", db: "VULHUB", id: "VHN-398973", }, { date: "2023-11-07T03:36:54.510000", db: "NVD", id: "CVE-2021-37137", }, ], }, title: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", sources: { "@container": "@list", 
"@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Red Hat Security Advisory 2022-4919-01", sources: [ { db: "PACKETSTORM", id: "167424", }, ], trust: 0.1, }, type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "code execution, memory leak", sources: [ { db: "PACKETSTORM", id: "167424", }, { db: "PACKETSTORM", id: "167423", }, { db: "PACKETSTORM", id: "166408", }, { db: "PACKETSTORM", id: "167422", }, ], trust: 0.4, }, }
