Vulnerabilities related to Red Hat - Red Hat Build of Apache Camel 4.8 for Quarkus 3.15
cve-2025-2240
Vulnerability from cvelistv5
Published
2025-03-12 14:55
Modified
2025-04-02 16:50
Summary
A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue.
Impacted products
Vendor Product Version
Red Hat Red Hat Build of Apache Camel 4.8 for Quarkus 3.15     cpe:/a:redhat:camel_quarkus:3
   Red Hat Red Hat Build of Apache Camel 4.8 for Quarkus 3.15     cpe:/a:redhat:camel_quarkus:3
   Red Hat Red Hat build of Quarkus 3.15.4     cpe:/a:redhat:quarkus:3.15::el8
   Red Hat Red Hat build of Apache Camel for Spring Boot 4     cpe:/a:redhat:camel_spring_boot:4
   Red Hat Red Hat build of Apicurio Registry 2     cpe:/a:redhat:service_registry:2
   Red Hat Red Hat build of Apicurio Registry 3     cpe:/a:redhat:apicurio_registry:3
   Red Hat Red Hat build of Quarkus     cpe:/a:redhat:quarkus:3
   Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
   Red Hat Red Hat Integration Camel K 1     cpe:/a:redhat:integration:1
   Red Hat Red Hat JBoss Enterprise Application Platform 7     cpe:/a:redhat:jboss_enterprise_application_platform:7
   Red Hat Red Hat JBoss Enterprise Application Platform 8     cpe:/a:redhat:jboss_enterprise_application_platform:8
   Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack     cpe:/a:redhat:jbosseapxp


{
   containers: {
      cna: {
         affected: [
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:camel_quarkus:3",
               ],
               defaultStatus: "unaffected",
               packageName: "com.redhat.quarkus.platform/quarkus-camel-bom",
               product: "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:camel_quarkus:3",
               ],
               defaultStatus: "unaffected",
               packageName: "com.redhat.quarkus.platform/quarkus-cxf-bom",
               product: "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
               cpes: [
                  "cpe:/a:redhat:quarkus:3.15::el8",
               ],
               defaultStatus: "unaffected",
               packageName: "io.smallrye/smallrye-fault-tolerance-core",
               product: "Red Hat build of Quarkus 3.15.4",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:camel_spring_boot:4",
               ],
               defaultStatus: "affected",
               packageName: "io.smallrye/smallrye-fault-tolerance-core",
               product: "Red Hat build of Apache Camel for Spring Boot 4",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:service_registry:2",
               ],
               defaultStatus: "affected",
               packageName: "io.smallrye/smallrye-fault-tolerance-core",
               product: "Red Hat build of Apicurio Registry 2",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:apicurio_registry:3",
               ],
               defaultStatus: "affected",
               packageName: "io.smallrye/smallrye-fault-tolerance-core",
               product: "Red Hat build of Apicurio Registry 3",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:quarkus:3",
               ],
               defaultStatus: "unaffected",
               packageName: "io.smallrye/smallrye-fault-tolerance-apiimpl",
               product: "Red Hat build of Quarkus",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:jboss_fuse:7",
               ],
               defaultStatus: "unknown",
               packageName: "io.smallrye/smallrye-fault-tolerance-core",
               product: "Red Hat Fuse 7",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:integration:1",
               ],
               defaultStatus: "affected",
               packageName: "io.smallrye/smallrye-fault-tolerance-core",
               product: "Red Hat Integration Camel K 1",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
               cpes: [
                  "cpe:/a:redhat:jboss_enterprise_application_platform:7",
               ],
               defaultStatus: "unaffected",
               packageName: "io.smallrye/smallrye-fault-tolerance-core",
               product: "Red Hat JBoss Enterprise Application Platform 7",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
               cpes: [
                  "cpe:/a:redhat:jboss_enterprise_application_platform:8",
               ],
               defaultStatus: "unaffected",
               packageName: "io.smallrye/smallrye-fault-tolerance-core",
               product: "Red Hat JBoss Enterprise Application Platform 8",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
               cpes: [
                  "cpe:/a:redhat:jbosseapxp",
               ],
               defaultStatus: "unaffected",
               packageName: "io.smallrye/smallrye-fault-tolerance-core",
               product: "Red Hat JBoss Enterprise Application Platform Expansion Pack",
               vendor: "Red Hat",
            },
         ],
         datePublic: "2025-03-12T00:00:00.000Z",
         descriptions: [
            {
               lang: "en",
               value: "A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue.",
            },
         ],
         metrics: [
            {
               other: {
                  content: {
                     namespace: "https://access.redhat.com/security/updates/classification/",
                     value: "Important",
                  },
                  type: "Red Hat severity rating",
               },
            },
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               format: "CVSS",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-1325",
                     description: "Improperly Controlled Sequential Memory Allocation",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2025-04-02T16:50:15.786Z",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               name: "RHSA-2025:3376",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2025:3376",
            },
            {
               name: "RHSA-2025:3541",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2025:3541",
            },
            {
               tags: [
                  "vdb-entry",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/security/cve/CVE-2025-2240",
            },
            {
               name: "RHBZ#2351452",
               tags: [
                  "issue-tracking",
                  "x_refsource_REDHAT",
               ],
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2351452",
            },
            {
               url: "https://github.com/advisories/GHSA-gfh6-3pqw-x2j4",
            },
         ],
         timeline: [
            {
               lang: "en",
               time: "2025-03-12T02:23:44.660000+00:00",
               value: "Reported to Red Hat.",
            },
            {
               lang: "en",
               time: "2025-03-12T00:00:00+00:00",
               value: "Made public.",
            },
         ],
         title: "Smallrye-fault-tolerance: smallrye fault tolerance",
         workarounds: [
            {
               lang: "en",
               value: "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
            },
         ],
         x_redhatCweChain: "CWE-1325: Improperly Controlled Sequential Memory Allocation",
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2025-2240",
      datePublished: "2025-03-12T14:55:15.889Z",
      dateReserved: "2025-03-12T02:36:02.101Z",
      dateUpdated: "2025-04-02T16:50:15.786Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2024-12397
Vulnerability from cvelistv5
Published
2024-12-12 09:05
Modified
2025-03-19 21:05
Summary
A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.
References
https://access.redhat.com/errata/RHSA-2025:0900 (vendor-advisory, x_refsource_REDHAT)
https://access.redhat.com/errata/RHSA-2025:1082 (vendor-advisory, x_refsource_REDHAT)
https://access.redhat.com/errata/RHSA-2025:3018 (vendor-advisory, x_refsource_REDHAT)
https://access.redhat.com/security/cve/CVE-2024-12397 (vdb-entry, x_refsource_REDHAT)
https://bugzilla.redhat.com/show_bug.cgi?id=2331298 (issue-tracking, x_refsource_REDHAT)
Impacted products
Vendor Product Version
Version: 0   
   Red Hat Cryostat 4 on RHEL 9 Unaffected: 0.5.0-6   < *
    cpe:/a:redhat:cryostat:4::el9
   Red Hat Cryostat 4 on RHEL 9 Unaffected: 4.0.0-7   < *
    cpe:/a:redhat:cryostat:4::el9
   Red Hat Cryostat 4 on RHEL 9 Unaffected: 4.0.0-7   < *
    cpe:/a:redhat:cryostat:4::el9
   Red Hat Cryostat 4 on RHEL 9 Unaffected: 4.0.0-7   < *
    cpe:/a:redhat:cryostat:4::el9
   Red Hat Cryostat 4 on RHEL 9 Unaffected: 4.0.0-7   < *
    cpe:/a:redhat:cryostat:4::el9
   Red Hat Cryostat 4 on RHEL 9 Unaffected: 4.0.0-7   < *
    cpe:/a:redhat:cryostat:4::el9
   Red Hat Cryostat 4 on RHEL 9 Unaffected: 4.0.0-7   < *
    cpe:/a:redhat:cryostat:4::el9
   Red Hat Cryostat 4 on RHEL 9 Unaffected: 4.0.0-7   < *
    cpe:/a:redhat:cryostat:4::el9
   Red Hat Cryostat 4 on RHEL 9 Unaffected: 4.0.0-7   < *
    cpe:/a:redhat:cryostat:4::el9
   Red Hat Cryostat 4 on RHEL 9 Unaffected: 4.0.0-7   < *
    cpe:/a:redhat:cryostat:4::el9
   Red Hat Cryostat 4 on RHEL 9 Unaffected: 4.0.0-7   < *
    cpe:/a:redhat:cryostat:4::el9
   Red Hat Red Hat Build of Apache Camel 4.8 for Quarkus 3.15     cpe:/a:redhat:camel_quarkus:3.15
   Red Hat Red Hat Build of Apache Camel 4.8 for Quarkus 3.15     cpe:/a:redhat:camel_quarkus:3.15
   Red Hat Red Hat build of Quarkus 3.15.3     cpe:/a:redhat:quarkus:3.15::el8
   Red Hat Cryostat 3     cpe:/a:redhat:cryostat:3
   Red Hat Red Hat build of Apache Camel - HawtIO 4     cpe:/a:redhat:rhboac_hawtio:4
   Red Hat Red Hat build of Apicurio Registry 2     cpe:/a:redhat:service_registry:2
   Red Hat Red Hat Build of Keycloak     cpe:/a:redhat:build_keycloak:
   Red Hat Red Hat build of OptaPlanner 8     cpe:/a:redhat:optaplanner:::el6
   Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
   Red Hat Red Hat Integration Camel K 1     cpe:/a:redhat:integration:1
   Red Hat Red Hat JBoss Enterprise Application Platform 8     cpe:/a:redhat:jboss_enterprise_application_platform:8
   Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack     cpe:/a:redhat:jbosseapxp
   Red Hat Red Hat Process Automation 7     cpe:/a:redhat:jboss_enterprise_bpms_platform:7
   Red Hat streams for Apache Kafka     cpe:/a:redhat:amq_streams:1


{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-12397",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-12-12T15:31:47.316503Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-12-12T15:45:08.143Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               collectionURL: "https://github.com/quarkusio/quarkus-http",
               defaultStatus: "unaffected",
               packageName: "quarkus-http",
               versions: [
                  {
                     lessThan: "5.3.4",
                     status: "affected",
                     version: "0",
                     versionType: "semver",
                  },
               ],
            },
            {
               collectionURL: "https://catalog.redhat.com/software/containers/",
               cpes: [
                  "cpe:/a:redhat:cryostat:4::el9",
               ],
               defaultStatus: "affected",
               packageName: "cryostat/cryostat-agent-init-rhel9",
               product: "Cryostat 4 on RHEL 9",
               vendor: "Red Hat",
               versions: [
                  {
                     lessThan: "*",
                     status: "unaffected",
                     version: "0.5.0-6",
                     versionType: "rpm",
                  },
               ],
            },
            {
               collectionURL: "https://catalog.redhat.com/software/containers/",
               cpes: [
                  "cpe:/a:redhat:cryostat:4::el9",
               ],
               defaultStatus: "affected",
               packageName: "cryostat/cryostat-db-rhel9",
               product: "Cryostat 4 on RHEL 9",
               vendor: "Red Hat",
               versions: [
                  {
                     lessThan: "*",
                     status: "unaffected",
                     version: "4.0.0-7",
                     versionType: "rpm",
                  },
               ],
            },
            {
               collectionURL: "https://catalog.redhat.com/software/containers/",
               cpes: [
                  "cpe:/a:redhat:cryostat:4::el9",
               ],
               defaultStatus: "affected",
               packageName: "cryostat/cryostat-grafana-dashboard-rhel9",
               product: "Cryostat 4 on RHEL 9",
               vendor: "Red Hat",
               versions: [
                  {
                     lessThan: "*",
                     status: "unaffected",
                     version: "4.0.0-7",
                     versionType: "rpm",
                  },
               ],
            },
            {
               collectionURL: "https://catalog.redhat.com/software/containers/",
               cpes: [
                  "cpe:/a:redhat:cryostat:4::el9",
               ],
               defaultStatus: "affected",
               packageName: "cryostat/cryostat-openshift-console-plugin-rhel9",
               product: "Cryostat 4 on RHEL 9",
               vendor: "Red Hat",
               versions: [
                  {
                     lessThan: "*",
                     status: "unaffected",
                     version: "4.0.0-7",
                     versionType: "rpm",
                  },
               ],
            },
            {
               collectionURL: "https://catalog.redhat.com/software/containers/",
               cpes: [
                  "cpe:/a:redhat:cryostat:4::el9",
               ],
               defaultStatus: "affected",
               packageName: "cryostat/cryostat-operator-bundle",
               product: "Cryostat 4 on RHEL 9",
               vendor: "Red Hat",
               versions: [
                  {
                     lessThan: "*",
                     status: "unaffected",
                     version: "4.0.0-7",
                     versionType: "rpm",
                  },
               ],
            },
            {
               collectionURL: "https://catalog.redhat.com/software/containers/",
               cpes: [
                  "cpe:/a:redhat:cryostat:4::el9",
               ],
               defaultStatus: "affected",
               packageName: "cryostat/cryostat-ose-oauth-proxy-rhel9",
               product: "Cryostat 4 on RHEL 9",
               vendor: "Red Hat",
               versions: [
                  {
                     lessThan: "*",
                     status: "unaffected",
                     version: "4.0.0-7",
                     versionType: "rpm",
                  },
               ],
            },
            {
               collectionURL: "https://catalog.redhat.com/software/containers/",
               cpes: [
                  "cpe:/a:redhat:cryostat:4::el9",
               ],
               defaultStatus: "affected",
               packageName: "cryostat/cryostat-reports-rhel9",
               product: "Cryostat 4 on RHEL 9",
               vendor: "Red Hat",
               versions: [
                  {
                     lessThan: "*",
                     status: "unaffected",
                     version: "4.0.0-7",
                     versionType: "rpm",
                  },
               ],
            },
            {
               collectionURL: "https://catalog.redhat.com/software/containers/",
               cpes: [
                  "cpe:/a:redhat:cryostat:4::el9",
               ],
               defaultStatus: "affected",
               packageName: "cryostat/cryostat-rhel9",
               product: "Cryostat 4 on RHEL 9",
               vendor: "Red Hat",
               versions: [
                  {
                     lessThan: "*",
                     status: "unaffected",
                     version: "4.0.0-7",
                     versionType: "rpm",
                  },
               ],
            },
            {
               collectionURL: "https://catalog.redhat.com/software/containers/",
               cpes: [
                  "cpe:/a:redhat:cryostat:4::el9",
               ],
               defaultStatus: "affected",
               packageName: "cryostat/cryostat-rhel9-operator",
               product: "Cryostat 4 on RHEL 9",
               vendor: "Red Hat",
               versions: [
                  {
                     lessThan: "*",
                     status: "unaffected",
                     version: "4.0.0-7",
                     versionType: "rpm",
                  },
               ],
            },
            {
               collectionURL: "https://catalog.redhat.com/software/containers/",
               cpes: [
                  "cpe:/a:redhat:cryostat:4::el9",
               ],
               defaultStatus: "affected",
               packageName: "cryostat/cryostat-storage-rhel9",
               product: "Cryostat 4 on RHEL 9",
               vendor: "Red Hat",
               versions: [
                  {
                     lessThan: "*",
                     status: "unaffected",
                     version: "4.0.0-7",
                     versionType: "rpm",
                  },
               ],
            },
            {
               collectionURL: "https://catalog.redhat.com/software/containers/",
               cpes: [
                  "cpe:/a:redhat:cryostat:4::el9",
               ],
               defaultStatus: "affected",
               packageName: "cryostat/jfr-datasource-rhel9",
               product: "Cryostat 4 on RHEL 9",
               vendor: "Red Hat",
               versions: [
                  {
                     lessThan: "*",
                     status: "unaffected",
                     version: "4.0.0-7",
                     versionType: "rpm",
                  },
               ],
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:camel_quarkus:3.15",
               ],
               defaultStatus: "unaffected",
               packageName: "com.redhat.quarkus.platform/quarkus-camel-bom",
               product: "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:camel_quarkus:3.15",
               ],
               defaultStatus: "unaffected",
               packageName: "com.redhat.quarkus.platform/quarkus-cxf-bom",
               product: "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
               cpes: [
                  "cpe:/a:redhat:quarkus:3.15::el8",
               ],
               defaultStatus: "unaffected",
               packageName: "io.quarkus.http/quarkus-http-core",
               product: "Red Hat build of Quarkus 3.15.3",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:cryostat:3",
               ],
               defaultStatus: "affected",
               packageName: "io.quarkus.http/quarkus-http-core",
               product: "Cryostat 3",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:rhboac_hawtio:4",
               ],
               defaultStatus: "affected",
               packageName: "io.quarkus.http/quarkus-http-core",
               product: "Red Hat build of Apache Camel - HawtIO 4",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:service_registry:2",
               ],
               defaultStatus: "affected",
               packageName: "io.quarkus.http/quarkus-http-core",
               product: "Red Hat build of Apicurio Registry 2",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:build_keycloak:",
               ],
               defaultStatus: "affected",
               packageName: "io.quarkus.http/quarkus-http-core",
               product: "Red Hat Build of Keycloak",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:optaplanner:::el6",
               ],
               defaultStatus: "affected",
               packageName: "io.quarkus.http/quarkus-http-core",
               product: "Red Hat build of OptaPlanner 8",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:jboss_fuse:7",
               ],
               defaultStatus: "unknown",
               packageName: "io.quarkus.http/quarkus-http-core",
               product: "Red Hat Fuse 7",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:integration:1",
               ],
               defaultStatus: "affected",
               packageName: "io.quarkus.http/quarkus-http-core",
               product: "Red Hat Integration Camel K 1",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
               cpes: [
                  "cpe:/a:redhat:jboss_enterprise_application_platform:8",
               ],
               defaultStatus: "unaffected",
               packageName: "io.quarkus.http/quarkus-http-core",
               product: "Red Hat JBoss Enterprise Application Platform 8",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
               cpes: [
                  "cpe:/a:redhat:jbosseapxp",
               ],
               defaultStatus: "unaffected",
               packageName: "io.quarkus.http/quarkus-http-core",
               product: "Red Hat JBoss Enterprise Application Platform Expansion Pack",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:jboss_enterprise_bpms_platform:7",
               ],
               defaultStatus: "affected",
               packageName: "io.quarkus.http/quarkus-http-core",
               product: "Red Hat Process Automation 7",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:amq_streams:1",
               ],
               defaultStatus: "affected",
               packageName: "io.quarkus.http/quarkus-http-core",
               product: "streams for Apache Kafka",
               vendor: "Red Hat",
            },
         ],
         datePublic: "2024-12-10T00:00:00.000Z",
         descriptions: [
            {
               lang: "en",
               value: "A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with\ncertain value-delimiting characters in incoming requests. This issue could\nallow an attacker to construct a cookie value to exfiltrate HttpOnly cookie\nvalues or spoof arbitrary additional cookie values, leading to unauthorized\ndata access or modification. The main threat from this flaw impacts data\nconfidentiality and integrity.",
            },
         ],
         metrics: [
            {
               other: {
                  content: {
                     namespace: "https://access.redhat.com/security/updates/classification/",
                     value: "Moderate",
                  },
                  type: "Red Hat severity rating",
               },
            },
            {
               cvssV3_1: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 7.4,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                  version: "3.1",
               },
               format: "CVSS",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-444",
                     description: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2025-03-19T21:05:39.846Z",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               name: "RHSA-2025:0900",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2025:0900",
            },
            {
               name: "RHSA-2025:1082",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2025:1082",
            },
            {
               name: "RHSA-2025:3018",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2025:3018",
            },
            {
               tags: [
                  "vdb-entry",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/security/cve/CVE-2024-12397",
            },
            {
               name: "RHBZ#2331298",
               tags: [
                  "issue-tracking",
                  "x_refsource_REDHAT",
               ],
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2331298",
            },
         ],
         timeline: [
            {
               lang: "en",
               time: "2024-12-10T01:15:33.380000+00:00",
               value: "Reported to Red Hat.",
            },
            {
               lang: "en",
               time: "2024-12-10T00:00:00+00:00",
               value: "Made public.",
            },
         ],
         title: "Io.quarkus.http/quarkus-http-core: quarkus http cookie smuggling",
         workarounds: [
            {
               lang: "en",
               value: "Currently, no mitigation is available for this vulnerability.",
            },
         ],
         x_redhatCweChain: "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')",
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2024-12397",
      datePublished: "2024-12-12T09:05:28.451Z",
      dateReserved: "2024-12-10T01:22:12.303Z",
      dateUpdated: "2025-03-19T21:05:39.846Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2025-1247
Vulnerability from cvelistv5
Published
2025-02-13 13:26
Modified
2025-03-15 09:18
Summary
A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information.
References
https://access.redhat.com/errata/RHSA-2025:1884 — vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2025:1885 — vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2025:2067 — vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2025-1247 — vdb-entry, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2345172 — issue-tracking, x_refsource_REDHAT


{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2025-1247",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-02-13T14:11:32.786242Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-02-13T14:11:38.780Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               collectionURL: "https://github.com/quarkusio/quarkus/",
               defaultStatus: "unaffected",
               packageName: "quarkus-rest",
               versions: [
                  {
                     lessThan: "3.18.2",
                     status: "affected",
                     version: "0",
                     versionType: "semver",
                  },
               ],
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:camel_quarkus:3.15",
               ],
               defaultStatus: "unaffected",
               packageName: "io.quarkus/quarkus-rest",
               product: "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:quarkus:3.15::el8",
               ],
               defaultStatus: "unaffected",
               packageName: "io.quarkus/quarkus-rest",
               product: "Red Hat build of Quarkus 3.15.3.SP1",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:quarkus:3.8::el8",
               ],
               defaultStatus: "unaffected",
               packageName: "io.quarkus/quarkus-rest",
               product: "Red Hat build of Quarkus 3.8.6.SP3",
               vendor: "Red Hat",
            },
         ],
         datePublic: "2025-02-12T00:00:00.000Z",
         descriptions: [
            {
               lang: "en",
               value: "A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information.",
            },
         ],
         metrics: [
            {
               other: {
                  content: {
                     namespace: "https://access.redhat.com/security/updates/classification/",
                     value: "Important",
                  },
                  type: "Red Hat severity rating",
               },
            },
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "LOW",
                  baseScore: 8.3,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
                  version: "3.1",
               },
               format: "CVSS",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-488",
                     description: "Exposure of Data Element to Wrong Session",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2025-03-15T09:18:44.686Z",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               name: "RHSA-2025:1884",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2025:1884",
            },
            {
               name: "RHSA-2025:1885",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2025:1885",
            },
            {
               name: "RHSA-2025:2067",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2025:2067",
            },
            {
               tags: [
                  "vdb-entry",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/security/cve/CVE-2025-1247",
            },
            {
               name: "RHBZ#2345172",
               tags: [
                  "issue-tracking",
                  "x_refsource_REDHAT",
               ],
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2345172",
            },
         ],
         timeline: [
            {
               lang: "en",
               time: "2025-02-12T09:30:25.106000+00:00",
               value: "Reported to Red Hat.",
            },
            {
               lang: "en",
               time: "2025-02-12T00:00:00+00:00",
               value: "Made public.",
            },
         ],
         title: "Io.quarkus:quarkus-rest: quarkus rest endpoint request parameter leakage due to shared instance",
         workarounds: [
            {
               lang: "en",
               value: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
            },
         ],
         x_redhatCweChain: "CWE-488: Exposure of Data Element to Wrong Session",
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2025-1247",
      datePublished: "2025-02-13T13:26:26.992Z",
      dateReserved: "2025-02-12T09:43:11.716Z",
      dateUpdated: "2025-03-15T09:18:44.686Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2025-1634
Vulnerability from cvelistv5
Published
2025-02-26 16:56
Modified
2025-03-18 09:19
Summary
A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError.
References
https://access.redhat.com/errata/RHSA-2025:1884 — vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2025:1885 — vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2025:2067 — vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2025-1634 — vdb-entry, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2347319 — issue-tracking, x_refsource_REDHAT
Impacted products
Vendor Product Version
Version: 0   
Version: 0   
   Red Hat Red Hat Build of Apache Camel 4.8 for Quarkus 3.15     cpe:/a:redhat:camel_quarkus:3.15
   Red Hat Red Hat build of Quarkus 3.15.3.SP1     cpe:/a:redhat:quarkus:3.15::el8
   Red Hat Red Hat build of Quarkus 3.8.6.SP3     cpe:/a:redhat:quarkus:3.8::el8


{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2025-1634",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "yes",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-02-26T17:22:33.342704Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-02-26T17:25:47.506Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               collectionURL: "https://github.com/quarkusio/quarkus",
               defaultStatus: "unaffected",
               packageName: "quarkus-resteasy",
               versions: [
                  {
                     lessThan: "3.8.6",
                     status: "affected",
                     version: "0",
                     versionType: "semver",
                  },
                  {
                     lessThan: "3.15.3",
                     status: "affected",
                     version: "0",
                     versionType: "semver",
                  },
               ],
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:camel_quarkus:3.15",
               ],
               defaultStatus: "unaffected",
               packageName: "quarkus-resteasy",
               product: "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:quarkus:3.15::el8",
               ],
               defaultStatus: "unaffected",
               packageName: "quarkus-resteasy",
               product: "Red Hat build of Quarkus 3.15.3.SP1",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:quarkus:3.8::el8",
               ],
               defaultStatus: "unaffected",
               packageName: "quarkus-resteasy",
               product: "Red Hat build of Quarkus 3.8.6.SP3",
               vendor: "Red Hat",
            },
         ],
         datePublic: "2025-02-24T00:00:00.000Z",
         descriptions: [
            {
               lang: "en",
               value: "A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError.",
            },
         ],
         metrics: [
            {
               other: {
                  content: {
                     namespace: "https://access.redhat.com/security/updates/classification/",
                     value: "Important",
                  },
                  type: "Red Hat severity rating",
               },
            },
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               format: "CVSS",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-401",
                     description: "Missing Release of Memory after Effective Lifetime",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2025-03-18T09:19:30.590Z",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               name: "RHSA-2025:1884",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2025:1884",
            },
            {
               name: "RHSA-2025:1885",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2025:1885",
            },
            {
               name: "RHSA-2025:2067",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2025:2067",
            },
            {
               tags: [
                  "vdb-entry",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/security/cve/CVE-2025-1634",
            },
            {
               name: "RHBZ#2347319",
               tags: [
                  "issue-tracking",
                  "x_refsource_REDHAT",
               ],
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2347319",
            },
         ],
         timeline: [
            {
               lang: "en",
               time: "2025-02-24T14:17:31.237000+00:00",
               value: "Reported to Red Hat.",
            },
            {
               lang: "en",
               time: "2025-02-24T00:00:00+00:00",
               value: "Made public.",
            },
         ],
         title: "Io.quarkus:quarkus-resteasy: memory leak in quarkus resteasy classic when client requests timeout",
         workarounds: [
            {
               lang: "en",
               value: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
            },
         ],
         x_redhatCweChain: "CWE-401: Missing Release of Memory after Effective Lifetime",
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2025-1634",
      datePublished: "2025-02-26T16:56:23.869Z",
      dateReserved: "2025-02-24T14:23:22.369Z",
      dateUpdated: "2025-03-18T09:19:30.590Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}