All the vulnerabilites related to NetApp - StorageGRID
cve-2021-3114
Vulnerability from cvelistv5
Published
2021-01-26 02:23
Modified
2024-08-03 16:45
Severity ?
EPSS score ?
Summary
In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field.
References
| ▼ | URL | Tags |
|---|---|---|
| https://groups.google.com/g/golang-announce/c/mperVMGa98w | x_refsource_CONFIRM | |
| https://github.com/golang/go/commit/d95ca9138026cbe40e0857d76a81a16d03230871 | x_refsource_CONFIRM | |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/ | vendor-advisory, x_refsource_FEDORA | |
| https://www.debian.org/security/2021/dsa-4848 | vendor-advisory, x_refsource_DEBIAN | |
| https://security.netapp.com/advisory/ntap-20210219-0001/ | x_refsource_CONFIRM | |
| https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html | mailing-list, x_refsource_MLIST | |
| https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html | mailing-list, x_refsource_MLIST | |
| https://security.gentoo.org/glsa/202208-02 | vendor-advisory, x_refsource_GENTOO |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T16:45:51.301Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce/c/mperVMGa98w"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/golang/go/commit/d95ca9138026cbe40e0857d76a81a16d03230871"
},
{
"name": "FEDORA-2021-e435a8bb88",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/"
},
{
"name": "DSA-4848",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4848"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210219-0001/"
},
{
"name": "[debian-lts-announce] 20210313 [SECURITY] [DLA 2591-1] golang-1.7 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html"
},
{
"name": "[debian-lts-announce] 20210313 [SECURITY] [DLA 2592-1] golang-1.8 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html"
},
{
"name": "GLSA-202208-02",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202208-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-04T15:06:51",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://groups.google.com/g/golang-announce/c/mperVMGa98w"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/golang/go/commit/d95ca9138026cbe40e0857d76a81a16d03230871"
},
{
"name": "FEDORA-2021-e435a8bb88",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/"
},
{
"name": "DSA-4848",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4848"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210219-0001/"
},
{
"name": "[debian-lts-announce] 20210313 [SECURITY] [DLA 2591-1] golang-1.7 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html"
},
{
"name": "[debian-lts-announce] 20210313 [SECURITY] [DLA 2592-1] golang-1.8 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html"
},
{
"name": "GLSA-202208-02",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202208-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-3114",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://groups.google.com/g/golang-announce/c/mperVMGa98w",
"refsource": "CONFIRM",
"url": "https://groups.google.com/g/golang-announce/c/mperVMGa98w"
},
{
"name": "https://github.com/golang/go/commit/d95ca9138026cbe40e0857d76a81a16d03230871",
"refsource": "CONFIRM",
"url": "https://github.com/golang/go/commit/d95ca9138026cbe40e0857d76a81a16d03230871"
},
{
"name": "FEDORA-2021-e435a8bb88",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/"
},
{
"name": "DSA-4848",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4848"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210219-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210219-0001/"
},
{
"name": "[debian-lts-announce] 20210313 [SECURITY] [DLA 2591-1] golang-1.7 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html"
},
{
"name": "[debian-lts-announce] 20210313 [SECURITY] [DLA 2592-1] golang-1.8 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html"
},
{
"name": "GLSA-202208-02",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202208-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-3114",
"datePublished": "2021-01-26T02:23:18",
"dateReserved": "2021-01-11T00:00:00",
"dateUpdated": "2024-08-03T16:45:51.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-8610
Vulnerability from cvelistv5
Published
2017-11-13 22:00
Modified
2024-08-06 02:27
Severity ?
EPSS score ?
Summary
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:27:40.949Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "93841",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/93841"
},
{
"name": "RHSA-2017:1659",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-1659.html"
},
{
"name": "RHSA-2017:1658",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:1658"
},
{
"name": "RHSA-2017:1801",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:1801"
},
{
"name": "RHSA-2017:0286",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0286.html"
},
{
"name": "RHSA-2017:1413",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:1413"
},
{
"name": "RHSA-2017:2494",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2494"
},
{
"name": "FreeBSD-SA-16:35",
"tags": [
"vendor-advisory",
"x_refsource_FREEBSD",
"x_transferred"
],
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-16:35.openssl.asc"
},
{
"name": "RHSA-2017:1414",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:1414"
},
{
"name": "[oss-security] 20161024 CVE-2016-8610: SSL Death Alert: OpenSSL SSL/TLS SSL3_AL_WARNING undefined alert Remote DoS",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2016/q4/224"
},
{
"name": "RHSA-2017:0574",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0574.html"
},
{
"name": "DSA-3773",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2017/dsa-3773"
},
{
"name": "RHSA-2017:1415",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-1415.html"
},
{
"name": "1037084",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1037084"
},
{
"name": "RHSA-2017:1802",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:1802"
},
{
"name": "RHSA-2017:2493",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2493"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20171130-0001/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8610"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=af58be768ebb690f78530f796e92b8ae5c9a4401"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.360.cn/cve/CVE-2016-8610/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03897en_us"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.paloaltonetworks.com/CVE-2016-8610"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OpenSSL",
"vendor": "OpenSSL",
"versions": [
{
"status": "affected",
"version": "All 0.9.8"
},
{
"status": "affected",
"version": "All 1.0.1"
},
{
"status": "affected",
"version": "1.0.2 through 1.0.2h"
},
{
"status": "affected",
"version": "1.1.0"
}
]
}
],
"datePublic": "2016-10-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-20T21:14:51",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "93841",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/93841"
},
{
"name": "RHSA-2017:1659",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-1659.html"
},
{
"name": "RHSA-2017:1658",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:1658"
},
{
"name": "RHSA-2017:1801",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:1801"
},
{
"name": "RHSA-2017:0286",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0286.html"
},
{
"name": "RHSA-2017:1413",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:1413"
},
{
"name": "RHSA-2017:2494",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2494"
},
{
"name": "FreeBSD-SA-16:35",
"tags": [
"vendor-advisory",
"x_refsource_FREEBSD"
],
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-16:35.openssl.asc"
},
{
"name": "RHSA-2017:1414",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:1414"
},
{
"name": "[oss-security] 20161024 CVE-2016-8610: SSL Death Alert: OpenSSL SSL/TLS SSL3_AL_WARNING undefined alert Remote DoS",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://seclists.org/oss-sec/2016/q4/224"
},
{
"name": "RHSA-2017:0574",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0574.html"
},
{
"name": "DSA-3773",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2017/dsa-3773"
},
{
"name": "RHSA-2017:1415",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-1415.html"
},
{
"name": "1037084",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1037084"
},
{
"name": "RHSA-2017:1802",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:1802"
},
{
"name": "RHSA-2017:2493",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2493"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20171130-0001/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8610"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=af58be768ebb690f78530f796e92b8ae5c9a4401"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.360.cn/cve/CVE-2016-8610/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03897en_us"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.paloaltonetworks.com/CVE-2016-8610"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2016-8610",
"datePublished": "2017-11-13T22:00:00Z",
"dateReserved": "2016-10-12T00:00:00",
"dateUpdated": "2024-08-06T02:27:40.949Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-27006
Vulnerability from cvelistv5
Published
2021-12-23 19:48
Modified
2024-08-03 20:40
Severity ?
EPSS score ?
Summary
StorageGRID (formerly StorageGRID Webscale) versions 11.5 prior to 11.5.0.5 are susceptible to a vulnerability which may allow an administrative user to escalate their privileges and modify settings in SANtricity System Manager.
References
| ▼ | URL | Tags |
|---|---|---|
| https://security.netapp.com/advisory/ntap-20211221-0001/ | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | n/a | StorageGRID (formerly StorageGRID Webscale) |
Version: Versions 11.5 prior to 11.5.0.5 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:40:47.120Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20211221-0001/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "StorageGRID (formerly StorageGRID Webscale)",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Versions 11.5 prior to 11.5.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "StorageGRID (formerly StorageGRID Webscale) versions 11.5 prior to 11.5.0.5 are susceptible to a vulnerability which may allow an administrative user to escalate their privileges and modify settings in SANtricity System Manager."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Privilege Escalation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-23T19:48:47",
"orgId": "11fdca00-0482-4c88-a206-37f9c182c87d",
"shortName": "netapp"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.netapp.com/advisory/ntap-20211221-0001/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-alert@netapp.com",
"ID": "CVE-2021-27006",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "StorageGRID (formerly StorageGRID Webscale)",
"version": {
"version_data": [
{
"version_value": "Versions 11.5 prior to 11.5.0.5"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "StorageGRID (formerly StorageGRID Webscale) versions 11.5 prior to 11.5.0.5 are susceptible to a vulnerability which may allow an administrative user to escalate their privileges and modify settings in SANtricity System Manager."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Privilege Escalation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security.netapp.com/advisory/ntap-20211221-0001/",
"refsource": "MISC",
"url": "https://security.netapp.com/advisory/ntap-20211221-0001/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "11fdca00-0482-4c88-a206-37f9c182c87d",
"assignerShortName": "netapp",
"cveId": "CVE-2021-27006",
"datePublished": "2021-12-23T19:48:47",
"dateReserved": "2021-02-09T00:00:00",
"dateUpdated": "2024-08-03T20:40:47.120Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-15715
Vulnerability from cvelistv5
Published
2018-03-26 15:00
Modified
2024-09-17 02:21
Severity ?
EPSS score ?
Summary
In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache HTTP Server |
Version: 2.4.0 to 2.4.29 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:04:49.979Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "USN-3627-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3627-1/"
},
{
"name": "DSA-4164",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4164"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20180601-0004/"
},
{
"name": "RHSA-2018:3558",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3558"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03909en_us"
},
{
"name": "RHSA-2019:0367",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0367"
},
{
"name": "USN-3627-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3627-2/"
},
{
"name": "103525",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103525"
},
{
"name": "1040570",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1040570"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "[oss-security] 20180323 CVE-2017-15715: \u003cFilesMatch\u003e bypass with a trailing newline in the file name",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2018/03/24/6"
},
{
"name": "RHSA-2019:0366",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0366"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.elarlang.eu/cve-2017-15715-apache-http-server-filesmatch-bypass-with-a-trailing-newline-at-the-end-of-the-file-name.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [10/13] - /httpd/site/trunk/content/security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210603 svn commit: r1075360 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache HTTP Server",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "2.4.0 to 2.4.29"
}
]
}
],
"datePublic": "2018-03-23T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Apache httpd 2.4.0 to 2.4.29, the expression specified in \u003cFilesMatch\u003e could match \u0027$\u0027 to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "\u003cFilesMatch\u003e bypass with a trailing newline in the file name",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-06T10:10:49",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "USN-3627-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3627-1/"
},
{
"name": "DSA-4164",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4164"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20180601-0004/"
},
{
"name": "RHSA-2018:3558",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3558"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03909en_us"
},
{
"name": "RHSA-2019:0367",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0367"
},
{
"name": "USN-3627-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3627-2/"
},
{
"name": "103525",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103525"
},
{
"name": "1040570",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1040570"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "[oss-security] 20180323 CVE-2017-15715: \u003cFilesMatch\u003e bypass with a trailing newline in the file name",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2018/03/24/6"
},
{
"name": "RHSA-2019:0366",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0366"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.elarlang.eu/cve-2017-15715-apache-http-server-filesmatch-bypass-with-a-trailing-newline-at-the-end-of-the-file-name.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [10/13] - /httpd/site/trunk/content/security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210603 svn commit: r1075360 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-03-23T00:00:00",
"ID": "CVE-2017-15715",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache HTTP Server",
"version": {
"version_data": [
{
"version_value": "2.4.0 to 2.4.29"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache httpd 2.4.0 to 2.4.29, the expression specified in \u003cFilesMatch\u003e could match \u0027$\u0027 to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "\u003cFilesMatch\u003e bypass with a trailing newline in the file name"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "USN-3627-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3627-1/"
},
{
"name": "DSA-4164",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4164"
},
{
"name": "https://security.netapp.com/advisory/ntap-20180601-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20180601-0004/"
},
{
"name": "RHSA-2018:3558",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3558"
},
{
"name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03909en_us",
"refsource": "CONFIRM",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03909en_us"
},
{
"name": "RHSA-2019:0367",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:0367"
},
{
"name": "USN-3627-2",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3627-2/"
},
{
"name": "103525",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103525"
},
{
"name": "1040570",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1040570"
},
{
"name": "https://httpd.apache.org/security/vulnerabilities_24.html",
"refsource": "CONFIRM",
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "[oss-security] 20180323 CVE-2017-15715: \u003cFilesMatch\u003e bypass with a trailing newline in the file name",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2018/03/24/6"
},
{
"name": "RHSA-2019:0366",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:0366"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "https://security.elarlang.eu/cve-2017-15715-apache-http-server-filesmatch-bypass-with-a-trailing-newline-at-the-end-of-the-file-name.html",
"refsource": "MISC",
"url": "https://security.elarlang.eu/cve-2017-15715-apache-http-server-filesmatch-bypass-with-a-trailing-newline-at-the-end-of-the-file-name.html"
},
{
"name": "https://www.tenable.com/security/tns-2019-09",
"refsource": "CONFIRM",
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [10/13] - /httpd/site/trunk/content/security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210603 svn commit: r1075360 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3Ccvs.httpd.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-15715",
"datePublished": "2018-03-26T15:00:00Z",
"dateReserved": "2017-10-21T00:00:00",
"dateUpdated": "2024-09-17T02:21:04.135Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-39275
Vulnerability from cvelistv5
Published
2021-09-16 14:40
Modified
2024-08-04 02:06
Severity ?
EPSS score ?
Summary
ap_escape_quotes buffer overflow
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache HTTP Server |
Version: Apache HTTP Server 2.4 < |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:06:42.326Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "FEDORA-2021-dce7e7738e",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/"
},
{
"name": "[httpd-users] 20210923 [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 Re: [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 Re: [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "FEDORA-2021-e3f6dd670d",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/"
},
{
"name": "[debian-lts-announce] 20211002 [SECURITY] [DLA 2776-1] apache2 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00001.html"
},
{
"name": "DSA-4982",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4982"
},
{
"name": "20211124 Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021",
"tags": [
"vendor-advisory",
"x_refsource_CISCO",
"x_transferred"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20211008-0004/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdf"
},
{
"name": "GLSA-202208-20",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202208-20"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache HTTP Server",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.4.48",
"status": "affected",
"version": "Apache HTTP Server 2.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "ClusterFuzz"
}
],
"descriptions": [
{
"lang": "en",
"value": "ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier."
}
],
"metrics": [
{
"other": {
"content": {
"other": "low"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Buffer Overflow",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-14T01:06:08",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "FEDORA-2021-dce7e7738e",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/"
},
{
"name": "[httpd-users] 20210923 [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 Re: [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 Re: [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "FEDORA-2021-e3f6dd670d",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/"
},
{
"name": "[debian-lts-announce] 20211002 [SECURITY] [DLA 2776-1] apache2 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00001.html"
},
{
"name": "DSA-4982",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4982"
},
{
"name": "20211124 Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021",
"tags": [
"vendor-advisory",
"x_refsource_CISCO"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20211008-0004/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdf"
},
{
"name": "GLSA-202208-20",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202208-20"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2021-09-16T00:00:00",
"value": "2.4.49 released"
}
],
"title": "ap_escape_quotes buffer overflow",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-39275",
"STATE": "PUBLIC",
"TITLE": "ap_escape_quotes buffer overflow"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache HTTP Server",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "Apache HTTP Server 2.4",
"version_value": "2.4.48"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "ClusterFuzz"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "low"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Buffer Overflow"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://httpd.apache.org/security/vulnerabilities_24.html",
"refsource": "MISC",
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "FEDORA-2021-dce7e7738e",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/"
},
{
"name": "[httpd-users] 20210923 [users@httpd] 2.4.49 security fixes: more info",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697@%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 Re: [users@httpd] 2.4.49 security fixes: more info",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029@%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432@%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 Re: [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c@%3Cusers.httpd.apache.org%3E"
},
{
"name": "FEDORA-2021-e3f6dd670d",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/"
},
{
"name": "[debian-lts-announce] 20211002 [SECURITY] [DLA 2776-1] apache2 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00001.html"
},
{
"name": "DSA-4982",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4982"
},
{
"name": "20211124 Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021",
"refsource": "CISCO",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20211008-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20211008-0004/"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdf",
"refsource": "CONFIRM",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdf"
},
{
"name": "GLSA-202208-20",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202208-20"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2021-09-16T00:00:00",
"value": "2.4.49 released"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-39275",
"datePublished": "2021-09-16T14:40:22",
"dateReserved": "2021-08-18T00:00:00",
"dateUpdated": "2024-08-04T02:06:42.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-23232
Vulnerability from cvelistv5
Published
2022-03-04 17:21
Modified
2024-08-03 03:36
Severity ?
EPSS score ?
Summary
StorageGRID (formerly StorageGRID Webscale) versions prior to 11.6.0 are susceptible to a vulnerability which when successfully exploited could allow disabled, expired, or locked external user accounts to access S3 data to which they previously had access. StorageGRID 11.6.0 obtains the user account status from Active Directory or Azure and will block S3 access for disabled user accounts during the subsequent background synchronization. User accounts that are expired or locked for Active Directory or Azure, or user accounts that are disabled, expired, or locked in identity sources other than Active Directory or Azure must be manually removed from group memberships or have their S3 keys manually removed from Tenant Manager in all versions of StorageGRID (formerly StorageGRID Webscale).
References
| ▼ | URL | Tags |
|---|---|---|
| https://security.netapp.com/advisory/NTAP-20220303-0009/ | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | n/a | StorageGRID (formerly StorageGRID Webscale) |
Version: Prior to 11.6.0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:36:20.370Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/NTAP-20220303-0009/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "StorageGRID (formerly StorageGRID Webscale)",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Prior to 11.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "StorageGRID (formerly StorageGRID Webscale) versions prior to 11.6.0 are susceptible to a vulnerability which when successfully exploited could allow disabled, expired, or locked external user accounts to access S3 data to which they previously had access. StorageGRID 11.6.0 obtains the user account status from Active Directory or Azure and will block S3 access for disabled user accounts during the subsequent background synchronization. User accounts that are expired or locked for Active Directory or Azure, or user accounts that are disabled, expired, or locked in identity sources other than Active Directory or Azure must be manually removed from group memberships or have their S3 keys manually removed from Tenant Manager in all versions of StorageGRID (formerly StorageGRID Webscale)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Access Bypass",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-04T17:21:50",
"orgId": "11fdca00-0482-4c88-a206-37f9c182c87d",
"shortName": "netapp"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.netapp.com/advisory/NTAP-20220303-0009/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-alert@netapp.com",
"ID": "CVE-2022-23232",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "StorageGRID (formerly StorageGRID Webscale)",
"version": {
"version_data": [
{
"version_value": "Prior to 11.6.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "StorageGRID (formerly StorageGRID Webscale) versions prior to 11.6.0 are susceptible to a vulnerability which when successfully exploited could allow disabled, expired, or locked external user accounts to access S3 data to which they previously had access. StorageGRID 11.6.0 obtains the user account status from Active Directory or Azure and will block S3 access for disabled user accounts during the subsequent background synchronization. User accounts that are expired or locked for Active Directory or Azure, or user accounts that are disabled, expired, or locked in identity sources other than Active Directory or Azure must be manually removed from group memberships or have their S3 keys manually removed from Tenant Manager in all versions of StorageGRID (formerly StorageGRID Webscale)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Access Bypass"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security.netapp.com/advisory/NTAP-20220303-0009/",
"refsource": "MISC",
"url": "https://security.netapp.com/advisory/NTAP-20220303-0009/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "11fdca00-0482-4c88-a206-37f9c182c87d",
"assignerShortName": "netapp",
"cveId": "CVE-2022-23232",
"datePublished": "2022-03-04T17:21:50",
"dateReserved": "2022-01-14T00:00:00",
"dateUpdated": "2024-08-03T03:36:20.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-8571
Vulnerability from cvelistv5
Published
2020-03-13 15:10
Modified
2024-08-04 10:03
Severity ?
EPSS score ?
Summary
StorageGRID (formerly StorageGRID Webscale) versions 10.0.0 through 11.3 prior to 11.2.0.8 and 11.3.0.4 are susceptible to a vulnerability which allows an unauthenticated remote attacker to cause a Denial of Service (DoS).
References
| ▼ | URL | Tags |
|---|---|---|
| https://security.netapp.com/advisory/ntap-20200313-0005/ | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | NetApp | StorageGRID (formerly StorageGRID Webscale) |
Version: Versions 10.0.0 through 11.3 prior to 11.2.0.8 and 11.3.0.4 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:03:46.377Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200313-0005/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "StorageGRID (formerly StorageGRID Webscale)",
"vendor": "NetApp",
"versions": [
{
"status": "affected",
"version": "Versions 10.0.0 through 11.3 prior to 11.2.0.8 and 11.3.0.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "StorageGRID (formerly StorageGRID Webscale) versions 10.0.0 through 11.3 prior to 11.2.0.8 and 11.3.0.4 are susceptible to a vulnerability which allows an unauthenticated remote attacker to cause a Denial of Service (DoS)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Privilege Escalation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-13T15:10:08",
"orgId": "11fdca00-0482-4c88-a206-37f9c182c87d",
"shortName": "netapp"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200313-0005/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-alert@netapp.com",
"ID": "CVE-2020-8571",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "StorageGRID (formerly StorageGRID Webscale)",
"version": {
"version_data": [
{
"version_value": "Versions 10.0.0 through 11.3 prior to 11.2.0.8 and 11.3.0.4"
}
]
}
}
]
},
"vendor_name": "NetApp"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "StorageGRID (formerly StorageGRID Webscale) versions 10.0.0 through 11.3 prior to 11.2.0.8 and 11.3.0.4 are susceptible to a vulnerability which allows an unauthenticated remote attacker to cause a Denial of Service (DoS)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Privilege Escalation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security.netapp.com/advisory/ntap-20200313-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200313-0005/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "11fdca00-0482-4c88-a206-37f9c182c87d",
"assignerShortName": "netapp",
"cveId": "CVE-2020-8571",
"datePublished": "2020-03-13T15:10:08",
"dateReserved": "2020-02-03T00:00:00",
"dateUpdated": "2024-08-04T10:03:46.377Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-15710
Vulnerability from cvelistv5
Published
2018-03-26 15:00
Modified
2024-09-17 03:37
Severity ?
EPSS score ?
Summary
In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache HTTP Server |
Version: 2.0.23 to 2.0.65 Version: 2.2.0 to 2.2.34 Version: 2.4.0 to 2.4.29 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:04:49.437Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "USN-3627-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3627-1/"
},
{
"name": "103512",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103512"
},
{
"name": "DSA-4164",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4164"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20180601-0004/"
},
{
"name": "RHSA-2018:3558",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3558"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03909en_us"
},
{
"name": "RHSA-2019:0367",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0367"
},
{
"name": "USN-3627-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3627-2/"
},
{
"name": "[oss-security] 20180323 CVE-2017-15710: Out of bound write in mod_authnz_ldap when using too small Accept-Language values",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2018/03/24/8"
},
{
"name": "1040569",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1040569"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "[debian-lts-announce] 20180530 [SECURITY] [DLA 1389-1] apache2 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/05/msg00020.html"
},
{
"name": "RHSA-2019:0366",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0366"
},
{
"name": "USN-3937-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3937-2/"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [10/13] - /httpd/site/trunk/content/security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache HTTP Server",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "2.0.23 to 2.0.65"
},
{
"status": "affected",
"version": "2.2.0 to 2.2.34"
},
{
"status": "affected",
"version": "2.4.0 to 2.4.29"
}
]
}
],
"datePublic": "2018-03-23T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user\u0027s credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, \u0027en-US\u0027 is truncated to \u0027en\u0027). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Out of bound write in mod_authnz_ldap when using too small Accept-Language values.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-06T10:11:28",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "USN-3627-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3627-1/"
},
{
"name": "103512",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103512"
},
{
"name": "DSA-4164",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4164"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20180601-0004/"
},
{
"name": "RHSA-2018:3558",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3558"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03909en_us"
},
{
"name": "RHSA-2019:0367",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0367"
},
{
"name": "USN-3627-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3627-2/"
},
{
"name": "[oss-security] 20180323 CVE-2017-15710: Out of bound write in mod_authnz_ldap when using too small Accept-Language values",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2018/03/24/8"
},
{
"name": "1040569",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1040569"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "[debian-lts-announce] 20180530 [SECURITY] [DLA 1389-1] apache2 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/05/msg00020.html"
},
{
"name": "RHSA-2019:0366",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0366"
},
{
"name": "USN-3937-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3937-2/"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [10/13] - /httpd/site/trunk/content/security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-03-23T00:00:00",
"ID": "CVE-2017-15710",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache HTTP Server",
"version": {
"version_data": [
{
"version_value": "2.0.23 to 2.0.65"
},
{
"version_value": "2.2.0 to 2.2.34"
},
{
"version_value": "2.4.0 to 2.4.29"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user\u0027s credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, \u0027en-US\u0027 is truncated to \u0027en\u0027). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Out of bound write in mod_authnz_ldap when using too small Accept-Language values."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "USN-3627-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3627-1/"
},
{
"name": "103512",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103512"
},
{
"name": "DSA-4164",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4164"
},
{
"name": "https://security.netapp.com/advisory/ntap-20180601-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20180601-0004/"
},
{
"name": "RHSA-2018:3558",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3558"
},
{
"name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03909en_us",
"refsource": "CONFIRM",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03909en_us"
},
{
"name": "RHSA-2019:0367",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:0367"
},
{
"name": "USN-3627-2",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3627-2/"
},
{
"name": "[oss-security] 20180323 CVE-2017-15710: Out of bound write in mod_authnz_ldap when using too small Accept-Language values",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2018/03/24/8"
},
{
"name": "1040569",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1040569"
},
{
"name": "https://httpd.apache.org/security/vulnerabilities_24.html",
"refsource": "CONFIRM",
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "[debian-lts-announce] 20180530 [SECURITY] [DLA 1389-1] apache2 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2018/05/msg00020.html"
},
{
"name": "RHSA-2019:0366",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:0366"
},
{
"name": "USN-3937-2",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3937-2/"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "https://www.tenable.com/security/tns-2019-09",
"refsource": "CONFIRM",
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [10/13] - /httpd/site/trunk/content/security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3Ccvs.httpd.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-15710",
"datePublished": "2018-03-26T15:00:00Z",
"dateReserved": "2017-10-21T00:00:00",
"dateUpdated": "2024-09-17T03:37:24.707Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-3450
Vulnerability from cvelistv5
Published
2021-03-25 14:25
Modified
2024-09-17 03:07
Severity ?
EPSS score ?
Summary
CA certificate check bypass with X509_V_FLAG_X509_STRICT
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T16:53:17.644Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.openssl.org/news/secadv/20210325.txt"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b"
},
{
"name": "20210325 Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2021",
"tags": [
"vendor-advisory",
"x_refsource_CISCO",
"x_transferred"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd"
},
{
"name": "[oss-security] 20210327 OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/03/27/1"
},
{
"name": "[oss-security] 20210327 Re: OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/03/27/2"
},
{
"name": "[oss-security] 20210328 Re: OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/03/28/3"
},
{
"name": "[oss-security] 20210328 Re: OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/03/28/4"
},
{
"name": "GLSA-202103-03",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202103-03"
},
{
"name": "FEDORA-2021-cbf14ab8f9",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2021-09"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210326-0006/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2021-05"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10356"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2021-08"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OpenSSL",
"vendor": "OpenSSL",
"versions": [
{
"status": "affected",
"version": "Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j)"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Benjamin Kaduk (Akamai), Xiang Ding (Akamai), others at Akamai"
}
],
"datePublic": "2021-03-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a \"purpose\" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named \"purpose\" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j)."
}
],
"metrics": [
{
"other": {
"content": {
"lang": "eng",
"url": "https://www.openssl.org/policies/secpolicy.html#High",
"value": "High"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Invalid Certificate Verification",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:35:11",
"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"shortName": "openssl"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.openssl.org/news/secadv/20210325.txt"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b"
},
{
"name": "20210325 Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2021",
"tags": [
"vendor-advisory",
"x_refsource_CISCO"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd"
},
{
"name": "[oss-security] 20210327 OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/03/27/1"
},
{
"name": "[oss-security] 20210327 Re: OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/03/27/2"
},
{
"name": "[oss-security] 20210328 Re: OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/03/28/3"
},
{
"name": "[oss-security] 20210328 Re: OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/03/28/4"
},
{
"name": "GLSA-202103-03",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202103-03"
},
{
"name": "FEDORA-2021-cbf14ab8f9",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.tenable.com/security/tns-2021-09"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210326-0006/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.tenable.com/security/tns-2021-05"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10356"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.tenable.com/security/tns-2021-08"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CA certificate check bypass with X509_V_FLAG_X509_STRICT",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "openssl-security@openssl.org",
"DATE_PUBLIC": "2021-03-25",
"ID": "CVE-2021-3450",
"STATE": "PUBLIC",
"TITLE": "CA certificate check bypass with X509_V_FLAG_X509_STRICT"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OpenSSL",
"version": {
"version_data": [
{
"version_value": "Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j)"
}
]
}
}
]
},
"vendor_name": "OpenSSL"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Benjamin Kaduk (Akamai), Xiang Ding (Akamai), others at Akamai"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a \"purpose\" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named \"purpose\" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j)."
}
]
},
"impact": [
{
"lang": "eng",
"url": "https://www.openssl.org/policies/secpolicy.html#High",
"value": "High"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Invalid Certificate Verification"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.openssl.org/news/secadv/20210325.txt",
"refsource": "CONFIRM",
"url": "https://www.openssl.org/news/secadv/20210325.txt"
},
{
"name": "https://www.openssl.org/news/secadv/20210325.txt",
"refsource": "CONFIRM",
"url": "https://www.openssl.org/news/secadv/20210325.txt"
},
{
"name": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b",
"refsource": "CONFIRM",
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b"
},
{
"name": "20210325 Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2021",
"refsource": "CISCO",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd"
},
{
"name": "[oss-security] 20210327 OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/03/27/1"
},
{
"name": "[oss-security] 20210327 Re: OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/03/27/2"
},
{
"name": "[oss-security] 20210328 Re: OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/03/28/3"
},
{
"name": "[oss-security] 20210328 Re: OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/03/28/4"
},
{
"name": "GLSA-202103-03",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202103-03"
},
{
"name": "FEDORA-2021-cbf14ab8f9",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://www.tenable.com/security/tns-2021-09",
"refsource": "CONFIRM",
"url": "https://www.tenable.com/security/tns-2021-09"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210326-0006/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210326-0006/"
},
{
"name": "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc",
"refsource": "MISC",
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc"
},
{
"name": "https://www.tenable.com/security/tns-2021-05",
"refsource": "CONFIRM",
"url": "https://www.tenable.com/security/tns-2021-05"
},
{
"name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10356",
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10356"
},
{
"name": "https://www.tenable.com/security/tns-2021-08",
"refsource": "CONFIRM",
"url": "https://www.tenable.com/security/tns-2021-08"
},
{
"name": "https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html",
"refsource": "MISC",
"url": "https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845",
"refsource": "CONFIRM",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845"
},
{
"name": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013",
"refsource": "CONFIRM",
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
"refsource": "CONFIRM",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"assignerShortName": "openssl",
"cveId": "CVE-2021-3450",
"datePublished": "2021-03-25T14:25:14.287899Z",
"dateReserved": "2021-03-19T00:00:00",
"dateUpdated": "2024-09-17T03:07:10.879Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-3115
Vulnerability from cvelistv5
Published
2021-01-26 02:14
Modified
2024-08-03 16:45
Severity ?
EPSS score ?
Summary
Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).
References
| ▼ | URL | Tags |
|---|---|---|
| https://groups.google.com/g/golang-announce/c/mperVMGa98w | x_refsource_CONFIRM | |
| https://blog.golang.org/path-security | x_refsource_CONFIRM | |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/ | vendor-advisory, x_refsource_FEDORA | |
| https://security.netapp.com/advisory/ntap-20210219-0001/ | x_refsource_CONFIRM | |
| https://security.gentoo.org/glsa/202208-02 | vendor-advisory, x_refsource_GENTOO |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T16:45:51.223Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce/c/mperVMGa98w"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.golang.org/path-security"
},
{
"name": "FEDORA-2021-e435a8bb88",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210219-0001/"
},
{
"name": "GLSA-202208-02",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202208-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the \"go get\" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-04T15:09:52",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://groups.google.com/g/golang-announce/c/mperVMGa98w"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.golang.org/path-security"
},
{
"name": "FEDORA-2021-e435a8bb88",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210219-0001/"
},
{
"name": "GLSA-202208-02",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202208-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-3115",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the \"go get\" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://groups.google.com/g/golang-announce/c/mperVMGa98w",
"refsource": "CONFIRM",
"url": "https://groups.google.com/g/golang-announce/c/mperVMGa98w"
},
{
"name": "https://blog.golang.org/path-security",
"refsource": "CONFIRM",
"url": "https://blog.golang.org/path-security"
},
{
"name": "FEDORA-2021-e435a8bb88",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210219-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210219-0001/"
},
{
"name": "GLSA-202208-02",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202208-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-3115",
"datePublished": "2021-01-26T02:14:51",
"dateReserved": "2021-01-11T00:00:00",
"dateUpdated": "2024-08-03T16:45:51.223Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-14556
Vulnerability from cvelistv5
Published
2020-07-15 17:34
Modified
2024-09-27 18:41
Severity ?
EPSS score ?
Summary
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Oracle Corporation | Java |
Version: Java SE: 8u251, 11.0.7, 14.0.1 Version: Java SE Embedded: 8u251 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:46:34.700Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200717-0005/"
},
{
"name": "FEDORA-2020-e418151dc3",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/"
},
{
"name": "FEDORA-2020-5d0b4a2b5b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QQUMIAON2YEFRONMIUVHAKYCIOLICDBA/"
},
{
"name": "USN-4433-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4433-1/"
},
{
"name": "DSA-4734",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4734"
},
{
"name": "FEDORA-2020-508df53719",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/"
},
{
"name": "FEDORA-2020-93cc9c3ef2",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MEPHBZPNSLX43B26DWKB7OS6AROTS2BO/"
},
{
"name": "openSUSE-SU-2020:1175",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00019.html"
},
{
"name": "openSUSE-SU-2020:1191",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00027.html"
},
{
"name": "[debian-lts-announce] 20200813 [SECURITY] [DLA 2325-1] openjdk-8 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html"
},
{
"name": "USN-4453-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4453-1/"
},
{
"name": "GLSA-202008-24",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202008-24"
},
{
"name": "openSUSE-SU-2020:1893",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-14556",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-27T17:59:18.810625Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T18:41:03.969Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Java",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "Java SE: 8u251, 11.0.7, 14.0.1"
},
{
"status": "affected",
"version": "Java SE Embedded: 8u251"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-25T15:06:26",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200717-0005/"
},
{
"name": "FEDORA-2020-e418151dc3",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/"
},
{
"name": "FEDORA-2020-5d0b4a2b5b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QQUMIAON2YEFRONMIUVHAKYCIOLICDBA/"
},
{
"name": "USN-4433-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4433-1/"
},
{
"name": "DSA-4734",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4734"
},
{
"name": "FEDORA-2020-508df53719",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/"
},
{
"name": "FEDORA-2020-93cc9c3ef2",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MEPHBZPNSLX43B26DWKB7OS6AROTS2BO/"
},
{
"name": "openSUSE-SU-2020:1175",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00019.html"
},
{
"name": "openSUSE-SU-2020:1191",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00027.html"
},
{
"name": "[debian-lts-announce] 20200813 [SECURITY] [DLA 2325-1] openjdk-8 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html"
},
{
"name": "USN-4453-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4453-1/"
},
{
"name": "GLSA-202008-24",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202008-24"
},
{
"name": "openSUSE-SU-2020:1893",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2020-14556",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Java",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "Java SE: 8u251, 11.0.7, 14.0.1"
},
{
"version_affected": "=",
"version_value": "Java SE Embedded: 8u251"
}
]
}
}
]
},
"vendor_name": "Oracle Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)."
}
]
},
"impact": {
"cvss": {
"baseScore": "4.8",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.oracle.com/security-alerts/cpujul2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200717-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200717-0005/"
},
{
"name": "FEDORA-2020-e418151dc3",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/"
},
{
"name": "FEDORA-2020-5d0b4a2b5b",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QQUMIAON2YEFRONMIUVHAKYCIOLICDBA/"
},
{
"name": "USN-4433-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4433-1/"
},
{
"name": "DSA-4734",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4734"
},
{
"name": "FEDORA-2020-508df53719",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/"
},
{
"name": "FEDORA-2020-93cc9c3ef2",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEPHBZPNSLX43B26DWKB7OS6AROTS2BO/"
},
{
"name": "openSUSE-SU-2020:1175",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00019.html"
},
{
"name": "openSUSE-SU-2020:1191",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00027.html"
},
{
"name": "[debian-lts-announce] 20200813 [SECURITY] [DLA 2325-1] openjdk-8 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html"
},
{
"name": "USN-4453-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4453-1/"
},
{
"name": "GLSA-202008-24",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202008-24"
},
{
"name": "openSUSE-SU-2020:1893",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html"
},
{
"name": "GLSA-202209-15",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202209-15"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2020-14556",
"datePublished": "2020-07-15T17:34:27",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-09-27T18:41:03.969Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-40438
Vulnerability from cvelistv5
Published
2021-09-16 14:40
Modified
2024-08-04 02:44
Severity ?
EPSS score ?
Summary
mod_proxy SSRF
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache HTTP Server |
Version: Apache HTTP Server 2.4 < |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:44:10.131Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "FEDORA-2021-dce7e7738e",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/"
},
{
"name": "[httpd-users] 20210923 [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 Re: [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 Re: [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "FEDORA-2021-e3f6dd670d",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/"
},
{
"name": "[debian-lts-announce] 20211002 [SECURITY] [DLA 2776-1] apache2 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00001.html"
},
{
"name": "[httpd-bugs] 20211008 [Bug 65616] CVE-2021-36160 regression",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37%40%3Cbugs.httpd.apache.org%3E"
},
{
"name": "DSA-4982",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4982"
},
{
"name": "[httpd-users] 20211019 [users@httpd] Regarding CVE-2021-40438",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r210807d0bb55f4aa6fbe1512be6bcc4dacd64e84940429fba329967a%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20211019 Re: [users@httpd] Regarding CVE-2021-40438",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf6954e60b1c8e480678ce3d02f61b8a788997785652e9557a3265c00%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "20211124 Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021",
"tags": [
"vendor-advisory",
"x_refsource_CISCO",
"x_transferred"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2021-17"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20211008-0004/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdf"
},
{
"name": "GLSA-202208-20",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202208-20"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache HTTP Server",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.4.48",
"status": "affected",
"version": "Apache HTTP Server 2.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "The issue was discovered by the Apache HTTP security team while analysing CVE-2021-36160"
}
],
"descriptions": [
{
"lang": "en",
"value": "A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier."
}
],
"metrics": [
{
"other": {
"content": {
"other": "high"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-14T01:07:57",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "FEDORA-2021-dce7e7738e",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/"
},
{
"name": "[httpd-users] 20210923 [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 Re: [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 Re: [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "FEDORA-2021-e3f6dd670d",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/"
},
{
"name": "[debian-lts-announce] 20211002 [SECURITY] [DLA 2776-1] apache2 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00001.html"
},
{
"name": "[httpd-bugs] 20211008 [Bug 65616] CVE-2021-36160 regression",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37%40%3Cbugs.httpd.apache.org%3E"
},
{
"name": "DSA-4982",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4982"
},
{
"name": "[httpd-users] 20211019 [users@httpd] Regarding CVE-2021-40438",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r210807d0bb55f4aa6fbe1512be6bcc4dacd64e84940429fba329967a%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20211019 Re: [users@httpd] Regarding CVE-2021-40438",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf6954e60b1c8e480678ce3d02f61b8a788997785652e9557a3265c00%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "20211124 Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021",
"tags": [
"vendor-advisory",
"x_refsource_CISCO"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.tenable.com/security/tns-2021-17"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20211008-0004/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdf"
},
{
"name": "GLSA-202208-20",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202208-20"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2021-09-16T00:00:00",
"value": "2.4.49 released"
}
],
"title": "mod_proxy SSRF",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-40438",
"STATE": "PUBLIC",
"TITLE": "mod_proxy SSRF"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache HTTP Server",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "Apache HTTP Server 2.4",
"version_value": "2.4.48"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "The issue was discovered by the Apache HTTP security team while analysing CVE-2021-36160"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "high"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918 Server Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://httpd.apache.org/security/vulnerabilities_24.html",
"refsource": "MISC",
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "FEDORA-2021-dce7e7738e",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/"
},
{
"name": "[httpd-users] 20210923 [users@httpd] 2.4.49 security fixes: more info",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697@%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 Re: [users@httpd] 2.4.49 security fixes: more info",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029@%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432@%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 Re: [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c@%3Cusers.httpd.apache.org%3E"
},
{
"name": "FEDORA-2021-e3f6dd670d",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/"
},
{
"name": "[debian-lts-announce] 20211002 [SECURITY] [DLA 2776-1] apache2 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00001.html"
},
{
"name": "[httpd-bugs] 20211008 [Bug 65616] CVE-2021-36160 regression",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37@%3Cbugs.httpd.apache.org%3E"
},
{
"name": "DSA-4982",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4982"
},
{
"name": "[httpd-users] 20211019 [users@httpd] Regarding CVE-2021-40438",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r210807d0bb55f4aa6fbe1512be6bcc4dacd64e84940429fba329967a@%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20211019 Re: [users@httpd] Regarding CVE-2021-40438",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf6954e60b1c8e480678ce3d02f61b8a788997785652e9557a3265c00@%3Cusers.httpd.apache.org%3E"
},
{
"name": "20211124 Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021",
"refsource": "CISCO",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.tenable.com/security/tns-2021-17",
"refsource": "CONFIRM",
"url": "https://www.tenable.com/security/tns-2021-17"
},
{
"name": "https://security.netapp.com/advisory/ntap-20211008-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20211008-0004/"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdf",
"refsource": "CONFIRM",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdf"
},
{
"name": "GLSA-202208-20",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202208-20"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2021-09-16T00:00:00",
"value": "2.4.49 released"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-40438",
"datePublished": "2021-09-16T14:40:23",
"dateReserved": "2021-09-02T00:00:00",
"dateUpdated": "2024-08-04T02:44:10.131Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-34558
Vulnerability from cvelistv5
Published
2021-07-15 13:47
Modified
2024-08-04 00:12
Severity ?
EPSS score ?
Summary
The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:12:50.360Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://golang.org/doc/devel/release#go1.16.minor"
},
{
"name": "FEDORA-2021-25c0011e78",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D7FRFM7WWR2JCT6NORQ7AO6B453OMI3I/"
},
{
"name": "FEDORA-2021-1bfb61f77c",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3BA7MFVXRBEKRTLSLYDICTYCGEMK2HZ7/"
},
{
"name": "FEDORA-2021-3a55403080",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JYIUSR4YP52PWG7YE7AA3DZ5OSURNFJB/"
},
{
"name": "FEDORA-2021-47d259d3cf",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXJ2MVMAHOIGRH37ZSFYC4EVWLJFL2EQ/"
},
{
"name": "FEDORA-2021-6ac9b98f9e",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBMLUQMN6XRKPVOI5XFFBP4XSR7RNTYR/"
},
{
"name": "FEDORA-2021-07e4d20196",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3XBQUFVI5TMV4KMKI7GKA223LHGPQISE/"
},
{
"name": "FEDORA-2021-ffa749f7f7",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6BTC3JQUASFN5U2XA4UZIGAPZQBD5JSS/"
},
{
"name": "FEDORA-2021-54f88bebd4",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITRXPCHUCJGXCX2CUEPKZRRTB27GG4ZB/"
},
{
"name": "FEDORA-2021-c35235c250",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NLOGBB7XBBRB3J5FDPW5KWHSH7IRF64W/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce/c/n9FxMelZGAQ"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210813-0005/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "GLSA-202208-02",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202208-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-04T15:10:07",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://groups.google.com/g/golang-announce"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://golang.org/doc/devel/release#go1.16.minor"
},
{
"name": "FEDORA-2021-25c0011e78",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D7FRFM7WWR2JCT6NORQ7AO6B453OMI3I/"
},
{
"name": "FEDORA-2021-1bfb61f77c",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3BA7MFVXRBEKRTLSLYDICTYCGEMK2HZ7/"
},
{
"name": "FEDORA-2021-3a55403080",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JYIUSR4YP52PWG7YE7AA3DZ5OSURNFJB/"
},
{
"name": "FEDORA-2021-47d259d3cf",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXJ2MVMAHOIGRH37ZSFYC4EVWLJFL2EQ/"
},
{
"name": "FEDORA-2021-6ac9b98f9e",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBMLUQMN6XRKPVOI5XFFBP4XSR7RNTYR/"
},
{
"name": "FEDORA-2021-07e4d20196",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3XBQUFVI5TMV4KMKI7GKA223LHGPQISE/"
},
{
"name": "FEDORA-2021-ffa749f7f7",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6BTC3JQUASFN5U2XA4UZIGAPZQBD5JSS/"
},
{
"name": "FEDORA-2021-54f88bebd4",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITRXPCHUCJGXCX2CUEPKZRRTB27GG4ZB/"
},
{
"name": "FEDORA-2021-c35235c250",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NLOGBB7XBBRB3J5FDPW5KWHSH7IRF64W/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://groups.google.com/g/golang-announce/c/n9FxMelZGAQ"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210813-0005/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "GLSA-202208-02",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202208-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-34558",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://groups.google.com/g/golang-announce",
"refsource": "MISC",
"url": "https://groups.google.com/g/golang-announce"
},
{
"name": "https://golang.org/doc/devel/release#go1.16.minor",
"refsource": "MISC",
"url": "https://golang.org/doc/devel/release#go1.16.minor"
},
{
"name": "FEDORA-2021-25c0011e78",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D7FRFM7WWR2JCT6NORQ7AO6B453OMI3I/"
},
{
"name": "FEDORA-2021-1bfb61f77c",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3BA7MFVXRBEKRTLSLYDICTYCGEMK2HZ7/"
},
{
"name": "FEDORA-2021-3a55403080",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JYIUSR4YP52PWG7YE7AA3DZ5OSURNFJB/"
},
{
"name": "FEDORA-2021-47d259d3cf",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WXJ2MVMAHOIGRH37ZSFYC4EVWLJFL2EQ/"
},
{
"name": "FEDORA-2021-6ac9b98f9e",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LBMLUQMN6XRKPVOI5XFFBP4XSR7RNTYR/"
},
{
"name": "FEDORA-2021-07e4d20196",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3XBQUFVI5TMV4KMKI7GKA223LHGPQISE/"
},
{
"name": "FEDORA-2021-ffa749f7f7",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6BTC3JQUASFN5U2XA4UZIGAPZQBD5JSS/"
},
{
"name": "FEDORA-2021-54f88bebd4",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITRXPCHUCJGXCX2CUEPKZRRTB27GG4ZB/"
},
{
"name": "FEDORA-2021-c35235c250",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NLOGBB7XBBRB3J5FDPW5KWHSH7IRF64W/"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://groups.google.com/g/golang-announce/c/n9FxMelZGAQ",
"refsource": "MISC",
"url": "https://groups.google.com/g/golang-announce/c/n9FxMelZGAQ"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210813-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210813-0005/"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "GLSA-202208-02",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202208-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-34558",
"datePublished": "2021-07-15T13:47:36",
"dateReserved": "2021-06-10T00:00:00",
"dateUpdated": "2024-08-04T00:12:50.360Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-14577
Vulnerability from cvelistv5
Published
2020-07-15 17:34
Modified
2024-09-27 18:38
Severity ?
EPSS score ?
Summary
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Oracle Corporation | Java |
Version: Java SE: 7u261, 8u251, 11.0.7, 14.0.1 Version: Java SE Embedded: 8u251 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:46:34.986Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200717-0005/"
},
{
"name": "FEDORA-2020-e418151dc3",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/"
},
{
"name": "FEDORA-2020-5d0b4a2b5b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QQUMIAON2YEFRONMIUVHAKYCIOLICDBA/"
},
{
"name": "USN-4433-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4433-1/"
},
{
"name": "DSA-4734",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4734"
},
{
"name": "FEDORA-2020-508df53719",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/"
},
{
"name": "FEDORA-2020-93cc9c3ef2",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MEPHBZPNSLX43B26DWKB7OS6AROTS2BO/"
},
{
"name": "openSUSE-SU-2020:1175",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00019.html"
},
{
"name": "openSUSE-SU-2020:1191",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00027.html"
},
{
"name": "[debian-lts-announce] 20200813 [SECURITY] [DLA 2325-1] openjdk-8 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html"
},
{
"name": "USN-4453-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4453-1/"
},
{
"name": "openSUSE-SU-2020:1893",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-14577",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-27T17:58:56.789755Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T18:38:12.047Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Java",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "Java SE: 7u261, 8u251, 11.0.7, 14.0.1"
},
{
"status": "affected",
"version": "Java SE Embedded: 8u251"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-25T15:06:41",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200717-0005/"
},
{
"name": "FEDORA-2020-e418151dc3",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/"
},
{
"name": "FEDORA-2020-5d0b4a2b5b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QQUMIAON2YEFRONMIUVHAKYCIOLICDBA/"
},
{
"name": "USN-4433-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4433-1/"
},
{
"name": "DSA-4734",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4734"
},
{
"name": "FEDORA-2020-508df53719",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/"
},
{
"name": "FEDORA-2020-93cc9c3ef2",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MEPHBZPNSLX43B26DWKB7OS6AROTS2BO/"
},
{
"name": "openSUSE-SU-2020:1175",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00019.html"
},
{
"name": "openSUSE-SU-2020:1191",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00027.html"
},
{
"name": "[debian-lts-announce] 20200813 [SECURITY] [DLA 2325-1] openjdk-8 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html"
},
{
"name": "USN-4453-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4453-1/"
},
{
"name": "openSUSE-SU-2020:1893",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2020-14577",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Java",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "Java SE: 7u261, 8u251, 11.0.7, 14.0.1"
},
{
"version_affected": "=",
"version_value": "Java SE Embedded: 8u251"
}
]
}
}
]
},
"vendor_name": "Oracle Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)."
}
]
},
"impact": {
"cvss": {
"baseScore": "3.7",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.oracle.com/security-alerts/cpujul2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200717-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200717-0005/"
},
{
"name": "FEDORA-2020-e418151dc3",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/"
},
{
"name": "FEDORA-2020-5d0b4a2b5b",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QQUMIAON2YEFRONMIUVHAKYCIOLICDBA/"
},
{
"name": "USN-4433-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4433-1/"
},
{
"name": "DSA-4734",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4734"
},
{
"name": "FEDORA-2020-508df53719",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/"
},
{
"name": "FEDORA-2020-93cc9c3ef2",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEPHBZPNSLX43B26DWKB7OS6AROTS2BO/"
},
{
"name": "openSUSE-SU-2020:1175",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00019.html"
},
{
"name": "openSUSE-SU-2020:1191",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00027.html"
},
{
"name": "[debian-lts-announce] 20200813 [SECURITY] [DLA 2325-1] openjdk-8 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html"
},
{
"name": "USN-4453-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4453-1/"
},
{
"name": "openSUSE-SU-2020:1893",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html"
},
{
"name": "GLSA-202209-15",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202209-15"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2020-14577",
"datePublished": "2020-07-15T17:34:28",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-09-27T18:38:12.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-2773
Vulnerability from cvelistv5
Published
2020-04-15 13:29
Modified
2024-09-30 15:39
Severity ?
EPSS score ?
Summary
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Oracle Corporation | Java |
Version: Java SE: 7u251, 8u241, 11.0.6, 14 Version: Java SE Embedded: 8u241 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:17:02.372Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "[debian-lts-announce] 20200429 [SECURITY] [DLA 2193-1] openjdk-7 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html"
},
{
"name": "DSA-4668",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4668"
},
{
"name": "FEDORA-2020-5386fe3bbb",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/"
},
{
"name": "FEDORA-2020-21ca991b3b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/"
},
{
"name": "FEDORA-2020-a60ad9d4ec",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/"
},
{
"name": "openSUSE-SU-2020:0757",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"name": "openSUSE-SU-2020:0800",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"name": "GLSA-202006-22",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202006-22"
},
{
"name": "openSUSE-SU-2020:0841",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-2773",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-30T14:59:40.704407Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T15:39:10.475Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Java",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "Java SE: 7u251, 8u241, 11.0.6, 14"
},
{
"status": "affected",
"version": "Java SE Embedded: 8u241"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-25T15:06:54",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "[debian-lts-announce] 20200429 [SECURITY] [DLA 2193-1] openjdk-7 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html"
},
{
"name": "DSA-4668",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4668"
},
{
"name": "FEDORA-2020-5386fe3bbb",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/"
},
{
"name": "FEDORA-2020-21ca991b3b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/"
},
{
"name": "FEDORA-2020-a60ad9d4ec",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/"
},
{
"name": "openSUSE-SU-2020:0757",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"name": "openSUSE-SU-2020:0800",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"name": "GLSA-202006-22",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202006-22"
},
{
"name": "openSUSE-SU-2020:0841",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2020-2773",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Java",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "Java SE: 7u251, 8u241, 11.0.6, 14"
},
{
"version_affected": "=",
"version_value": "Java SE Embedded: 8u241"
}
]
}
}
]
},
"vendor_name": "Oracle Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)."
}
]
},
"impact": {
"cvss": {
"baseScore": "3.7",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200416-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "[debian-lts-announce] 20200429 [SECURITY] [DLA 2193-1] openjdk-7 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html"
},
{
"name": "DSA-4668",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4668"
},
{
"name": "FEDORA-2020-5386fe3bbb",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/"
},
{
"name": "FEDORA-2020-21ca991b3b",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/"
},
{
"name": "FEDORA-2020-a60ad9d4ec",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/"
},
{
"name": "openSUSE-SU-2020:0757",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"name": "openSUSE-SU-2020:0800",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"name": "GLSA-202006-22",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202006-22"
},
{
"name": "openSUSE-SU-2020:0841",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332",
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
},
{
"name": "GLSA-202209-15",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202209-15"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2020-2773",
"datePublished": "2020-04-15T13:29:45",
"dateReserved": "2019-12-10T00:00:00",
"dateUpdated": "2024-09-30T15:39:10.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-23238
Vulnerability from cvelistv5
Published
2022-08-09 20:18
Modified
2024-08-03 03:36
Severity ?
EPSS score ?
Summary
Linux deployments of StorageGRID (formerly StorageGRID Webscale) versions 11.6.0 through 11.6.0.2 deployed with a Linux kernel version less than 4.7.0 are susceptible to a vulnerability which could allow a remote unauthenticated attacker to view limited metrics information and modify alert email recipients and content.
References
| ▼ | URL | Tags |
|---|---|---|
| https://security.netapp.com/advisory/NTAP-20220808-0001/ | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | n/a | StorageGRID (formerly StorageGRID Webscale) |
Version: 11.6.0 through 11.6.0.2 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:36:20.162Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/NTAP-20220808-0001/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "StorageGRID (formerly StorageGRID Webscale)",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "11.6.0 through 11.6.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Linux deployments of StorageGRID (formerly StorageGRID Webscale) versions 11.6.0 through 11.6.0.2 deployed with a Linux kernel version less than 4.7.0 are susceptible to a vulnerability which could allow a remote unauthenticated attacker to view limited metrics information and modify alert email recipients and content."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Access Control",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-09T20:18:39",
"orgId": "11fdca00-0482-4c88-a206-37f9c182c87d",
"shortName": "netapp"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.netapp.com/advisory/NTAP-20220808-0001/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-alert@netapp.com",
"ID": "CVE-2022-23238",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "StorageGRID (formerly StorageGRID Webscale)",
"version": {
"version_data": [
{
"version_value": "11.6.0 through 11.6.0.2"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Linux deployments of StorageGRID (formerly StorageGRID Webscale) versions 11.6.0 through 11.6.0.2 deployed with a Linux kernel version less than 4.7.0 are susceptible to a vulnerability which could allow a remote unauthenticated attacker to view limited metrics information and modify alert email recipients and content."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security.netapp.com/advisory/NTAP-20220808-0001/",
"refsource": "MISC",
"url": "https://security.netapp.com/advisory/NTAP-20220808-0001/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "11fdca00-0482-4c88-a206-37f9c182c87d",
"assignerShortName": "netapp",
"cveId": "CVE-2022-23238",
"datePublished": "2022-08-09T20:18:39",
"dateReserved": "2022-01-14T00:00:00",
"dateUpdated": "2024-08-03T03:36:20.162Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-1301
Vulnerability from cvelistv5
Published
2018-03-26 15:00
Modified
2024-09-16 17:22
Severity ?
EPSS score ?
Summary
A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is classified as low risk for common server usage.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache HTTP Server |
Version: 2.2.0 to 2.4.29 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:59:37.954Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "USN-3627-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3627-1/"
},
{
"name": "103515",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103515"
},
{
"name": "[oss-security] 20180323 CVE-2018-1301: Possible out of bound access after failure in reading the HTTP request",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2018/03/24/2"
},
{
"name": "DSA-4164",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4164"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20180601-0004/"
},
{
"name": "RHSA-2018:3558",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3558"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03909en_us"
},
{
"name": "RHSA-2019:0367",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0367"
},
{
"name": "USN-3627-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3627-2/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "[debian-lts-announce] 20180530 [SECURITY] [DLA 1389-1] apache2 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/05/msg00020.html"
},
{
"name": "RHSA-2019:0366",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0366"
},
{
"name": "1040573",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1040573"
},
{
"name": "USN-3937-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3937-2/"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [11/13] - /httpd/site/trunk/content/security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210603 svn commit: r1075360 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache HTTP Server",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "2.2.0 to 2.4.29"
}
]
}
],
"datePublic": "2018-03-23T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is classified as low risk for common server usage."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Possible out of bound access after failure in reading the HTTP request",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-06T10:11:15",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "USN-3627-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3627-1/"
},
{
"name": "103515",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103515"
},
{
"name": "[oss-security] 20180323 CVE-2018-1301: Possible out of bound access after failure in reading the HTTP request",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2018/03/24/2"
},
{
"name": "DSA-4164",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4164"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20180601-0004/"
},
{
"name": "RHSA-2018:3558",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3558"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03909en_us"
},
{
"name": "RHSA-2019:0367",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0367"
},
{
"name": "USN-3627-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3627-2/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "[debian-lts-announce] 20180530 [SECURITY] [DLA 1389-1] apache2 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/05/msg00020.html"
},
{
"name": "RHSA-2019:0366",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0366"
},
{
"name": "1040573",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1040573"
},
{
"name": "USN-3937-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3937-2/"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [11/13] - /httpd/site/trunk/content/security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210603 svn commit: r1075360 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-03-23T00:00:00",
"ID": "CVE-2018-1301",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache HTTP Server",
"version": {
"version_data": [
{
"version_value": "2.2.0 to 2.4.29"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is classified as low risk for common server usage."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Possible out of bound access after failure in reading the HTTP request"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "USN-3627-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3627-1/"
},
{
"name": "103515",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103515"
},
{
"name": "[oss-security] 20180323 CVE-2018-1301: Possible out of bound access after failure in reading the HTTP request",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2018/03/24/2"
},
{
"name": "DSA-4164",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4164"
},
{
"name": "https://security.netapp.com/advisory/ntap-20180601-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20180601-0004/"
},
{
"name": "RHSA-2018:3558",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3558"
},
{
"name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03909en_us",
"refsource": "CONFIRM",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03909en_us"
},
{
"name": "RHSA-2019:0367",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:0367"
},
{
"name": "USN-3627-2",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3627-2/"
},
{
"name": "https://httpd.apache.org/security/vulnerabilities_24.html",
"refsource": "CONFIRM",
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "[debian-lts-announce] 20180530 [SECURITY] [DLA 1389-1] apache2 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2018/05/msg00020.html"
},
{
"name": "RHSA-2019:0366",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:0366"
},
{
"name": "1040573",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1040573"
},
{
"name": "USN-3937-2",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3937-2/"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "https://www.tenable.com/security/tns-2019-09",
"refsource": "CONFIRM",
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [11/13] - /httpd/site/trunk/content/security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210603 svn commit: r1075360 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3Ccvs.httpd.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-1301",
"datePublished": "2018-03-26T15:00:00Z",
"dateReserved": "2017-12-07T00:00:00",
"dateUpdated": "2024-09-16T17:22:56.161Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-14593
Vulnerability from cvelistv5
Published
2020-07-15 17:34
Modified
2024-09-27 18:35
Severity ?
EPSS score ?
Summary
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Oracle Corporation | Java |
Version: Java SE: 7u261, 8u251, 11.0.7, 14.0.1 Version: Java SE Embedded: 8u251 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:53:42.576Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200717-0005/"
},
{
"name": "FEDORA-2020-e418151dc3",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/"
},
{
"name": "FEDORA-2020-5d0b4a2b5b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QQUMIAON2YEFRONMIUVHAKYCIOLICDBA/"
},
{
"name": "USN-4433-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4433-1/"
},
{
"name": "DSA-4734",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4734"
},
{
"name": "FEDORA-2020-508df53719",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/"
},
{
"name": "FEDORA-2020-93cc9c3ef2",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MEPHBZPNSLX43B26DWKB7OS6AROTS2BO/"
},
{
"name": "openSUSE-SU-2020:1175",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00019.html"
},
{
"name": "openSUSE-SU-2020:1191",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00027.html"
},
{
"name": "[debian-lts-announce] 20200813 [SECURITY] [DLA 2325-1] openjdk-8 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html"
},
{
"name": "USN-4453-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4453-1/"
},
{
"name": "GLSA-202008-24",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202008-24"
},
{
"name": "openSUSE-SU-2020:1893",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-14593",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-27T17:58:35.278922Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T18:35:33.800Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Java",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "Java SE: 7u261, 8u251, 11.0.7, 14.0.1"
},
{
"status": "affected",
"version": "Java SE Embedded: 8u251"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-25T15:06:43",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200717-0005/"
},
{
"name": "FEDORA-2020-e418151dc3",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/"
},
{
"name": "FEDORA-2020-5d0b4a2b5b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QQUMIAON2YEFRONMIUVHAKYCIOLICDBA/"
},
{
"name": "USN-4433-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4433-1/"
},
{
"name": "DSA-4734",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4734"
},
{
"name": "FEDORA-2020-508df53719",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/"
},
{
"name": "FEDORA-2020-93cc9c3ef2",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MEPHBZPNSLX43B26DWKB7OS6AROTS2BO/"
},
{
"name": "openSUSE-SU-2020:1175",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00019.html"
},
{
"name": "openSUSE-SU-2020:1191",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00027.html"
},
{
"name": "[debian-lts-announce] 20200813 [SECURITY] [DLA 2325-1] openjdk-8 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html"
},
{
"name": "USN-4453-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4453-1/"
},
{
"name": "GLSA-202008-24",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202008-24"
},
{
"name": "openSUSE-SU-2020:1893",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2020-14593",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Java",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "Java SE: 7u261, 8u251, 11.0.7, 14.0.1"
},
{
"version_affected": "=",
"version_value": "Java SE Embedded: 8u251"
}
]
}
}
]
},
"vendor_name": "Oracle Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)."
}
]
},
"impact": {
"cvss": {
"baseScore": "7.4",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.oracle.com/security-alerts/cpujul2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200717-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200717-0005/"
},
{
"name": "FEDORA-2020-e418151dc3",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/"
},
{
"name": "FEDORA-2020-5d0b4a2b5b",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QQUMIAON2YEFRONMIUVHAKYCIOLICDBA/"
},
{
"name": "USN-4433-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4433-1/"
},
{
"name": "DSA-4734",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4734"
},
{
"name": "FEDORA-2020-508df53719",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/"
},
{
"name": "FEDORA-2020-93cc9c3ef2",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEPHBZPNSLX43B26DWKB7OS6AROTS2BO/"
},
{
"name": "openSUSE-SU-2020:1175",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00019.html"
},
{
"name": "openSUSE-SU-2020:1191",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00027.html"
},
{
"name": "[debian-lts-announce] 20200813 [SECURITY] [DLA 2325-1] openjdk-8 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html"
},
{
"name": "USN-4453-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4453-1/"
},
{
"name": "GLSA-202008-24",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202008-24"
},
{
"name": "openSUSE-SU-2020:1893",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html"
},
{
"name": "GLSA-202209-15",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202209-15"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2020-14593",
"datePublished": "2020-07-15T17:34:29",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-09-27T18:35:33.800Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-1678
Vulnerability from cvelistv5
Published
2022-05-25 14:49
Modified
2024-08-03 00:10
Severity ?
EPSS score ?
Summary
An issue was discovered in the Linux Kernel from 4.18 to 4.19, an improper update of sock reference in TCP pacing can lead to memory/netns leak, which can be used by remote clients.
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.openanolis.cn/show_bug.cgi?id=61 | x_refsource_CONFIRM | |
| https://lore.kernel.org/all/20200602080425.93712-1-kerneljasonxing%40gmail.com/ | x_refsource_MISC | |
| https://github.com/torvalds/linux/commit/0a70f118475e037732557796accd0878a00fc25a | x_refsource_MISC | |
| https://gitee.com/anolis/cloud-kernel/commit/bed537da691b | x_refsource_MISC | |
| https://anas.openanolis.cn/cves/detail/CVE-2022-1678 | x_refsource_MISC | |
| https://anas.openanolis.cn/errata/detail/ANSA-2022:0143 | x_refsource_MISC | |
| https://security.netapp.com/advisory/ntap-20220715-0001/ | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:10:03.820Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=61"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lore.kernel.org/all/20200602080425.93712-1-kerneljasonxing%40gmail.com/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/torvalds/linux/commit/0a70f118475e037732557796accd0878a00fc25a"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gitee.com/anolis/cloud-kernel/commit/bed537da691b"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://anas.openanolis.cn/cves/detail/CVE-2022-1678"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://anas.openanolis.cn/errata/detail/ANSA-2022:0143"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220715-0001/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "kernel",
"vendor": "n/a",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "4.18",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.19",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in the Linux Kernel from 4.18 to 4.19, an improper update of sock reference in TCP pacing can lead to memory/netns leak, which can be used by remote clients."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-911",
"description": "CWE-911 Improper Update of Reference Count",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-15T15:06:58",
"orgId": "cb8f1db9-b4b1-487b-a760-f65c4f368d8e",
"shortName": "Anolis"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=61"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lore.kernel.org/all/20200602080425.93712-1-kerneljasonxing%40gmail.com/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/torvalds/linux/commit/0a70f118475e037732557796accd0878a00fc25a"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gitee.com/anolis/cloud-kernel/commit/bed537da691b"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://anas.openanolis.cn/cves/detail/CVE-2022-1678"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://anas.openanolis.cn/errata/detail/ANSA-2022:0143"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220715-0001/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@openanolis.org",
"ID": "CVE-2022-1678",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "kernel",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "4.18"
},
{
"version_affected": "\u003c=",
"version_value": "4.19"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in the Linux Kernel from 4.18 to 4.19, an improper update of sock reference in TCP pacing can lead to memory/netns leak, which can be used by remote clients."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-911 Improper Update of Reference Count"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.openanolis.cn/show_bug.cgi?id=61",
"refsource": "CONFIRM",
"url": "https://bugzilla.openanolis.cn/show_bug.cgi?id=61"
},
{
"name": "https://lore.kernel.org/all/20200602080425.93712-1-kerneljasonxing@gmail.com/",
"refsource": "MISC",
"url": "https://lore.kernel.org/all/20200602080425.93712-1-kerneljasonxing@gmail.com/"
},
{
"name": "https://github.com/torvalds/linux/commit/0a70f118475e037732557796accd0878a00fc25a",
"refsource": "MISC",
"url": "https://github.com/torvalds/linux/commit/0a70f118475e037732557796accd0878a00fc25a"
},
{
"name": "https://gitee.com/anolis/cloud-kernel/commit/bed537da691b",
"refsource": "MISC",
"url": "https://gitee.com/anolis/cloud-kernel/commit/bed537da691b"
},
{
"name": "https://anas.openanolis.cn/cves/detail/CVE-2022-1678",
"refsource": "MISC",
"url": "https://anas.openanolis.cn/cves/detail/CVE-2022-1678"
},
{
"name": "https://anas.openanolis.cn/errata/detail/ANSA-2022:0143",
"refsource": "MISC",
"url": "https://anas.openanolis.cn/errata/detail/ANSA-2022:0143"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220715-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220715-0001/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cb8f1db9-b4b1-487b-a760-f65c4f368d8e",
"assignerShortName": "Anolis",
"cveId": "CVE-2022-1678",
"datePublished": "2022-05-25T14:49:30",
"dateReserved": "2022-05-12T00:00:00",
"dateUpdated": "2024-08-03T00:10:03.820Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-38734
Vulnerability from cvelistv5
Published
2023-03-02 00:00
Modified
2024-08-03 11:02
Severity ?
EPSS score ?
Summary
StorageGRID (formerly StorageGRID Webscale) versions prior to 11.6.0.8 are susceptible to a Denial of Service (DoS) vulnerability. A successful exploit could lead to to a crash of the Local Distribution Router (LDR) service.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | n/a | Denial of Service Vulnerability in StorageGRID (formerly StorageGRID Webscale) |
Version: prior to 11.6.0.8 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T11:02:14.571Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230228-0001/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Denial of Service Vulnerability in StorageGRID (formerly StorageGRID Webscale)",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "prior to 11.6.0.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "StorageGRID (formerly StorageGRID Webscale) versions prior to 11.6.0.8 are susceptible to a Denial of Service (DoS) vulnerability. A successful exploit could lead to to a crash of the Local Distribution Router (LDR) service."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-02T00:00:00",
"orgId": "11fdca00-0482-4c88-a206-37f9c182c87d",
"shortName": "netapp"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20230228-0001/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "11fdca00-0482-4c88-a206-37f9c182c87d",
"assignerShortName": "netapp",
"cveId": "CVE-2022-38734",
"datePublished": "2023-03-02T00:00:00",
"dateReserved": "2022-08-24T00:00:00",
"dateUpdated": "2024-08-03T11:02:14.571Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-2830
Vulnerability from cvelistv5
Published
2020-04-15 13:29
Modified
2024-09-27 19:06
Severity ?
EPSS score ?
Summary
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Oracle Corporation | Java |
Version: Java SE: 7u251, 8u241, 11.0.6, 14 Version: Java SE Embedded: 8u241 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:17:02.823Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "[debian-lts-announce] 20200429 [SECURITY] [DLA 2193-1] openjdk-7 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html"
},
{
"name": "FEDORA-2020-5386fe3bbb",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/"
},
{
"name": "FEDORA-2020-21ca991b3b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/"
},
{
"name": "FEDORA-2020-a60ad9d4ec",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/"
},
{
"name": "openSUSE-SU-2020:0757",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"name": "openSUSE-SU-2020:0800",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"name": "GLSA-202006-22",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202006-22"
},
{
"name": "openSUSE-SU-2020:0841",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10318"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-2830",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-27T17:53:52.379987Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T19:06:46.444Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Java",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "Java SE: 7u251, 8u241, 11.0.6, 14"
},
{
"status": "affected",
"version": "Java SE Embedded: 8u241"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-09T07:06:10",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "[debian-lts-announce] 20200429 [SECURITY] [DLA 2193-1] openjdk-7 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html"
},
{
"name": "FEDORA-2020-5386fe3bbb",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/"
},
{
"name": "FEDORA-2020-21ca991b3b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/"
},
{
"name": "FEDORA-2020-a60ad9d4ec",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/"
},
{
"name": "openSUSE-SU-2020:0757",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"name": "openSUSE-SU-2020:0800",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"name": "GLSA-202006-22",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202006-22"
},
{
"name": "openSUSE-SU-2020:0841",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10318"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2020-2830",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Java",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "Java SE: 7u251, 8u241, 11.0.6, 14"
},
{
"version_affected": "=",
"version_value": "Java SE Embedded: 8u241"
}
]
}
}
]
},
"vendor_name": "Oracle Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)."
}
]
},
"impact": {
"cvss": {
"baseScore": "5.3",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200416-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "[debian-lts-announce] 20200429 [SECURITY] [DLA 2193-1] openjdk-7 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html"
},
{
"name": "FEDORA-2020-5386fe3bbb",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/"
},
{
"name": "FEDORA-2020-21ca991b3b",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/"
},
{
"name": "FEDORA-2020-a60ad9d4ec",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/"
},
{
"name": "openSUSE-SU-2020:0757",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"name": "openSUSE-SU-2020:0800",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"name": "GLSA-202006-22",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202006-22"
},
{
"name": "openSUSE-SU-2020:0841",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10318",
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10318"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2020-2830",
"datePublished": "2020-04-15T13:29:48",
"dateReserved": "2019-12-10T00:00:00",
"dateUpdated": "2024-09-27T19:06:46.444Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-1302
Vulnerability from cvelistv5
Published
2018-03-26 15:00
Modified
2024-09-17 02:41
Severity ?
EPSS score ?
Summary
When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations, the reporter and the team could not reproduce it outside debug builds, so it is classified as low risk.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache HTTP Server |
Version: 2.4.17 to 2.4.29 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:59:37.835Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20180601-0004/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03909en_us"
},
{
"name": "RHSA-2019:0367",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0367"
},
{
"name": "[oss-security] 20180323 CVE-2018-1302: Possible write of after free on HTTP/2 stream shutdown",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2018/03/24/5"
},
{
"name": "103528",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103528"
},
{
"name": "1040567",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1040567"
},
{
"name": "USN-3783-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3783-1/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "RHSA-2019:0366",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0366"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [11/13] - /httpd/site/trunk/content/security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [12/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re473305a65b4db888e3556e4dae10c2a04ee89dcff2e26ecdbd860a9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210603 svn commit: r1075360 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache HTTP Server",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "2.4.17 to 2.4.29"
}
]
}
],
"datePublic": "2018-03-23T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations, the reporter and the team could not reproduce it outside debug builds, so it is classified as low risk."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Possible write of after free on HTTP/2 stream shutdown",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-06T10:10:53",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20180601-0004/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03909en_us"
},
{
"name": "RHSA-2019:0367",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0367"
},
{
"name": "[oss-security] 20180323 CVE-2018-1302: Possible write of after free on HTTP/2 stream shutdown",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2018/03/24/5"
},
{
"name": "103528",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103528"
},
{
"name": "1040567",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1040567"
},
{
"name": "USN-3783-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3783-1/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "RHSA-2019:0366",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0366"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [11/13] - /httpd/site/trunk/content/security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [12/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re473305a65b4db888e3556e4dae10c2a04ee89dcff2e26ecdbd860a9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210603 svn commit: r1075360 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-03-23T00:00:00",
"ID": "CVE-2018-1302",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache HTTP Server",
"version": {
"version_data": [
{
"version_value": "2.4.17 to 2.4.29"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations, the reporter and the team could not reproduce it outside debug builds, so it is classified as low risk."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Possible write of after free on HTTP/2 stream shutdown"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security.netapp.com/advisory/ntap-20180601-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20180601-0004/"
},
{
"name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03909en_us",
"refsource": "CONFIRM",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03909en_us"
},
{
"name": "RHSA-2019:0367",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:0367"
},
{
"name": "[oss-security] 20180323 CVE-2018-1302: Possible write of after free on HTTP/2 stream shutdown",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2018/03/24/5"
},
{
"name": "103528",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103528"
},
{
"name": "1040567",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1040567"
},
{
"name": "USN-3783-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3783-1/"
},
{
"name": "https://httpd.apache.org/security/vulnerabilities_24.html",
"refsource": "CONFIRM",
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "RHSA-2019:0366",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:0366"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "https://www.tenable.com/security/tns-2019-09",
"refsource": "CONFIRM",
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [11/13] - /httpd/site/trunk/content/security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [12/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re473305a65b4db888e3556e4dae10c2a04ee89dcff2e26ecdbd860a9@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210603 svn commit: r1075360 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3Ccvs.httpd.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-1302",
"datePublished": "2018-03-26T15:00:00Z",
"dateReserved": "2017-12-07T00:00:00",
"dateUpdated": "2024-09-17T02:41:36.706Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-2756
Vulnerability from cvelistv5
Published
2020-04-15 13:29
Modified
2024-09-30 15:41
Severity ?
EPSS score ?
Summary
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Oracle Corporation | Java |
Version: Java SE: 7u251, 8u241, 11.0.6, 14 Version: Java SE Embedded: 8u241 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:17:02.285Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "[debian-lts-announce] 20200429 [SECURITY] [DLA 2193-1] openjdk-7 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html"
},
{
"name": "DSA-4668",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4668"
},
{
"name": "FEDORA-2020-5386fe3bbb",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/"
},
{
"name": "FEDORA-2020-21ca991b3b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/"
},
{
"name": "FEDORA-2020-a60ad9d4ec",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/"
},
{
"name": "openSUSE-SU-2020:0757",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"name": "openSUSE-SU-2020:0800",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"name": "GLSA-202006-22",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202006-22"
},
{
"name": "openSUSE-SU-2020:0841",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-2756",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-30T15:00:07.558268Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T15:41:43.953Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Java",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "Java SE: 7u251, 8u241, 11.0.6, 14"
},
{
"status": "affected",
"version": "Java SE Embedded: 8u241"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-25T15:06:33",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "[debian-lts-announce] 20200429 [SECURITY] [DLA 2193-1] openjdk-7 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html"
},
{
"name": "DSA-4668",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4668"
},
{
"name": "FEDORA-2020-5386fe3bbb",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/"
},
{
"name": "FEDORA-2020-21ca991b3b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/"
},
{
"name": "FEDORA-2020-a60ad9d4ec",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/"
},
{
"name": "openSUSE-SU-2020:0757",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"name": "openSUSE-SU-2020:0800",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"name": "GLSA-202006-22",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202006-22"
},
{
"name": "openSUSE-SU-2020:0841",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2020-2756",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Java",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "Java SE: 7u251, 8u241, 11.0.6, 14"
},
{
"version_affected": "=",
"version_value": "Java SE Embedded: 8u241"
}
]
}
}
]
},
"vendor_name": "Oracle Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)."
}
]
},
"impact": {
"cvss": {
"baseScore": "3.7",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200416-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "[debian-lts-announce] 20200429 [SECURITY] [DLA 2193-1] openjdk-7 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html"
},
{
"name": "DSA-4668",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4668"
},
{
"name": "FEDORA-2020-5386fe3bbb",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/"
},
{
"name": "FEDORA-2020-21ca991b3b",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/"
},
{
"name": "FEDORA-2020-a60ad9d4ec",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/"
},
{
"name": "openSUSE-SU-2020:0757",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"name": "openSUSE-SU-2020:0800",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"name": "GLSA-202006-22",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202006-22"
},
{
"name": "openSUSE-SU-2020:0841",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332",
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
},
{
"name": "GLSA-202209-15",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202209-15"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2020-2756",
"datePublished": "2020-04-15T13:29:44",
"dateReserved": "2019-12-10T00:00:00",
"dateUpdated": "2024-09-30T15:41:43.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-2805
Vulnerability from cvelistv5
Published
2020-04-15 13:29
Modified
2024-09-30 14:47
Severity ?
EPSS score ?
Summary
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Oracle Corporation | Java |
Version: Java SE: 7u251, 8u241, 11.0.6, 14 Version: Java SE Embedded: 8u241 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:17:02.632Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "[debian-lts-announce] 20200429 [SECURITY] [DLA 2193-1] openjdk-7 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html"
},
{
"name": "DSA-4668",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4668"
},
{
"name": "FEDORA-2020-5386fe3bbb",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/"
},
{
"name": "FEDORA-2020-21ca991b3b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/"
},
{
"name": "FEDORA-2020-a60ad9d4ec",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/"
},
{
"name": "openSUSE-SU-2020:0757",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"name": "openSUSE-SU-2020:0800",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"name": "GLSA-202006-22",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202006-22"
},
{
"name": "openSUSE-SU-2020:0841",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-2805",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-30T14:41:30.438557Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T14:47:34.000Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Java",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "Java SE: 7u251, 8u241, 11.0.6, 14"
},
{
"status": "affected",
"version": "Java SE Embedded: 8u241"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-25T15:06:44",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "[debian-lts-announce] 20200429 [SECURITY] [DLA 2193-1] openjdk-7 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html"
},
{
"name": "DSA-4668",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4668"
},
{
"name": "FEDORA-2020-5386fe3bbb",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/"
},
{
"name": "FEDORA-2020-21ca991b3b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/"
},
{
"name": "FEDORA-2020-a60ad9d4ec",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/"
},
{
"name": "openSUSE-SU-2020:0757",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"name": "openSUSE-SU-2020:0800",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"name": "GLSA-202006-22",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202006-22"
},
{
"name": "openSUSE-SU-2020:0841",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2020-2805",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Java",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "Java SE: 7u251, 8u241, 11.0.6, 14"
},
{
"version_affected": "=",
"version_value": "Java SE Embedded: 8u241"
}
]
}
}
]
},
"vendor_name": "Oracle Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)."
}
]
},
"impact": {
"cvss": {
"baseScore": "8.3",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200416-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "[debian-lts-announce] 20200429 [SECURITY] [DLA 2193-1] openjdk-7 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html"
},
{
"name": "DSA-4668",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4668"
},
{
"name": "FEDORA-2020-5386fe3bbb",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/"
},
{
"name": "FEDORA-2020-21ca991b3b",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/"
},
{
"name": "FEDORA-2020-a60ad9d4ec",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/"
},
{
"name": "openSUSE-SU-2020:0757",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"name": "openSUSE-SU-2020:0800",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"name": "GLSA-202006-22",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202006-22"
},
{
"name": "openSUSE-SU-2020:0841",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"name": "GLSA-202209-15",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202209-15"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2020-2805",
"datePublished": "2020-04-15T13:29:47",
"dateReserved": "2019-12-10T00:00:00",
"dateUpdated": "2024-09-30T14:47:34.000Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-14579
Vulnerability from cvelistv5
Published
2020-07-15 17:34
Modified
2024-09-27 18:37
Severity ?
EPSS score ?
Summary
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261 and 8u251; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Oracle Corporation | Java |
Version: Java SE: 7u261, 8u251 Version: Java SE Embedded: 8u251 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:46:35.006Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200717-0005/"
},
{
"name": "FEDORA-2020-e418151dc3",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/"
},
{
"name": "DSA-4734",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4734"
},
{
"name": "FEDORA-2020-508df53719",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/"
},
{
"name": "[debian-lts-announce] 20200813 [SECURITY] [DLA 2325-1] openjdk-8 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html"
},
{
"name": "USN-4453-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4453-1/"
},
{
"name": "GLSA-202008-24",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202008-24"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
},
{
"name": "openSUSE-SU-2020:1893",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-14579",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-27T17:58:53.726663Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T18:37:57.254Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Java",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "Java SE: 7u261, 8u251"
},
{
"status": "affected",
"version": "Java SE Embedded: 8u251"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261 and 8u251; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-25T15:06:49",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200717-0005/"
},
{
"name": "FEDORA-2020-e418151dc3",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/"
},
{
"name": "DSA-4734",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4734"
},
{
"name": "FEDORA-2020-508df53719",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/"
},
{
"name": "[debian-lts-announce] 20200813 [SECURITY] [DLA 2325-1] openjdk-8 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html"
},
{
"name": "USN-4453-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4453-1/"
},
{
"name": "GLSA-202008-24",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202008-24"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
},
{
"name": "openSUSE-SU-2020:1893",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2020-14579",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Java",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "Java SE: 7u261, 8u251"
},
{
"version_affected": "=",
"version_value": "Java SE Embedded: 8u251"
}
]
}
}
]
},
"vendor_name": "Oracle Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261 and 8u251; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)."
}
]
},
"impact": {
"cvss": {
"baseScore": "3.7",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.oracle.com/security-alerts/cpujul2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200717-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200717-0005/"
},
{
"name": "FEDORA-2020-e418151dc3",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/"
},
{
"name": "DSA-4734",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4734"
},
{
"name": "FEDORA-2020-508df53719",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/"
},
{
"name": "[debian-lts-announce] 20200813 [SECURITY] [DLA 2325-1] openjdk-8 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html"
},
{
"name": "USN-4453-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4453-1/"
},
{
"name": "GLSA-202008-24",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202008-24"
},
{
"name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332",
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
},
{
"name": "openSUSE-SU-2020:1893",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html"
},
{
"name": "GLSA-202209-15",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202209-15"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2020-14579",
"datePublished": "2020-07-15T17:34:28",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-09-27T18:37:57.254Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-3449
Vulnerability from cvelistv5
Published
2021-03-25 14:25
Modified
2024-09-17 03:43
Severity ?
EPSS score ?
Summary
NULL pointer deref in signature_algorithms processing
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T16:53:17.609Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.openssl.org/news/secadv/20210325.txt"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fb9fa6b51defd48157eeb207f52181f735d96148"
},
{
"name": "20210325 Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2021",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd"
},
{
"name": "DSA-4875",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4875"
},
{
"name": "[oss-security] 20210327 OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/03/27/1"
},
{
"name": "[oss-security] 20210327 Re: OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/03/27/2"
},
{
"name": "[oss-security] 20210328 Re: OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/03/28/3"
},
{
"name": "[oss-security] 20210328 Re: OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/03/28/4"
},
{
"name": "GLSA-202103-03",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202103-03"
},
{
"name": "FEDORA-2021-cbf14ab8f9",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2021-10"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2021-09"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210513-0002/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210326-0006/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2021-06"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2021-05"
},
{
"tags": [
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10356"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845"
},
{
"tags": [
"x_transferred"
],
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013"
},
{
"name": "[debian-lts-announce] 20210831 [SECURITY] [DLA 2751-1] postgresql-9.6 security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00029.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OpenSSL",
"vendor": "OpenSSL",
"versions": [
{
"status": "affected",
"version": "Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j)"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Peter K\u00e4stle (Nokia) and Samuel Sapalski (Nokia)"
}
],
"datePublic": "2021-03-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j)."
}
],
"metrics": [
{
"other": {
"content": {
"lang": "eng",
"url": "https://www.openssl.org/policies/secpolicy.html#High",
"value": "High"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "NULL pointer dereference",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-21T19:05:57.096577",
"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"shortName": "openssl"
},
"references": [
{
"url": "https://www.openssl.org/news/secadv/20210325.txt"
},
{
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fb9fa6b51defd48157eeb207f52181f735d96148"
},
{
"name": "20210325 Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2021",
"tags": [
"vendor-advisory"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd"
},
{
"name": "DSA-4875",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4875"
},
{
"name": "[oss-security] 20210327 OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2021/03/27/1"
},
{
"name": "[oss-security] 20210327 Re: OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2021/03/27/2"
},
{
"name": "[oss-security] 20210328 Re: OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2021/03/28/3"
},
{
"name": "[oss-security] 20210328 Re: OpenSSL 1.1.1 CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT, CVE-2021-3449 NULL pointer deref in signature_algorithms processing",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2021/03/28/4"
},
{
"name": "GLSA-202103-03",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202103-03"
},
{
"name": "FEDORA-2021-cbf14ab8f9",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/"
},
{
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"url": "https://www.tenable.com/security/tns-2021-10"
},
{
"url": "https://www.tenable.com/security/tns-2021-09"
},
{
"url": "https://security.netapp.com/advisory/ntap-20210513-0002/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20210326-0006/"
},
{
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc"
},
{
"url": "https://www.tenable.com/security/tns-2021-06"
},
{
"url": "https://www.tenable.com/security/tns-2021-05"
},
{
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10356"
},
{
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf"
},
{
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845"
},
{
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013"
},
{
"name": "[debian-lts-announce] 20210831 [SECURITY] [DLA 2751-1] postgresql-9.6 security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00029.html"
},
{
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
},
{
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
}
],
"title": "NULL pointer deref in signature_algorithms processing"
}
},
"cveMetadata": {
"assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"assignerShortName": "openssl",
"cveId": "CVE-2021-3449",
"datePublished": "2021-03-25T14:25:13.659307Z",
"dateReserved": "2021-03-17T00:00:00",
"dateUpdated": "2024-09-17T03:43:55.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-1303
Vulnerability from cvelistv5
Published
2018-03-26 15:00
Modified
2024-09-17 02:10
Severity ?
EPSS score ?
Summary
A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound read while preparing data to be cached in shared memory. It could be used as a Denial of Service attack against users of mod_cache_socache. The vulnerability is considered as low risk since mod_cache_socache is not widely used, mod_cache_disk is not concerned by this vulnerability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache HTTP Server |
Version: 2.4.5 to 2.4.29 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:59:38.124Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "USN-3627-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3627-1/"
},
{
"name": "103522",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103522"
},
{
"name": "DSA-4164",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4164"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20180601-0004/"
},
{
"name": "RHSA-2018:3558",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3558"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03909en_us"
},
{
"name": "RHSA-2019:0367",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0367"
},
{
"name": "USN-3627-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3627-2/"
},
{
"name": "1040572",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1040572"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "[oss-security] 20180323 CVE-2018-1303: Possible out of bound read in mod_cache_socache",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2018/03/24/3"
},
{
"name": "RHSA-2019:0366",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0366"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [11/13] - /httpd/site/trunk/content/security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [12/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re473305a65b4db888e3556e4dae10c2a04ee89dcff2e26ecdbd860a9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache HTTP Server",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "2.4.5 to 2.4.29"
}
]
}
],
"datePublic": "2018-03-23T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound read while preparing data to be cached in shared memory. It could be used as a Denial of Service attack against users of mod_cache_socache. The vulnerability is considered as low risk since mod_cache_socache is not widely used, mod_cache_disk is not concerned by this vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Possible out of bound read in mod_cache_socache",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-06T10:10:46",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "USN-3627-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3627-1/"
},
{
"name": "103522",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103522"
},
{
"name": "DSA-4164",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4164"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20180601-0004/"
},
{
"name": "RHSA-2018:3558",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3558"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03909en_us"
},
{
"name": "RHSA-2019:0367",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0367"
},
{
"name": "USN-3627-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3627-2/"
},
{
"name": "1040572",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1040572"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "[oss-security] 20180323 CVE-2018-1303: Possible out of bound read in mod_cache_socache",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2018/03/24/3"
},
{
"name": "RHSA-2019:0366",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0366"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [11/13] - /httpd/site/trunk/content/security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [12/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re473305a65b4db888e3556e4dae10c2a04ee89dcff2e26ecdbd860a9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-03-23T00:00:00",
"ID": "CVE-2018-1303",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache HTTP Server",
"version": {
"version_data": [
{
"version_value": "2.4.5 to 2.4.29"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound read while preparing data to be cached in shared memory. It could be used as a Denial of Service attack against users of mod_cache_socache. The vulnerability is considered as low risk since mod_cache_socache is not widely used, mod_cache_disk is not concerned by this vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Possible out of bound read in mod_cache_socache"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "USN-3627-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3627-1/"
},
{
"name": "103522",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103522"
},
{
"name": "DSA-4164",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4164"
},
{
"name": "https://security.netapp.com/advisory/ntap-20180601-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20180601-0004/"
},
{
"name": "RHSA-2018:3558",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3558"
},
{
"name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03909en_us",
"refsource": "CONFIRM",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03909en_us"
},
{
"name": "RHSA-2019:0367",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:0367"
},
{
"name": "USN-3627-2",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3627-2/"
},
{
"name": "1040572",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1040572"
},
{
"name": "https://httpd.apache.org/security/vulnerabilities_24.html",
"refsource": "CONFIRM",
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "[oss-security] 20180323 CVE-2018-1303: Possible out of bound read in mod_cache_socache",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2018/03/24/3"
},
{
"name": "RHSA-2019:0366",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:0366"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "https://www.tenable.com/security/tns-2019-09",
"refsource": "CONFIRM",
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [11/13] - /httpd/site/trunk/content/security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [12/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re473305a65b4db888e3556e4dae10c2a04ee89dcff2e26ecdbd860a9@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3Ccvs.httpd.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-1303",
"datePublished": "2018-03-26T15:00:00Z",
"dateReserved": "2017-12-07T00:00:00",
"dateUpdated": "2024-09-17T02:10:32.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-1559
Vulnerability from cvelistv5
Published
2019-02-27 23:00
Modified
2024-09-17 04:20
Severity ?
EPSS score ?
Summary
0-byte record padding oracle
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T18:20:27.982Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "107174",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/107174"
},
{
"name": "GLSA-201903-10",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201903-10"
},
{
"name": "USN-3899-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3899-1/"
},
{
"name": "[debian-lts-announce] 20190301 [SECURITY] [DLA 1701-1] openssl security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html"
},
{
"name": "DSA-4400",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2019/dsa-4400"
},
{
"name": "openSUSE-SU-2019:1076",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html"
},
{
"name": "openSUSE-SU-2019:1105",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html"
},
{
"name": "openSUSE-SU-2019:1173",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html"
},
{
"name": "openSUSE-SU-2019:1175",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html"
},
{
"name": "openSUSE-SU-2019:1432",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html"
},
{
"name": "openSUSE-SU-2019:1637",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00080.html"
},
{
"name": "RHSA-2019:2304",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2304"
},
{
"name": "RHSA-2019:2439",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2439"
},
{
"name": "RHSA-2019:2437",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
},
{
"name": "RHSA-2019:2471",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2471"
},
{
"name": "FEDORA-2019-db06efdea1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/"
},
{
"name": "FEDORA-2019-00c25b9379",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/"
},
{
"name": "FEDORA-2019-9a0a7c0986",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/"
},
{
"name": "RHSA-2019:3929",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3929"
},
{
"name": "RHSA-2019:3931",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3931"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"name": "USN-4376-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4376-2/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20190301-0001/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20190301-0002/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.openssl.org/news/secadv/20190226.txt"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.f5.com/csp/article/K18549143"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2019-02"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20190423-0002/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2019-03"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10282"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.f5.com/csp/article/K18549143?utm_source=f5support\u0026amp%3Butm_medium=RSS"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OpenSSL",
"vendor": "OpenSSL",
"versions": [
{
"status": "affected",
"version": "Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q)"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Juraj Somorovsky, Robert Merget and Nimrod Aviram, with additional investigation by Steven Collison and Andrew Hourselt"
}
],
"datePublic": "2019-02-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q)."
}
],
"metrics": [
{
"other": {
"content": {
"lang": "eng",
"url": "https://www.openssl.org/policies/secpolicy.html#Moderate",
"value": "Moderate"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Padding Oracle",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-20T14:42:01",
"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"shortName": "openssl"
},
"references": [
{
"name": "107174",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/107174"
},
{
"name": "GLSA-201903-10",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201903-10"
},
{
"name": "USN-3899-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3899-1/"
},
{
"name": "[debian-lts-announce] 20190301 [SECURITY] [DLA 1701-1] openssl security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html"
},
{
"name": "DSA-4400",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2019/dsa-4400"
},
{
"name": "openSUSE-SU-2019:1076",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html"
},
{
"name": "openSUSE-SU-2019:1105",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html"
},
{
"name": "openSUSE-SU-2019:1173",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html"
},
{
"name": "openSUSE-SU-2019:1175",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html"
},
{
"name": "openSUSE-SU-2019:1432",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html"
},
{
"name": "openSUSE-SU-2019:1637",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00080.html"
},
{
"name": "RHSA-2019:2304",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2304"
},
{
"name": "RHSA-2019:2439",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2439"
},
{
"name": "RHSA-2019:2437",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
},
{
"name": "RHSA-2019:2471",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2471"
},
{
"name": "FEDORA-2019-db06efdea1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/"
},
{
"name": "FEDORA-2019-00c25b9379",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/"
},
{
"name": "FEDORA-2019-9a0a7c0986",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/"
},
{
"name": "RHSA-2019:3929",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3929"
},
{
"name": "RHSA-2019:3931",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3931"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"name": "USN-4376-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4376-2/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20190301-0001/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20190301-0002/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.openssl.org/news/secadv/20190226.txt"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.f5.com/csp/article/K18549143"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.tenable.com/security/tns-2019-02"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20190423-0002/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.tenable.com/security/tns-2019-03"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10282"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.f5.com/csp/article/K18549143?utm_source=f5support\u0026amp%3Butm_medium=RSS"
}
],
"title": "0-byte record padding oracle",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "openssl-security@openssl.org",
"DATE_PUBLIC": "2019-02-26",
"ID": "CVE-2019-1559",
"STATE": "PUBLIC",
"TITLE": "0-byte record padding oracle"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OpenSSL",
"version": {
"version_data": [
{
"version_value": "Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q)"
}
]
}
}
]
},
"vendor_name": "OpenSSL"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Juraj Somorovsky, Robert Merget and Nimrod Aviram, with additional investigation by Steven Collison and Andrew Hourselt"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q)."
}
]
},
"impact": [
{
"lang": "eng",
"url": "https://www.openssl.org/policies/secpolicy.html#Moderate",
"value": "Moderate"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Padding Oracle"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "107174",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/107174"
},
{
"name": "GLSA-201903-10",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201903-10"
},
{
"name": "USN-3899-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3899-1/"
},
{
"name": "[debian-lts-announce] 20190301 [SECURITY] [DLA 1701-1] openssl security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html"
},
{
"name": "DSA-4400",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2019/dsa-4400"
},
{
"name": "openSUSE-SU-2019:1076",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html"
},
{
"name": "openSUSE-SU-2019:1105",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html"
},
{
"name": "openSUSE-SU-2019:1173",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html"
},
{
"name": "openSUSE-SU-2019:1175",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html"
},
{
"name": "openSUSE-SU-2019:1432",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html"
},
{
"name": "openSUSE-SU-2019:1637",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00080.html"
},
{
"name": "RHSA-2019:2304",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:2304"
},
{
"name": "RHSA-2019:2439",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:2439"
},
{
"name": "RHSA-2019:2437",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:2437"
},
{
"name": "RHSA-2019:2471",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:2471"
},
{
"name": "FEDORA-2019-db06efdea1",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/"
},
{
"name": "FEDORA-2019-00c25b9379",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/"
},
{
"name": "FEDORA-2019-9a0a7c0986",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/"
},
{
"name": "RHSA-2019:3929",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:3929"
},
{
"name": "RHSA-2019:3931",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:3931"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
"refsource": "MISC",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
"refsource": "MISC",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
"refsource": "MISC",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"name": "USN-4376-2",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4376-2/"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20190301-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20190301-0001/"
},
{
"name": "https://security.netapp.com/advisory/ntap-20190301-0002/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20190301-0002/"
},
{
"name": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e",
"refsource": "CONFIRM",
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e"
},
{
"name": "https://www.openssl.org/news/secadv/20190226.txt",
"refsource": "CONFIRM",
"url": "https://www.openssl.org/news/secadv/20190226.txt"
},
{
"name": "https://support.f5.com/csp/article/K18549143",
"refsource": "CONFIRM",
"url": "https://support.f5.com/csp/article/K18549143"
},
{
"name": "https://www.tenable.com/security/tns-2019-02",
"refsource": "CONFIRM",
"url": "https://www.tenable.com/security/tns-2019-02"
},
{
"name": "https://security.netapp.com/advisory/ntap-20190423-0002/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20190423-0002/"
},
{
"name": "https://www.tenable.com/security/tns-2019-03",
"refsource": "CONFIRM",
"url": "https://www.tenable.com/security/tns-2019-03"
},
{
"name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10282",
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10282"
},
{
"name": "https://support.f5.com/csp/article/K18549143?utm_source=f5support\u0026amp;utm_medium=RSS",
"refsource": "CONFIRM",
"url": "https://support.f5.com/csp/article/K18549143?utm_source=f5support\u0026amp;utm_medium=RSS"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"assignerShortName": "openssl",
"cveId": "CVE-2019-1559",
"datePublished": "2019-02-27T23:00:00Z",
"dateReserved": "2018-11-28T00:00:00",
"dateUpdated": "2024-09-17T04:20:35.057Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-37434
Vulnerability from cvelistv5
Published
2022-08-05 00:00
Modified
2024-08-03 10:29
Severity ?
EPSS score ?
Summary
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:29:21.032Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/ivd38/zlib_overflow"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764"
},
{
"name": "[oss-security] 20220805 zlib buffer overflow",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/08/05/2"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/curl/curl/issues/9271"
},
{
"name": "[oss-security] 20220808 Re: zlib buffer overflow",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/08/09/1"
},
{
"name": "FEDORA-2022-25e4dbedf9",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/"
},
{
"name": "DSA-5218",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5218"
},
{
"name": "FEDORA-2022-15da0cf165",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220901-0005/"
},
{
"name": "FEDORA-2022-b8232d1cca",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/"
},
{
"name": "[debian-lts-announce] 20220912 [SECURITY] [DLA 3103-1] zlib security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html"
},
{
"name": "FEDORA-2022-3c28ae0cd8",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/"
},
{
"name": "FEDORA-2022-0b517a5397",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.apple.com/kb/HT213489"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.apple.com/kb/HT213488"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.apple.com/kb/HT213494"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.apple.com/kb/HT213493"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.apple.com/kb/HT213491"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.apple.com/kb/HT213490"
},
{
"name": "20221030 APPLE-SA-2022-10-27-5 Additional information for APPLE-SA-2022-10-24-2 macOS Ventura 13",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2022/Oct/41"
},
{
"name": "20221030 APPLE-SA-2022-10-27-2 Additional information for APPLE-SA-2022-10-24-1 iOS 16.1 and iPadOS 16",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2022/Oct/38"
},
{
"name": "20221030 APPLE-SA-2022-10-27-1 iOS 15.7.1 and iPadOS 15.7.1",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2022/Oct/37"
},
{
"name": "20221030 APPLE-SA-2022-10-27-6 Additional information for APPLE-SA-2022-10-24-3 macOS Monterey 12.6.1",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2022/Oct/42"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230427-0007/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "unknown",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-30T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/ivd38/zlib_overflow"
},
{
"url": "https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1"
},
{
"url": "https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063"
},
{
"url": "https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764"
},
{
"name": "[oss-security] 20220805 zlib buffer overflow",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/08/05/2"
},
{
"url": "https://github.com/curl/curl/issues/9271"
},
{
"name": "[oss-security] 20220808 Re: zlib buffer overflow",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/08/09/1"
},
{
"name": "FEDORA-2022-25e4dbedf9",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/"
},
{
"name": "DSA-5218",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5218"
},
{
"name": "FEDORA-2022-15da0cf165",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20220901-0005/"
},
{
"name": "FEDORA-2022-b8232d1cca",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/"
},
{
"name": "[debian-lts-announce] 20220912 [SECURITY] [DLA 3103-1] zlib security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html"
},
{
"name": "FEDORA-2022-3c28ae0cd8",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/"
},
{
"name": "FEDORA-2022-0b517a5397",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/"
},
{
"url": "https://support.apple.com/kb/HT213489"
},
{
"url": "https://support.apple.com/kb/HT213488"
},
{
"url": "https://support.apple.com/kb/HT213494"
},
{
"url": "https://support.apple.com/kb/HT213493"
},
{
"url": "https://support.apple.com/kb/HT213491"
},
{
"url": "https://support.apple.com/kb/HT213490"
},
{
"name": "20221030 APPLE-SA-2022-10-27-5 Additional information for APPLE-SA-2022-10-24-2 macOS Ventura 13",
"tags": [
"mailing-list"
],
"url": "http://seclists.org/fulldisclosure/2022/Oct/41"
},
{
"name": "20221030 APPLE-SA-2022-10-27-2 Additional information for APPLE-SA-2022-10-24-1 iOS 16.1 and iPadOS 16",
"tags": [
"mailing-list"
],
"url": "http://seclists.org/fulldisclosure/2022/Oct/38"
},
{
"name": "20221030 APPLE-SA-2022-10-27-1 iOS 15.7.1 and iPadOS 15.7.1",
"tags": [
"mailing-list"
],
"url": "http://seclists.org/fulldisclosure/2022/Oct/37"
},
{
"name": "20221030 APPLE-SA-2022-10-27-6 Additional information for APPLE-SA-2022-10-24-3 macOS Monterey 12.6.1",
"tags": [
"mailing-list"
],
"url": "http://seclists.org/fulldisclosure/2022/Oct/42"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230427-0007/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-37434",
"datePublished": "2022-08-05T00:00:00",
"dateReserved": "2022-08-05T00:00:00",
"dateUpdated": "2024-08-03T10:29:21.032Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-2755
Vulnerability from cvelistv5
Published
2020-04-15 13:29
Modified
2024-09-30 15:41
Severity ?
EPSS score ?
Summary
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Oracle Corporation | Java |
Version: Java SE: 8u241, 11.0.6, 14 Version: Java SE Embedded: 8u241 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:17:02.660Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "DSA-4668",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4668"
},
{
"name": "FEDORA-2020-5386fe3bbb",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/"
},
{
"name": "FEDORA-2020-21ca991b3b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/"
},
{
"name": "FEDORA-2020-a60ad9d4ec",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/"
},
{
"name": "openSUSE-SU-2020:0757",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"name": "openSUSE-SU-2020:0800",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"name": "GLSA-202006-22",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202006-22"
},
{
"name": "openSUSE-SU-2020:0841",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-2755",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-30T15:00:10.185809Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T15:41:54.140Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Java",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "Java SE: 8u241, 11.0.6, 14"
},
{
"status": "affected",
"version": "Java SE Embedded: 8u241"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-25T15:06:51",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "DSA-4668",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4668"
},
{
"name": "FEDORA-2020-5386fe3bbb",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/"
},
{
"name": "FEDORA-2020-21ca991b3b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/"
},
{
"name": "FEDORA-2020-a60ad9d4ec",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/"
},
{
"name": "openSUSE-SU-2020:0757",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"name": "openSUSE-SU-2020:0800",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"name": "GLSA-202006-22",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202006-22"
},
{
"name": "openSUSE-SU-2020:0841",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2020-2755",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Java",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "Java SE: 8u241, 11.0.6, 14"
},
{
"version_affected": "=",
"version_value": "Java SE Embedded: 8u241"
}
]
}
}
]
},
"vendor_name": "Oracle Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)."
}
]
},
"impact": {
"cvss": {
"baseScore": "3.7",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200416-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "DSA-4668",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4668"
},
{
"name": "FEDORA-2020-5386fe3bbb",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/"
},
{
"name": "FEDORA-2020-21ca991b3b",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/"
},
{
"name": "FEDORA-2020-a60ad9d4ec",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/"
},
{
"name": "openSUSE-SU-2020:0757",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"name": "openSUSE-SU-2020:0800",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"name": "GLSA-202006-22",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202006-22"
},
{
"name": "openSUSE-SU-2020:0841",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332",
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
},
{
"name": "GLSA-202209-15",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202209-15"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2020-2755",
"datePublished": "2020-04-15T13:29:44",
"dateReserved": "2019-12-10T00:00:00",
"dateUpdated": "2024-09-30T15:41:54.140Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-0778
Vulnerability from cvelistv5
Published
2022-03-15 17:05
Modified
2024-09-17 00:01
Severity ?
EPSS score ?
Summary
Infinite loop in BN_mod_sqrt() reachable when parsing certificates
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:03.765Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.openssl.org/news/secadv/20220315.txt"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a466912611aa6cbdf550cd10601390e587451246"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=3118eb64934499d93db3230748a452351d1d9a65"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=380085481c64de749a6dd25cdf0bcf4360b30f83"
},
{
"name": "DSA-5103",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5103"
},
{
"name": "[debian-lts-announce] 20220317 [SECURITY] [DLA 2952-1] openssl security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html"
},
{
"name": "[debian-lts-announce] 20220317 [SECURITY] [DLA 2953-1] openssl1.0 security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html"
},
{
"name": "FEDORA-2022-a5f51502f0",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/"
},
{
"name": "FEDORA-2022-9e88b5d8d7",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/323SNN6ZX7PRJJWP2BUAFLPUAE42XWLZ/"
},
{
"name": "FEDORA-2022-8bb51f6901",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W6K3PR542DXWLEFFMFIDMME4CWMHJRMG/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220321-0002/"
},
{
"tags": [
"x_transferred"
],
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2022-06"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2022-07"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2022-08"
},
{
"name": "20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2022/May/33"
},
{
"name": "20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2022/May/35"
},
{
"name": "20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2022/May/38"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.apple.com/kb/HT213257"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.apple.com/kb/HT213256"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.apple.com/kb/HT213255"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2022-09"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220429-0005/"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/167344/OpenSSL-1.0.2-1.1.1-3.0-BN_mod_sqrt-Infinite-Loop.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-712929.pdf"
},
{
"name": "GLSA-202210-02",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202210-02"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OpenSSL",
"vendor": "OpenSSL",
"versions": [
{
"status": "affected",
"version": "Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1)"
},
{
"status": "affected",
"version": "Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m)"
},
{
"status": "affected",
"version": "Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc)"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tavis Ormandy (Google)"
}
],
"datePublic": "2022-03-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc)."
}
],
"metrics": [
{
"other": {
"content": {
"lang": "eng",
"url": "https://www.openssl.org/policies/secpolicy.html#High",
"value": "High"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Infinite loop",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-21T19:07:01.186352",
"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"shortName": "openssl"
},
"references": [
{
"url": "https://www.openssl.org/news/secadv/20220315.txt"
},
{
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a466912611aa6cbdf550cd10601390e587451246"
},
{
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=3118eb64934499d93db3230748a452351d1d9a65"
},
{
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=380085481c64de749a6dd25cdf0bcf4360b30f83"
},
{
"name": "DSA-5103",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5103"
},
{
"name": "[debian-lts-announce] 20220317 [SECURITY] [DLA 2952-1] openssl security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html"
},
{
"name": "[debian-lts-announce] 20220317 [SECURITY] [DLA 2953-1] openssl1.0 security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html"
},
{
"name": "FEDORA-2022-a5f51502f0",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/"
},
{
"name": "FEDORA-2022-9e88b5d8d7",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/323SNN6ZX7PRJJWP2BUAFLPUAE42XWLZ/"
},
{
"name": "FEDORA-2022-8bb51f6901",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W6K3PR542DXWLEFFMFIDMME4CWMHJRMG/"
},
{
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20220321-0002/"
},
{
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002"
},
{
"url": "https://www.tenable.com/security/tns-2022-06"
},
{
"url": "https://www.tenable.com/security/tns-2022-07"
},
{
"url": "https://www.tenable.com/security/tns-2022-08"
},
{
"name": "20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina",
"tags": [
"mailing-list"
],
"url": "http://seclists.org/fulldisclosure/2022/May/33"
},
{
"name": "20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6",
"tags": [
"mailing-list"
],
"url": "http://seclists.org/fulldisclosure/2022/May/35"
},
{
"name": "20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4",
"tags": [
"mailing-list"
],
"url": "http://seclists.org/fulldisclosure/2022/May/38"
},
{
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"url": "https://support.apple.com/kb/HT213257"
},
{
"url": "https://support.apple.com/kb/HT213256"
},
{
"url": "https://support.apple.com/kb/HT213255"
},
{
"url": "https://www.tenable.com/security/tns-2022-09"
},
{
"url": "https://security.netapp.com/advisory/ntap-20220429-0005/"
},
{
"url": "http://packetstormsecurity.com/files/167344/OpenSSL-1.0.2-1.1.1-3.0-BN_mod_sqrt-Infinite-Loop.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-712929.pdf"
},
{
"name": "GLSA-202210-02",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202210-02"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
}
],
"title": "Infinite loop in BN_mod_sqrt() reachable when parsing certificates"
}
},
"cveMetadata": {
"assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"assignerShortName": "openssl",
"cveId": "CVE-2022-0778",
"datePublished": "2022-03-15T17:05:20.382533Z",
"dateReserved": "2022-02-28T00:00:00",
"dateUpdated": "2024-09-17T00:01:02.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-1283
Vulnerability from cvelistv5
Published
2018-03-26 15:00
Modified
2024-09-16 19:36
Severity ?
EPSS score ?
Summary
In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache HTTP Server |
Version: 2.4.0 to 2.4.29 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:59:37.277Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "USN-3627-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3627-1/"
},
{
"name": "DSA-4164",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4164"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20180601-0004/"
},
{
"name": "RHSA-2018:3558",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3558"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03909en_us"
},
{
"name": "RHSA-2019:0367",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0367"
},
{
"name": "1040568",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1040568"
},
{
"name": "USN-3627-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3627-2/"
},
{
"name": "103520",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103520"
},
{
"name": "[oss-security] 20180323 CVE-2018-1283: Tampering of mod_session data for CGI applications",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2018/03/24/4"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "RHSA-2019:0366",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0366"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [11/13] - /httpd/site/trunk/content/security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210603 svn commit: r1075360 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache HTTP Server",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "2.4.0 to 2.4.29"
}
]
}
],
"datePublic": "2018-03-23T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a \"Session\" header. This comes from the \"HTTP_SESSION\" variable name used by mod_session to forward its data to CGIs, since the prefix \"HTTP_\" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Tampering of mod_session data for CGI applications.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-06T10:12:05",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "USN-3627-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3627-1/"
},
{
"name": "DSA-4164",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4164"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20180601-0004/"
},
{
"name": "RHSA-2018:3558",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3558"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03909en_us"
},
{
"name": "RHSA-2019:0367",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0367"
},
{
"name": "1040568",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1040568"
},
{
"name": "USN-3627-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3627-2/"
},
{
"name": "103520",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103520"
},
{
"name": "[oss-security] 20180323 CVE-2018-1283: Tampering of mod_session data for CGI applications",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2018/03/24/4"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "RHSA-2019:0366",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0366"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [11/13] - /httpd/site/trunk/content/security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210603 svn commit: r1075360 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-03-23T00:00:00",
"ID": "CVE-2018-1283",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache HTTP Server",
"version": {
"version_data": [
{
"version_value": "2.4.0 to 2.4.29"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a \"Session\" header. This comes from the \"HTTP_SESSION\" variable name used by mod_session to forward its data to CGIs, since the prefix \"HTTP_\" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Tampering of mod_session data for CGI applications."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "USN-3627-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3627-1/"
},
{
"name": "DSA-4164",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4164"
},
{
"name": "https://security.netapp.com/advisory/ntap-20180601-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20180601-0004/"
},
{
"name": "RHSA-2018:3558",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3558"
},
{
"name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03909en_us",
"refsource": "CONFIRM",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03909en_us"
},
{
"name": "RHSA-2019:0367",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:0367"
},
{
"name": "1040568",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1040568"
},
{
"name": "USN-3627-2",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3627-2/"
},
{
"name": "103520",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103520"
},
{
"name": "[oss-security] 20180323 CVE-2018-1283: Tampering of mod_session data for CGI applications",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2018/03/24/4"
},
{
"name": "https://httpd.apache.org/security/vulnerabilities_24.html",
"refsource": "CONFIRM",
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "RHSA-2019:0366",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:0366"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "https://www.tenable.com/security/tns-2019-09",
"refsource": "CONFIRM",
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [11/13] - /httpd/site/trunk/content/security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210603 svn commit: r1075360 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3Ccvs.httpd.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-1283",
"datePublished": "2018-03-26T15:00:00Z",
"dateReserved": "2017-12-07T00:00:00",
"dateUpdated": "2024-09-16T19:36:29.564Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-21983
Vulnerability from cvelistv5
Published
2024-02-16 22:35
Modified
2024-08-01 22:35
Severity ?
EPSS score ?
Summary
Denial of Service Vulnerability in StorageGRID (formerly StorageGRID Webscale)
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | NetApp | StorageGRID |
Version: 0 |
|
|
|||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21983",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-20T15:30:00.617001Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-07T15:58:32.902Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:35:34.510Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240216-0012/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "StorageGRID",
"vendor": "NetApp",
"versions": [
{
"lessThan": "11.8",
"status": "affected",
"version": "0",
"versionType": "general availability"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8 \nare susceptible to a Denial of Service (DoS) vulnerability. Successful \nexploit by an authenticated attacker could lead to an out of memory \ncondition or node reboot.\n\n"
}
],
"value": "StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8 \nare susceptible to a Denial of Service (DoS) vulnerability. Successful \nexploit by an authenticated attacker could lead to an out of memory \ncondition or node reboot.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-248",
"description": "CWE-248",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-16T22:35:02.365Z",
"orgId": "11fdca00-0482-4c88-a206-37f9c182c87d",
"shortName": "netapp"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20240216-0012/"
}
],
"source": {
"advisory": "NTAP-20240216-0012",
"discovery": "UNKNOWN"
},
"title": "Denial of Service Vulnerability in StorageGRID (formerly StorageGRID Webscale) ",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "11fdca00-0482-4c88-a206-37f9c182c87d",
"assignerShortName": "netapp",
"cveId": "CVE-2024-21983",
"datePublished": "2024-02-16T22:35:02.365Z",
"dateReserved": "2024-01-03T19:45:25.346Z",
"dateUpdated": "2024-08-01T22:35:34.510Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-2803
Vulnerability from cvelistv5
Published
2020-04-15 13:29
Modified
2024-09-30 14:48
Severity ?
EPSS score ?
Summary
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Oracle Corporation | Java |
Version: Java SE: 7u251, 8u241, 11.0.6, 14 Version: Java SE Embedded: 8u241 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:17:02.732Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "[debian-lts-announce] 20200429 [SECURITY] [DLA 2193-1] openjdk-7 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html"
},
{
"name": "DSA-4668",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4668"
},
{
"name": "FEDORA-2020-5386fe3bbb",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/"
},
{
"name": "FEDORA-2020-21ca991b3b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/"
},
{
"name": "FEDORA-2020-a60ad9d4ec",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/"
},
{
"name": "openSUSE-SU-2020:0757",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"name": "openSUSE-SU-2020:0800",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"name": "GLSA-202006-22",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202006-22"
},
{
"name": "openSUSE-SU-2020:0841",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-2803",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-30T14:41:31.754667Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T14:48:44.826Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Java",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "Java SE: 7u251, 8u241, 11.0.6, 14"
},
{
"status": "affected",
"version": "Java SE Embedded: 8u241"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle GraalVM Enterprise Edition.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-25T15:06:36",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "[debian-lts-announce] 20200429 [SECURITY] [DLA 2193-1] openjdk-7 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html"
},
{
"name": "DSA-4668",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4668"
},
{
"name": "FEDORA-2020-5386fe3bbb",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/"
},
{
"name": "FEDORA-2020-21ca991b3b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/"
},
{
"name": "FEDORA-2020-a60ad9d4ec",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/"
},
{
"name": "openSUSE-SU-2020:0757",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"name": "openSUSE-SU-2020:0800",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"name": "GLSA-202006-22",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202006-22"
},
{
"name": "openSUSE-SU-2020:0841",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2020-2803",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Java",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "Java SE: 7u251, 8u241, 11.0.6, 14"
},
{
"version_affected": "=",
"version_value": "Java SE Embedded: 8u241"
}
]
}
}
]
},
"vendor_name": "Oracle Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)."
}
]
},
"impact": {
"cvss": {
"baseScore": "8.3",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle GraalVM Enterprise Edition."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200416-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "[debian-lts-announce] 20200429 [SECURITY] [DLA 2193-1] openjdk-7 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html"
},
{
"name": "DSA-4668",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4668"
},
{
"name": "FEDORA-2020-5386fe3bbb",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/"
},
{
"name": "FEDORA-2020-21ca991b3b",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/"
},
{
"name": "FEDORA-2020-a60ad9d4ec",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/"
},
{
"name": "openSUSE-SU-2020:0757",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"name": "openSUSE-SU-2020:0800",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"name": "GLSA-202006-22",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202006-22"
},
{
"name": "openSUSE-SU-2020:0841",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"name": "GLSA-202209-15",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202209-15"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2020-2803",
"datePublished": "2020-04-15T13:29:47",
"dateReserved": "2019-12-10T00:00:00",
"dateUpdated": "2024-09-30T14:48:44.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-2825
Vulnerability from cvelistv5
Published
2018-04-19 02:00
Modified
2024-08-05 04:29
Severity ?
EPSS score ?
Summary
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Libraries). The supported version that is affected is Java SE: 10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securitytracker.com/id/1040697 | vdb-entry, x_refsource_SECTRACK | |
| https://usn.ubuntu.com/3747-1/ | vendor-advisory, x_refsource_UBUNTU | |
| https://security.netapp.com/advisory/ntap-20180419-0001/ | x_refsource_CONFIRM | |
| https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0 | x_refsource_CONFIRM | |
| http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/103782 | vdb-entry, x_refsource_BID |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Oracle Corporation | Java |
Version: Java SE: 10 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T04:29:44.815Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "1040697",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1040697"
},
{
"name": "USN-3747-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3747-1/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20180419-0001/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"name": "103782",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103782"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Java",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "Java SE: 10"
}
]
}
],
"datePublic": "2018-03-27T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Libraries). The supported version that is affected is Java SE: 10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-11-30T20:57:01",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"name": "1040697",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1040697"
},
{
"name": "USN-3747-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3747-1/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20180419-0001/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"name": "103782",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103782"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2018-2825",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Java",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "Java SE: 10"
}
]
}
}
]
},
"vendor_name": "Oracle Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Libraries). The supported version that is affected is Java SE: 10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "1040697",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1040697"
},
{
"name": "USN-3747-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3747-1/"
},
{
"name": "https://security.netapp.com/advisory/ntap-20180419-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20180419-0001/"
},
{
"name": "https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0",
"refsource": "CONFIRM",
"url": "https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"name": "103782",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103782"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2018-2825",
"datePublished": "2018-04-19T02:00:00",
"dateReserved": "2017-12-15T00:00:00",
"dateUpdated": "2024-08-05T04:29:44.815Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-21984
Vulnerability from cvelistv5
Published
2024-02-16 22:37
Modified
2024-08-01 22:35
Severity ?
EPSS score ?
Summary
Reflected Cross-Site Scripting Vulnerability in StorageGRID (formerly StorageGRID Webscale)
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | NetApp | StorageGRID |
Version: 0 |
|
|
|||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21984",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-20T15:11:36.367921Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:20:57.011Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:35:34.659Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240216-0013/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "StorageGRID",
"vendor": "NetApp",
"versions": [
{
"lessThan": "11.8",
"status": "affected",
"version": "0",
"versionType": "general availability"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8 \nare susceptible to a difficult to exploit Reflected Cross-Site Scripting\n (XSS) vulnerability. Successful exploit requires the attacker to know \nspecific information about the target instance and trick a privileged \nuser into clicking a specially crafted link. This could allow the \nattacker to view or modify configuration settings or add or modify user \naccounts. \n\n\n\n\n"
}
],
"value": "StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8 \nare susceptible to a difficult to exploit Reflected Cross-Site Scripting\n (XSS) vulnerability. Successful exploit requires the attacker to know \nspecific information about the target instance and trick a privileged \nuser into clicking a specially crafted link. This could allow the \nattacker to view or modify configuration settings or add or modify user \naccounts. \n\n\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-16T22:37:47.580Z",
"orgId": "11fdca00-0482-4c88-a206-37f9c182c87d",
"shortName": "netapp"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20240216-0013/"
}
],
"source": {
"advisory": "NTAP-20240216-0013",
"discovery": "UNKNOWN"
},
"title": "Reflected Cross-Site Scripting Vulnerability in StorageGRID (formerly StorageGRID Webscale)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "11fdca00-0482-4c88-a206-37f9c182c87d",
"assignerShortName": "netapp",
"cveId": "CVE-2024-21984",
"datePublished": "2024-02-16T22:37:47.580Z",
"dateReserved": "2024-01-03T19:45:25.346Z",
"dateUpdated": "2024-08-01T22:35:34.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-1312
Vulnerability from cvelistv5
Published
2018-03-26 15:00
Modified
2024-09-16 19:14
Severity ?
EPSS score ?
Summary
In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache HTTP Server |
Version: 2.0.42 to 2.4.29 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:59:37.841Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "USN-3627-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3627-1/"
},
{
"name": "DSA-4164",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4164"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20180601-0004/"
},
{
"name": "RHSA-2018:3558",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3558"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03909en_us"
},
{
"name": "RHSA-2019:0367",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0367"
},
{
"name": "USN-3627-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3627-2/"
},
{
"name": "103524",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103524"
},
{
"name": "[oss-security] 20180323 CVE-2018-1312: Weak Digest auth nonce generation in mod_auth_digest",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2018/03/24/7"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "[debian-lts-announce] 20180530 [SECURITY] [DLA 1389-1] apache2 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/05/msg00020.html"
},
{
"name": "1040571",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1040571"
},
{
"name": "RHSA-2019:0366",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0366"
},
{
"name": "USN-3937-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3937-2/"
},
{
"name": "RHSA-2019:1898",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1898"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [11/13] - /httpd/site/trunk/content/security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [12/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re473305a65b4db888e3556e4dae10c2a04ee89dcff2e26ecdbd860a9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210603 svn commit: r1075360 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache HTTP Server",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "2.0.42 to 2.4.29"
}
]
}
],
"datePublic": "2018-03-23T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Authentication replay mitigation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-06T10:12:21",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "USN-3627-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3627-1/"
},
{
"name": "DSA-4164",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4164"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20180601-0004/"
},
{
"name": "RHSA-2018:3558",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3558"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03909en_us"
},
{
"name": "RHSA-2019:0367",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0367"
},
{
"name": "USN-3627-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3627-2/"
},
{
"name": "103524",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103524"
},
{
"name": "[oss-security] 20180323 CVE-2018-1312: Weak Digest auth nonce generation in mod_auth_digest",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2018/03/24/7"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "[debian-lts-announce] 20180530 [SECURITY] [DLA 1389-1] apache2 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/05/msg00020.html"
},
{
"name": "1040571",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1040571"
},
{
"name": "RHSA-2019:0366",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:0366"
},
{
"name": "USN-3937-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3937-2/"
},
{
"name": "RHSA-2019:1898",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1898"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [11/13] - /httpd/site/trunk/content/security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [12/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re473305a65b4db888e3556e4dae10c2a04ee89dcff2e26ecdbd860a9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210603 svn commit: r1075360 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-03-23T00:00:00",
"ID": "CVE-2018-1312",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache HTTP Server",
"version": {
"version_data": [
{
"version_value": "2.0.42 to 2.4.29"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Authentication replay mitigation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "USN-3627-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3627-1/"
},
{
"name": "DSA-4164",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4164"
},
{
"name": "https://security.netapp.com/advisory/ntap-20180601-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20180601-0004/"
},
{
"name": "RHSA-2018:3558",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3558"
},
{
"name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03909en_us",
"refsource": "CONFIRM",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03909en_us"
},
{
"name": "RHSA-2019:0367",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:0367"
},
{
"name": "USN-3627-2",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3627-2/"
},
{
"name": "103524",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103524"
},
{
"name": "[oss-security] 20180323 CVE-2018-1312: Weak Digest auth nonce generation in mod_auth_digest",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2018/03/24/7"
},
{
"name": "https://httpd.apache.org/security/vulnerabilities_24.html",
"refsource": "CONFIRM",
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "[debian-lts-announce] 20180530 [SECURITY] [DLA 1389-1] apache2 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2018/05/msg00020.html"
},
{
"name": "1040571",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1040571"
},
{
"name": "RHSA-2019:0366",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:0366"
},
{
"name": "USN-3937-2",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3937-2/"
},
{
"name": "RHSA-2019:1898",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:1898"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "https://www.tenable.com/security/tns-2019-09",
"refsource": "CONFIRM",
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [11/13] - /httpd/site/trunk/content/security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [12/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re473305a65b4db888e3556e4dae10c2a04ee89dcff2e26ecdbd860a9@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210603 svn commit: r1075360 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3Ccvs.httpd.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-1312",
"datePublished": "2018-03-26T15:00:00Z",
"dateReserved": "2017-12-07T00:00:00",
"dateUpdated": "2024-09-16T19:14:07.045Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-7668
Vulnerability from cvelistv5
Published
2017-06-20 01:00
Modified
2024-08-05 16:12
Severity ?
EPSS score ?
Summary
The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache HTTP Server |
Version: 2.2.32 Version: 2.4.24, 2.4.25 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:28.098Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.apple.com/HT208221"
},
{
"name": "RHSA-2017:2479",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2479"
},
{
"name": "[dev] 20170619 CVE-2017-7668: ap_find_token buffer overread",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/55a068b6a5eec0b3198ae7d96a7cb412352d0ffa7716612c5af3745b%40%3Cdev.httpd.apache.org%3E"
},
{
"name": "RHSA-2017:2483",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2483"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20180601-0002/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03908en_us"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03821en_us"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"name": "99137",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99137"
},
{
"name": "DSA-3896",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2017/dsa-3896"
},
{
"name": "RHSA-2017:3194",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:3194"
},
{
"name": "RHSA-2017:3193",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:3193"
},
{
"name": "1038711",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1038711"
},
{
"name": "GLSA-201710-32",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201710-32"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [11/13] - /httpd/site/trunk/content/security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073146 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073146 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210603 svn commit: r1075360 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075467 [2/2] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache HTTP Server",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "2.2.32"
},
{
"status": "affected",
"version": "2.4.24, 2.4.25"
}
]
}
],
"datePublic": "2017-06-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-126",
"description": "Denial of Service, Integrity Violation (CWE-126)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-06T10:12:02",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.apple.com/HT208221"
},
{
"name": "RHSA-2017:2479",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2479"
},
{
"name": "[dev] 20170619 CVE-2017-7668: ap_find_token buffer overread",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/55a068b6a5eec0b3198ae7d96a7cb412352d0ffa7716612c5af3745b%40%3Cdev.httpd.apache.org%3E"
},
{
"name": "RHSA-2017:2483",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2483"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20180601-0002/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03908en_us"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03821en_us"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"name": "99137",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99137"
},
{
"name": "DSA-3896",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2017/dsa-3896"
},
{
"name": "RHSA-2017:3194",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:3194"
},
{
"name": "RHSA-2017:3193",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:3193"
},
{
"name": "1038711",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1038711"
},
{
"name": "GLSA-201710-32",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201710-32"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [11/13] - /httpd/site/trunk/content/security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073146 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073146 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210603 svn commit: r1075360 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075467 [2/2] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2017-7668",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache HTTP Server",
"version": {
"version_data": [
{
"version_value": "2.2.32"
},
{
"version_value": "2.4.24, 2.4.25"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service, Integrity Violation (CWE-126)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.apple.com/HT208221",
"refsource": "CONFIRM",
"url": "https://support.apple.com/HT208221"
},
{
"name": "RHSA-2017:2479",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:2479"
},
{
"name": "[dev] 20170619 CVE-2017-7668: ap_find_token buffer overread",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/55a068b6a5eec0b3198ae7d96a7cb412352d0ffa7716612c5af3745b@%3Cdev.httpd.apache.org%3E"
},
{
"name": "RHSA-2017:2483",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:2483"
},
{
"name": "https://security.netapp.com/advisory/ntap-20180601-0002/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20180601-0002/"
},
{
"name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03908en_us",
"refsource": "CONFIRM",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03908en_us"
},
{
"name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03821en_us",
"refsource": "CONFIRM",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03821en_us"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"name": "99137",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99137"
},
{
"name": "DSA-3896",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2017/dsa-3896"
},
{
"name": "RHSA-2017:3194",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:3194"
},
{
"name": "RHSA-2017:3193",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:3193"
},
{
"name": "1038711",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1038711"
},
{
"name": "GLSA-201710-32",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201710-32"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "https://www.tenable.com/security/tns-2019-09",
"refsource": "CONFIRM",
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [11/13] - /httpd/site/trunk/content/security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073146 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073146 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210603 svn commit: r1075360 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075467 [2/2] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f@%3Ccvs.httpd.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7668",
"datePublished": "2017-06-20T01:00:00",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-08-05T16:12:28.098Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-14583
Vulnerability from cvelistv5
Published
2020-07-15 17:34
Modified
2024-09-27 18:37
Severity ?
EPSS score ?
Summary
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Oracle Corporation | Java |
Version: Java SE: 7u261, 8u251, 11.0.7, 14.0.1 Version: Java SE Embedded: 8u251 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:53:41.875Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200717-0005/"
},
{
"name": "FEDORA-2020-e418151dc3",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/"
},
{
"name": "FEDORA-2020-5d0b4a2b5b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QQUMIAON2YEFRONMIUVHAKYCIOLICDBA/"
},
{
"name": "USN-4433-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4433-1/"
},
{
"name": "DSA-4734",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4734"
},
{
"name": "FEDORA-2020-508df53719",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/"
},
{
"name": "FEDORA-2020-93cc9c3ef2",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MEPHBZPNSLX43B26DWKB7OS6AROTS2BO/"
},
{
"name": "openSUSE-SU-2020:1175",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00019.html"
},
{
"name": "openSUSE-SU-2020:1191",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00027.html"
},
{
"name": "[debian-lts-announce] 20200813 [SECURITY] [DLA 2325-1] openjdk-8 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html"
},
{
"name": "USN-4453-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4453-1/"
},
{
"name": "GLSA-202008-24",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202008-24"
},
{
"name": "openSUSE-SU-2020:1893",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-14583",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-27T17:55:01.769871Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T18:37:10.873Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Java",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "Java SE: 7u261, 8u251, 11.0.7, 14.0.1"
},
{
"status": "affected",
"version": "Java SE Embedded: 8u251"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle GraalVM Enterprise Edition.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-25T15:06:25",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200717-0005/"
},
{
"name": "FEDORA-2020-e418151dc3",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/"
},
{
"name": "FEDORA-2020-5d0b4a2b5b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QQUMIAON2YEFRONMIUVHAKYCIOLICDBA/"
},
{
"name": "USN-4433-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4433-1/"
},
{
"name": "DSA-4734",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4734"
},
{
"name": "FEDORA-2020-508df53719",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/"
},
{
"name": "FEDORA-2020-93cc9c3ef2",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MEPHBZPNSLX43B26DWKB7OS6AROTS2BO/"
},
{
"name": "openSUSE-SU-2020:1175",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00019.html"
},
{
"name": "openSUSE-SU-2020:1191",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00027.html"
},
{
"name": "[debian-lts-announce] 20200813 [SECURITY] [DLA 2325-1] openjdk-8 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html"
},
{
"name": "USN-4453-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4453-1/"
},
{
"name": "GLSA-202008-24",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202008-24"
},
{
"name": "openSUSE-SU-2020:1893",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2020-14583",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Java",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "Java SE: 7u261, 8u251, 11.0.7, 14.0.1"
},
{
"version_affected": "=",
"version_value": "Java SE Embedded: 8u251"
}
]
}
}
]
},
"vendor_name": "Oracle Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)."
}
]
},
"impact": {
"cvss": {
"baseScore": "8.3",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle GraalVM Enterprise Edition."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.oracle.com/security-alerts/cpujul2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200717-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200717-0005/"
},
{
"name": "FEDORA-2020-e418151dc3",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/"
},
{
"name": "FEDORA-2020-5d0b4a2b5b",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QQUMIAON2YEFRONMIUVHAKYCIOLICDBA/"
},
{
"name": "USN-4433-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4433-1/"
},
{
"name": "DSA-4734",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4734"
},
{
"name": "FEDORA-2020-508df53719",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/"
},
{
"name": "FEDORA-2020-93cc9c3ef2",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEPHBZPNSLX43B26DWKB7OS6AROTS2BO/"
},
{
"name": "openSUSE-SU-2020:1175",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00019.html"
},
{
"name": "openSUSE-SU-2020:1191",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00027.html"
},
{
"name": "[debian-lts-announce] 20200813 [SECURITY] [DLA 2325-1] openjdk-8 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html"
},
{
"name": "USN-4453-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4453-1/"
},
{
"name": "GLSA-202008-24",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202008-24"
},
{
"name": "openSUSE-SU-2020:1893",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html"
},
{
"name": "GLSA-202209-15",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202209-15"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2020-14583",
"datePublished": "2020-07-15T17:34:28",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-09-27T18:37:10.873Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-21994
Vulnerability from cvelistv5
Published
2024-11-08 21:06
Modified
2024-11-09 15:52
Severity ?
EPSS score ?
Summary
CVE-2024-21994 Denial of Service Vulnerability in StorageGRID (formerly StorageGRID Webscale)
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | NetApp | StorageGRID |
Version: 0 < 11.9.0 |
|
|
|||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21994",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-09T15:52:45.627489Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-09T15:52:48.138Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "StorageGRID",
"vendor": "NetApp",
"versions": [
{
"lessThan": "11.9.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eStorageGRID (formerly StorageGRID Webscale) versions prior to 11.9 are susceptible to a Denial of Service (DoS) vulnerability. Successful exploit by an authenticated attacker could lead to a service crash.\u003c/p\u003e"
}
],
"value": "StorageGRID (formerly StorageGRID Webscale) versions prior to 11.9 are susceptible to a Denial of Service (DoS) vulnerability. Successful exploit by an authenticated attacker could lead to a service crash."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "789",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-08T21:06:32.380Z",
"orgId": "11fdca00-0482-4c88-a206-37f9c182c87d",
"shortName": "netapp"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20241108-0001/"
}
],
"source": {
"advisory": "NTAP-20241108-0001",
"discovery": "UNKNOWN"
},
"title": "CVE-2024-21994 Denial of Service Vulnerability in StorageGRID (formerly StorageGRID Webscale)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "11fdca00-0482-4c88-a206-37f9c182c87d",
"assignerShortName": "netapp",
"cveId": "CVE-2024-21994",
"datePublished": "2024-11-08T21:06:32.380Z",
"dateReserved": "2024-01-03T19:45:25.347Z",
"dateUpdated": "2024-11-09T15:52:48.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-2800
Vulnerability from cvelistv5
Published
2020-04-15 13:29
Modified
2024-09-30 15:02
Severity ?
EPSS score ?
Summary
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Oracle Corporation | Java |
Version: Java SE: 7u251, 8u241, 11.0.6, 14 Version: Java SE Embedded: 8u241 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:17:02.727Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "[debian-lts-announce] 20200429 [SECURITY] [DLA 2193-1] openjdk-7 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html"
},
{
"name": "DSA-4668",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4668"
},
{
"name": "FEDORA-2020-5386fe3bbb",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/"
},
{
"name": "FEDORA-2020-21ca991b3b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/"
},
{
"name": "FEDORA-2020-a60ad9d4ec",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/"
},
{
"name": "openSUSE-SU-2020:0757",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"name": "openSUSE-SU-2020:0800",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"name": "GLSA-202006-22",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202006-22"
},
{
"name": "openSUSE-SU-2020:0841",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-2800",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-30T14:59:16.949849Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T15:02:23.206Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Java",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "Java SE: 7u251, 8u241, 11.0.6, 14"
},
{
"status": "affected",
"version": "Java SE Embedded: 8u241"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-25T15:06:30",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "[debian-lts-announce] 20200429 [SECURITY] [DLA 2193-1] openjdk-7 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html"
},
{
"name": "DSA-4668",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4668"
},
{
"name": "FEDORA-2020-5386fe3bbb",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/"
},
{
"name": "FEDORA-2020-21ca991b3b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/"
},
{
"name": "FEDORA-2020-a60ad9d4ec",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/"
},
{
"name": "openSUSE-SU-2020:0757",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"name": "openSUSE-SU-2020:0800",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"name": "GLSA-202006-22",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202006-22"
},
{
"name": "openSUSE-SU-2020:0841",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2020-2800",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Java",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "Java SE: 7u251, 8u241, 11.0.6, 14"
},
{
"version_affected": "=",
"version_value": "Java SE Embedded: 8u241"
}
]
}
}
]
},
"vendor_name": "Oracle Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)."
}
]
},
"impact": {
"cvss": {
"baseScore": "4.8",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200416-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "[debian-lts-announce] 20200429 [SECURITY] [DLA 2193-1] openjdk-7 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html"
},
{
"name": "DSA-4668",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4668"
},
{
"name": "FEDORA-2020-5386fe3bbb",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/"
},
{
"name": "FEDORA-2020-21ca991b3b",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/"
},
{
"name": "FEDORA-2020-a60ad9d4ec",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/"
},
{
"name": "openSUSE-SU-2020:0757",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"name": "openSUSE-SU-2020:0800",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"name": "GLSA-202006-22",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202006-22"
},
{
"name": "openSUSE-SU-2020:0841",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"name": "GLSA-202209-15",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202209-15"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2020-2800",
"datePublished": "2020-04-15T13:29:46",
"dateReserved": "2019-12-10T00:00:00",
"dateUpdated": "2024-09-30T15:02:23.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-23773
Vulnerability from cvelistv5
Published
2022-02-11 00:16
Modified
2024-08-03 03:51
Severity ?
EPSS score ?
Summary
cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.oracle.com/security-alerts/cpujul2022.html | x_refsource_MISC | |
| https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ | x_refsource_MISC | |
| https://security.netapp.com/advisory/ntap-20220225-0006/ | x_refsource_CONFIRM | |
| https://security.gentoo.org/glsa/202208-02 | vendor-advisory, x_refsource_GENTOO |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:51:45.976Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220225-0006/"
},
{
"name": "GLSA-202208-02",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202208-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-04T15:12:04",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220225-0006/"
},
{
"name": "GLSA-202208-02",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202208-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-23773",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ",
"refsource": "MISC",
"url": "https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220225-0006/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220225-0006/"
},
{
"name": "GLSA-202208-02",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202208-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-23773",
"datePublished": "2022-02-11T00:16:08",
"dateReserved": "2022-01-20T00:00:00",
"dateUpdated": "2024-08-03T03:51:45.976Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-2781
Vulnerability from cvelistv5
Published
2020-04-15 13:29
Modified
2024-09-30 15:05
Severity ?
EPSS score ?
Summary
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Oracle Corporation | Java |
Version: Java SE: 7u251, 8u241, 11.0.6, 14 Version: Java SE Embedded: 8u241 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:17:02.849Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "[debian-lts-announce] 20200429 [SECURITY] [DLA 2193-1] openjdk-7 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html"
},
{
"name": "DSA-4668",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4668"
},
{
"name": "FEDORA-2020-5386fe3bbb",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/"
},
{
"name": "FEDORA-2020-21ca991b3b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/"
},
{
"name": "FEDORA-2020-a60ad9d4ec",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/"
},
{
"name": "openSUSE-SU-2020:0757",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"name": "openSUSE-SU-2020:0800",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"name": "GLSA-202006-22",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202006-22"
},
{
"name": "openSUSE-SU-2020:0841",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10318"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-2781",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-30T14:57:27.440297Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T15:05:39.406Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Java",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "Java SE: 7u251, 8u241, 11.0.6, 14"
},
{
"status": "affected",
"version": "Java SE Embedded: 8u241"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-25T15:06:35",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "[debian-lts-announce] 20200429 [SECURITY] [DLA 2193-1] openjdk-7 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html"
},
{
"name": "DSA-4668",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4668"
},
{
"name": "FEDORA-2020-5386fe3bbb",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/"
},
{
"name": "FEDORA-2020-21ca991b3b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/"
},
{
"name": "FEDORA-2020-a60ad9d4ec",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/"
},
{
"name": "openSUSE-SU-2020:0757",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"name": "openSUSE-SU-2020:0800",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"name": "GLSA-202006-22",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202006-22"
},
{
"name": "openSUSE-SU-2020:0841",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10318"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2020-2781",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Java",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "Java SE: 7u251, 8u241, 11.0.6, 14"
},
{
"version_affected": "=",
"version_value": "Java SE Embedded: 8u241"
}
]
}
}
]
},
"vendor_name": "Oracle Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)."
}
]
},
"impact": {
"cvss": {
"baseScore": "5.3",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200416-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "[debian-lts-announce] 20200429 [SECURITY] [DLA 2193-1] openjdk-7 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html"
},
{
"name": "DSA-4668",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4668"
},
{
"name": "FEDORA-2020-5386fe3bbb",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/"
},
{
"name": "FEDORA-2020-21ca991b3b",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/"
},
{
"name": "FEDORA-2020-a60ad9d4ec",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/"
},
{
"name": "openSUSE-SU-2020:0757",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"name": "openSUSE-SU-2020:0800",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"name": "GLSA-202006-22",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202006-22"
},
{
"name": "openSUSE-SU-2020:0841",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10318",
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10318"
},
{
"name": "GLSA-202209-15",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202209-15"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2020-2781",
"datePublished": "2020-04-15T13:29:46",
"dateReserved": "2019-12-10T00:00:00",
"dateUpdated": "2024-09-30T15:05:39.406Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-2638
Vulnerability from cvelistv5
Published
2018-01-18 02:00
Modified
2024-10-03 20:38
Severity ?
EPSS score ?
Summary
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are Java SE: 8u152 and 9.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2018:0351 | vendor-advisory, x_refsource_REDHAT | |
| http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html | x_refsource_CONFIRM | |
| https://security.netapp.com/advisory/ntap-20180117-0001/ | x_refsource_CONFIRM | |
| https://access.redhat.com/errata/RHSA-2018:0352 | vendor-advisory, x_refsource_REDHAT | |
| https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0 | x_refsource_CONFIRM | |
| https://access.redhat.com/errata/RHSA-2018:0099 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2018:1463 | vendor-advisory, x_refsource_REDHAT | |
| http://www.securitytracker.com/id/1040203 | vdb-entry, x_refsource_SECTRACK | |
| http://www.securityfocus.com/bid/102546 | vdb-entry, x_refsource_BID |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Oracle Corporation | Java |
Version: Java SE: 8u152 Version: 9.0.1 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T04:21:34.416Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2018:0351",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0351"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20180117-0001/"
},
{
"name": "RHSA-2018:0352",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0352"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0"
},
{
"name": "RHSA-2018:0099",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0099"
},
{
"name": "RHSA-2018:1463",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1463"
},
{
"name": "1040203",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1040203"
},
{
"name": "102546",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/102546"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2018-2638",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T19:19:42.892899Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T20:38:40.248Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Java",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "Java SE: 8u152"
},
{
"status": "affected",
"version": "9.0.1"
}
]
}
],
"datePublic": "2018-01-03T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are Java SE: 8u152 and 9.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-11-30T20:57:01",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"name": "RHSA-2018:0351",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0351"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20180117-0001/"
},
{
"name": "RHSA-2018:0352",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0352"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0"
},
{
"name": "RHSA-2018:0099",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0099"
},
{
"name": "RHSA-2018:1463",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1463"
},
{
"name": "1040203",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1040203"
},
{
"name": "102546",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/102546"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2018-2638",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Java",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "Java SE: 8u152"
},
{
"version_affected": "=",
"version_value": "9.0.1"
}
]
}
}
]
},
"vendor_name": "Oracle Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are Java SE: 8u152 and 9.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2018:0351",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:0351"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20180117-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20180117-0001/"
},
{
"name": "RHSA-2018:0352",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:0352"
},
{
"name": "https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0",
"refsource": "CONFIRM",
"url": "https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0"
},
{
"name": "RHSA-2018:0099",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:0099"
},
{
"name": "RHSA-2018:1463",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:1463"
},
{
"name": "1040203",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1040203"
},
{
"name": "102546",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/102546"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2018-2638",
"datePublished": "2018-01-18T02:00:00",
"dateReserved": "2017-12-15T00:00:00",
"dateUpdated": "2024-10-03T20:38:40.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-23772
Vulnerability from cvelistv5
Published
2022-02-11 00:11
Modified
2024-08-03 03:51
Severity ?
EPSS score ?
Summary
Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.debian.org/debian-lts-announce/2022/04/msg00017.html | mailing-list, x_refsource_MLIST | |
| https://lists.debian.org/debian-lts-announce/2022/04/msg00018.html | mailing-list, x_refsource_MLIST | |
| https://www.oracle.com/security-alerts/cpujul2022.html | x_refsource_MISC | |
| https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ | x_refsource_MISC | |
| https://security.netapp.com/advisory/ntap-20220225-0006/ | x_refsource_CONFIRM | |
| https://security.gentoo.org/glsa/202208-02 | vendor-advisory, x_refsource_GENTOO |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:51:46.050Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[debian-lts-announce] 20220428 [SECURITY] [DLA 2985-1] golang-1.7 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00017.html"
},
{
"name": "[debian-lts-announce] 20220428 [SECURITY] [DLA 2986-1] golang-1.8 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00018.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220225-0006/"
},
{
"name": "GLSA-202208-02",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202208-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-04T15:08:10",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[debian-lts-announce] 20220428 [SECURITY] [DLA 2985-1] golang-1.7 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00017.html"
},
{
"name": "[debian-lts-announce] 20220428 [SECURITY] [DLA 2986-1] golang-1.8 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00018.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220225-0006/"
},
{
"name": "GLSA-202208-02",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202208-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-23772",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[debian-lts-announce] 20220428 [SECURITY] [DLA 2985-1] golang-1.7 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00017.html"
},
{
"name": "[debian-lts-announce] 20220428 [SECURITY] [DLA 2986-1] golang-1.8 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00018.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ",
"refsource": "MISC",
"url": "https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220225-0006/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220225-0006/"
},
{
"name": "GLSA-202208-02",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202208-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-23772",
"datePublished": "2022-02-11T00:11:15",
"dateReserved": "2022-01-20T00:00:00",
"dateUpdated": "2024-08-03T03:51:46.050Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-2778
Vulnerability from cvelistv5
Published
2020-04-15 13:29
Modified
2024-09-30 15:38
Severity ?
EPSS score ?
Summary
Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 11.0.6 and 14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.oracle.com/security-alerts/cpuapr2020.html | x_refsource_MISC | |
| https://security.netapp.com/advisory/ntap-20200416-0004/ | x_refsource_CONFIRM | |
| https://www.debian.org/security/2020/dsa-4662 | vendor-advisory, x_refsource_DEBIAN | |
| https://usn.ubuntu.com/4337-1/ | vendor-advisory, x_refsource_UBUNTU | |
| http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html | vendor-advisory, x_refsource_SUSE |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Oracle Corporation | Java |
Version: Java SE: 11.0.6, 14 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:17:02.621Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "openSUSE-SU-2020:0757",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-2778",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-30T14:59:35.969192Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T15:38:23.112Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Java",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "Java SE: 11.0.6, 14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 11.0.6 and 14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-02T14:06:15",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "openSUSE-SU-2020:0757",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2020-2778",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Java",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "Java SE: 11.0.6, 14"
}
]
}
}
]
},
"vendor_name": "Oracle Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 11.0.6 and 14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)."
}
]
},
"impact": {
"cvss": {
"baseScore": "3.7",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200416-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "openSUSE-SU-2020:0757",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2020-2778",
"datePublished": "2020-04-15T13:29:45",
"dateReserved": "2019-12-10T00:00:00",
"dateUpdated": "2024-09-30T15:38:23.112Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-16166
Vulnerability from cvelistv5
Published
2020-07-30 20:05
Modified
2024-08-04 13:37
Severity ?
EPSS score ?
Summary
The Linux kernel through 5.7.11 allows remote attackers to make observations that help to obtain sensitive information about the internal state of the network RNG, aka CID-f227e3ec3b5c. This is related to drivers/char/random.c and kernel/time/timer.c.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:37:53.889Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/torvalds/linux/commit/f227e3ec3b5cad859ad15666874405e8c1bbc1d4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f227e3ec3b5cad859ad15666874405e8c1bbc1d4"
},
{
"name": "openSUSE-SU-2020:1153",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00009.html"
},
{
"name": "FEDORA-2020-8d634e31c0",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MFBCLQWJI5I4G25TVJNLXLAXJ4MERQNW/"
},
{
"name": "FEDORA-2020-2cd6393548",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AAPTLPAEKVAJYJ4LHN7VH4CN2W75R2YW/"
},
{
"name": "openSUSE-SU-2020:1236",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00047.html"
},
{
"name": "USN-4526-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4526-1/"
},
{
"name": "USN-4525-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4525-1/"
},
{
"name": "[debian-lts-announce] 20200928 [SECURITY] [DLA 2385-1] linux-4.19 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00025.html"
},
{
"name": "[debian-lts-announce] 20201030 [SECURITY] [DLA 2420-1] linux security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00032.html"
},
{
"name": "[debian-lts-announce] 20201031 [SECURITY] [DLA 2420-2] linux regression update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00034.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200814-0004/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c51f8f88d705e06bd696d7510aff22b33eb8e638"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://arxiv.org/pdf/2012.07432.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Linux kernel through 5.7.11 allows remote attackers to make observations that help to obtain sensitive information about the internal state of the network RNG, aka CID-f227e3ec3b5c. This is related to drivers/char/random.c and kernel/time/timer.c."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-14T17:20:17",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/torvalds/linux/commit/f227e3ec3b5cad859ad15666874405e8c1bbc1d4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f227e3ec3b5cad859ad15666874405e8c1bbc1d4"
},
{
"name": "openSUSE-SU-2020:1153",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00009.html"
},
{
"name": "FEDORA-2020-8d634e31c0",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MFBCLQWJI5I4G25TVJNLXLAXJ4MERQNW/"
},
{
"name": "FEDORA-2020-2cd6393548",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AAPTLPAEKVAJYJ4LHN7VH4CN2W75R2YW/"
},
{
"name": "openSUSE-SU-2020:1236",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00047.html"
},
{
"name": "USN-4526-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4526-1/"
},
{
"name": "USN-4525-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4525-1/"
},
{
"name": "[debian-lts-announce] 20200928 [SECURITY] [DLA 2385-1] linux-4.19 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00025.html"
},
{
"name": "[debian-lts-announce] 20201030 [SECURITY] [DLA 2420-1] linux security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00032.html"
},
{
"name": "[debian-lts-announce] 20201031 [SECURITY] [DLA 2420-2] linux regression update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00034.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200814-0004/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c51f8f88d705e06bd696d7510aff22b33eb8e638"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://arxiv.org/pdf/2012.07432.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-16166",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Linux kernel through 5.7.11 allows remote attackers to make observations that help to obtain sensitive information about the internal state of the network RNG, aka CID-f227e3ec3b5c. This is related to drivers/char/random.c and kernel/time/timer.c."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/torvalds/linux/commit/f227e3ec3b5cad859ad15666874405e8c1bbc1d4",
"refsource": "MISC",
"url": "https://github.com/torvalds/linux/commit/f227e3ec3b5cad859ad15666874405e8c1bbc1d4"
},
{
"name": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f227e3ec3b5cad859ad15666874405e8c1bbc1d4",
"refsource": "MISC",
"url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f227e3ec3b5cad859ad15666874405e8c1bbc1d4"
},
{
"name": "openSUSE-SU-2020:1153",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00009.html"
},
{
"name": "FEDORA-2020-8d634e31c0",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MFBCLQWJI5I4G25TVJNLXLAXJ4MERQNW/"
},
{
"name": "FEDORA-2020-2cd6393548",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AAPTLPAEKVAJYJ4LHN7VH4CN2W75R2YW/"
},
{
"name": "openSUSE-SU-2020:1236",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00047.html"
},
{
"name": "USN-4526-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4526-1/"
},
{
"name": "USN-4525-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4525-1/"
},
{
"name": "[debian-lts-announce] 20200928 [SECURITY] [DLA 2385-1] linux-4.19 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00025.html"
},
{
"name": "[debian-lts-announce] 20201030 [SECURITY] [DLA 2420-1] linux security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00032.html"
},
{
"name": "[debian-lts-announce] 20201031 [SECURITY] [DLA 2420-2] linux regression update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00034.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200814-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200814-0004/"
},
{
"name": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c51f8f88d705e06bd696d7510aff22b33eb8e638",
"refsource": "MISC",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c51f8f88d705e06bd696d7510aff22b33eb8e638"
},
{
"name": "https://arxiv.org/pdf/2012.07432.pdf",
"refsource": "MISC",
"url": "https://arxiv.org/pdf/2012.07432.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-16166",
"datePublished": "2020-07-30T20:05:24",
"dateReserved": "2020-07-30T00:00:00",
"dateUpdated": "2024-08-04T13:37:53.889Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-36160
Vulnerability from cvelistv5
Published
2021-09-16 14:40
Modified
2024-08-04 00:47
Severity ?
EPSS score ?
Summary
mod_proxy_uwsgi out of bound read
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache HTTP Server |
Version: Apache HTTP Server 2.4 < |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.818Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "[httpd-cvs] 20210916 [httpd-site] branch main updated: Revert \"Add descriptions for CVE-2021-33193 CVE-2021-36160\"",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re4162adc051c1a0a79e7a24093f3776373e8733abaff57253fef341d%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210916 [httpd-site] branch main updated: Add descriptions for CVE-2021-33193 CVE-2021-36160",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ree7519d71415ecdd170ff1889cab552d71758d2ba2904a17ded21a70%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "FEDORA-2021-dce7e7738e",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/"
},
{
"name": "[httpd-users] 20210923 [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 Re: [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 Re: [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "FEDORA-2021-e3f6dd670d",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/"
},
{
"name": "[debian-lts-announce] 20210929 [SECURITY] [DLA 2768-1] uwsgi security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00016.html"
},
{
"name": "[httpd-bugs] 20211005 [Bug 65616] New: CVE-2021-36160 regression",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra1c05a392587bfe34383dffe1213edc425de8d4afc25b7cefab3e781%40%3Cbugs.httpd.apache.org%3E"
},
{
"name": "[httpd-bugs] 20211005 [Bug 65616] CVE-2021-36160 regression",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r73260f6ba9fb52e43d860905fc90462ba5a814afda2d011f32bbd41c%40%3Cbugs.httpd.apache.org%3E"
},
{
"name": "[httpd-bugs] 20211006 [Bug 65616] CVE-2021-36160 regression",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7f2746e916ed370239bc1a1025e5ebbf345f79df9ea0ea39e44acfbb%40%3Cbugs.httpd.apache.org%3E"
},
{
"name": "[httpd-bugs] 20211008 [Bug 65616] CVE-2021-36160 regression",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37%40%3Cbugs.httpd.apache.org%3E"
},
{
"name": "[httpd-bugs] 20211009 [Bug 65616] CVE-2021-36160 regression",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r94a61a1517133a19dcf40016e87454ea86e355d06a0cec4c778530f3%40%3Cbugs.httpd.apache.org%3E"
},
{
"name": "DSA-4982",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4982"
},
{
"name": "[httpd-bugs] 20211011 [Bug 65616] CVE-2021-36160 regression",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra87a69d0703d09dc52b86e32b08f8d7327af10acdd5f577a4e82596a%40%3Cbugs.httpd.apache.org%3E"
},
{
"name": "[httpd-bugs] 20211012 [Bug 65616] CVE-2021-36160 regression",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb2341c8786d0f9924f5b666e82d8d170b4804f50a523d750551bef1a%40%3Cbugs.httpd.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20211020 [SECURITY] [DLA 2768-2] uwsgi regression update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00016.html"
},
{
"name": "20211124 Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021",
"tags": [
"vendor-advisory",
"x_refsource_CISCO",
"x_transferred"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20211008-0004/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "GLSA-202208-20",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202208-20"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache HTTP Server",
"vendor": "Apache Software Foundation",
"versions": [
{
"changes": [
{
"at": "2.4.30",
"status": "affected"
}
],
"lessThanOrEqual": "2.4.48",
"status": "affected",
"version": "Apache HTTP Server 2.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "LI ZHI XIN from NSFocus Security Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive)."
}
],
"metrics": [
{
"other": {
"content": {
"other": "moderate"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 out of bound read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-14T01:06:27",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "[httpd-cvs] 20210916 [httpd-site] branch main updated: Revert \"Add descriptions for CVE-2021-33193 CVE-2021-36160\"",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re4162adc051c1a0a79e7a24093f3776373e8733abaff57253fef341d%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210916 [httpd-site] branch main updated: Add descriptions for CVE-2021-33193 CVE-2021-36160",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ree7519d71415ecdd170ff1889cab552d71758d2ba2904a17ded21a70%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "FEDORA-2021-dce7e7738e",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/"
},
{
"name": "[httpd-users] 20210923 [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 Re: [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 Re: [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "FEDORA-2021-e3f6dd670d",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/"
},
{
"name": "[debian-lts-announce] 20210929 [SECURITY] [DLA 2768-1] uwsgi security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00016.html"
},
{
"name": "[httpd-bugs] 20211005 [Bug 65616] New: CVE-2021-36160 regression",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra1c05a392587bfe34383dffe1213edc425de8d4afc25b7cefab3e781%40%3Cbugs.httpd.apache.org%3E"
},
{
"name": "[httpd-bugs] 20211005 [Bug 65616] CVE-2021-36160 regression",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r73260f6ba9fb52e43d860905fc90462ba5a814afda2d011f32bbd41c%40%3Cbugs.httpd.apache.org%3E"
},
{
"name": "[httpd-bugs] 20211006 [Bug 65616] CVE-2021-36160 regression",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7f2746e916ed370239bc1a1025e5ebbf345f79df9ea0ea39e44acfbb%40%3Cbugs.httpd.apache.org%3E"
},
{
"name": "[httpd-bugs] 20211008 [Bug 65616] CVE-2021-36160 regression",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37%40%3Cbugs.httpd.apache.org%3E"
},
{
"name": "[httpd-bugs] 20211009 [Bug 65616] CVE-2021-36160 regression",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r94a61a1517133a19dcf40016e87454ea86e355d06a0cec4c778530f3%40%3Cbugs.httpd.apache.org%3E"
},
{
"name": "DSA-4982",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4982"
},
{
"name": "[httpd-bugs] 20211011 [Bug 65616] CVE-2021-36160 regression",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra87a69d0703d09dc52b86e32b08f8d7327af10acdd5f577a4e82596a%40%3Cbugs.httpd.apache.org%3E"
},
{
"name": "[httpd-bugs] 20211012 [Bug 65616] CVE-2021-36160 regression",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb2341c8786d0f9924f5b666e82d8d170b4804f50a523d750551bef1a%40%3Cbugs.httpd.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20211020 [SECURITY] [DLA 2768-2] uwsgi regression update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00016.html"
},
{
"name": "20211124 Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021",
"tags": [
"vendor-advisory",
"x_refsource_CISCO"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20211008-0004/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "GLSA-202208-20",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202208-20"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2021-04-26T00:00:00",
"value": "reported"
},
{
"lang": "en",
"time": "2021-09-16T00:00:00",
"value": "2.4.49 release"
}
],
"title": "mod_proxy_uwsgi out of bound read",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-36160",
"STATE": "PUBLIC",
"TITLE": "mod_proxy_uwsgi out of bound read"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache HTTP Server",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "Apache HTTP Server 2.4",
"version_value": "2.4.48"
},
{
"version_affected": "!\u003c",
"version_name": "Apache HTTP Server 2.4",
"version_value": "2.4.30"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "LI ZHI XIN from NSFocus Security Team"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive)."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "moderate"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-125 out of bound read"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://httpd.apache.org/security/vulnerabilities_24.html",
"refsource": "MISC",
"url": "http://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "[httpd-cvs] 20210916 [httpd-site] branch main updated: Revert \"Add descriptions for CVE-2021-33193 CVE-2021-36160\"",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re4162adc051c1a0a79e7a24093f3776373e8733abaff57253fef341d@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210916 [httpd-site] branch main updated: Add descriptions for CVE-2021-33193 CVE-2021-36160",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ree7519d71415ecdd170ff1889cab552d71758d2ba2904a17ded21a70@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "FEDORA-2021-dce7e7738e",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/"
},
{
"name": "[httpd-users] 20210923 [users@httpd] 2.4.49 security fixes: more info",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697@%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 Re: [users@httpd] 2.4.49 security fixes: more info",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029@%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432@%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 Re: [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c@%3Cusers.httpd.apache.org%3E"
},
{
"name": "FEDORA-2021-e3f6dd670d",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/"
},
{
"name": "[debian-lts-announce] 20210929 [SECURITY] [DLA 2768-1] uwsgi security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00016.html"
},
{
"name": "[httpd-bugs] 20211005 [Bug 65616] New: CVE-2021-36160 regression",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra1c05a392587bfe34383dffe1213edc425de8d4afc25b7cefab3e781@%3Cbugs.httpd.apache.org%3E"
},
{
"name": "[httpd-bugs] 20211005 [Bug 65616] CVE-2021-36160 regression",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r73260f6ba9fb52e43d860905fc90462ba5a814afda2d011f32bbd41c@%3Cbugs.httpd.apache.org%3E"
},
{
"name": "[httpd-bugs] 20211006 [Bug 65616] CVE-2021-36160 regression",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7f2746e916ed370239bc1a1025e5ebbf345f79df9ea0ea39e44acfbb@%3Cbugs.httpd.apache.org%3E"
},
{
"name": "[httpd-bugs] 20211008 [Bug 65616] CVE-2021-36160 regression",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37@%3Cbugs.httpd.apache.org%3E"
},
{
"name": "[httpd-bugs] 20211009 [Bug 65616] CVE-2021-36160 regression",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r94a61a1517133a19dcf40016e87454ea86e355d06a0cec4c778530f3@%3Cbugs.httpd.apache.org%3E"
},
{
"name": "DSA-4982",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4982"
},
{
"name": "[httpd-bugs] 20211011 [Bug 65616] CVE-2021-36160 regression",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra87a69d0703d09dc52b86e32b08f8d7327af10acdd5f577a4e82596a@%3Cbugs.httpd.apache.org%3E"
},
{
"name": "[httpd-bugs] 20211012 [Bug 65616] CVE-2021-36160 regression",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb2341c8786d0f9924f5b666e82d8d170b4804f50a523d750551bef1a@%3Cbugs.httpd.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20211020 [SECURITY] [DLA 2768-2] uwsgi regression update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00016.html"
},
{
"name": "20211124 Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021",
"refsource": "CISCO",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20211008-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20211008-0004/"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "GLSA-202208-20",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202208-20"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2021-04-26T00:00:00",
"value": "reported"
},
{
"lang": "en",
"time": "2021-09-16T00:00:00",
"value": "2.4.49 release"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-36160",
"datePublished": "2021-09-16T14:40:18",
"dateReserved": "2021-07-06T00:00:00",
"dateUpdated": "2024-08-04T00:47:43.818Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-2767
Vulnerability from cvelistv5
Published
2020-04-15 13:29
Modified
2024-09-30 15:40
Severity ?
EPSS score ?
Summary
Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 11.0.6 and 14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.oracle.com/security-alerts/cpuapr2020.html | x_refsource_MISC | |
| https://security.netapp.com/advisory/ntap-20200416-0004/ | x_refsource_CONFIRM | |
| https://www.debian.org/security/2020/dsa-4662 | vendor-advisory, x_refsource_DEBIAN | |
| https://usn.ubuntu.com/4337-1/ | vendor-advisory, x_refsource_UBUNTU | |
| http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html | vendor-advisory, x_refsource_SUSE |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Oracle Corporation | Java |
Version: Java SE: 11.0.6, 14 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:17:02.632Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "openSUSE-SU-2020:0757",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-2767",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-30T14:59:51.390149Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T15:40:08.657Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Java",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "Java SE: 11.0.6, 14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 11.0.6 and 14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-02T14:06:17",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "openSUSE-SU-2020:0757",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2020-2767",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Java",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "Java SE: 11.0.6, 14"
}
]
}
}
]
},
"vendor_name": "Oracle Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 11.0.6 and 14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)."
}
]
},
"impact": {
"cvss": {
"baseScore": "4.8",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200416-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "openSUSE-SU-2020:0757",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2020-2767",
"datePublished": "2020-04-15T13:29:45",
"dateReserved": "2019-12-10T00:00:00",
"dateUpdated": "2024-09-30T15:40:08.657Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-2826
Vulnerability from cvelistv5
Published
2018-04-19 02:00
Modified
2024-08-05 04:29
Severity ?
EPSS score ?
Summary
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Libraries). The supported version that is affected is Java SE: 10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securitytracker.com/id/1040697 | vdb-entry, x_refsource_SECTRACK | |
| https://usn.ubuntu.com/3747-1/ | vendor-advisory, x_refsource_UBUNTU | |
| https://security.netapp.com/advisory/ntap-20180419-0001/ | x_refsource_CONFIRM | |
| https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0 | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/103796 | vdb-entry, x_refsource_BID | |
| http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Oracle Corporation | Java |
Version: Java SE: 10 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T04:29:44.829Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "1040697",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1040697"
},
{
"name": "USN-3747-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3747-1/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20180419-0001/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0"
},
{
"name": "103796",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103796"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Java",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "Java SE: 10"
}
]
}
],
"datePublic": "2018-03-27T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Libraries). The supported version that is affected is Java SE: 10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-11-30T20:57:01",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"name": "1040697",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1040697"
},
{
"name": "USN-3747-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3747-1/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20180419-0001/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0"
},
{
"name": "103796",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103796"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2018-2826",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Java",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "Java SE: 10"
}
]
}
}
]
},
"vendor_name": "Oracle Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Libraries). The supported version that is affected is Java SE: 10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "1040697",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1040697"
},
{
"name": "USN-3747-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3747-1/"
},
{
"name": "https://security.netapp.com/advisory/ntap-20180419-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20180419-0001/"
},
{
"name": "https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0",
"refsource": "CONFIRM",
"url": "https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0"
},
{
"name": "103796",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103796"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2018-2826",
"datePublished": "2018-04-19T02:00:00",
"dateReserved": "2017-12-15T00:00:00",
"dateUpdated": "2024-08-05T04:29:44.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-3167
Vulnerability from cvelistv5
Published
2017-06-20 01:00
Modified
2024-08-05 14:16
Severity ?
EPSS score ?
Summary
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache HTTP Server |
Version: 2.2.0 to 2.2.32 Version: 2.4.0 to 2.4.25 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T14:16:28.300Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.apple.com/HT208221"
},
{
"name": "RHSA-2017:2479",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2479"
},
{
"name": "RHSA-2017:2483",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2483"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20180601-0002/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.nomachine.com/SU08O00185"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03908en_us"
},
{
"name": "RHSA-2017:3475",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:3475"
},
{
"name": "99135",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99135"
},
{
"name": "RHSA-2017:3195",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:3195"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"name": "RHSA-2017:3476",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:3476"
},
{
"name": "[dev] 20170619 CVE-2017-3167: ap_get_basic_auth_pw authentication bypass",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/8409e41a8f7dd9ded37141c38df001be930115428c3d64f70bbdb8b4%40%3Cdev.httpd.apache.org%3E"
},
{
"name": "RHSA-2017:3477",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:3477"
},
{
"name": "DSA-3896",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2017/dsa-3896"
},
{
"name": "RHSA-2017:3194",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:3194"
},
{
"name": "RHSA-2017:3193",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:3193"
},
{
"name": "1038711",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1038711"
},
{
"name": "GLSA-201710-32",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201710-32"
},
{
"name": "RHSA-2017:2478",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2478"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [10/13] - /httpd/site/trunk/content/security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073146 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073146 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache HTTP Server",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "2.2.0 to 2.2.32"
},
{
"status": "affected",
"version": "2.4.0 to 2.4.25"
}
]
}
],
"datePublic": "2017-06-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "Authentication Bypass (CWE-287)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-06T10:12:00",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.apple.com/HT208221"
},
{
"name": "RHSA-2017:2479",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2479"
},
{
"name": "RHSA-2017:2483",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2483"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20180601-0002/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.nomachine.com/SU08O00185"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03908en_us"
},
{
"name": "RHSA-2017:3475",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:3475"
},
{
"name": "99135",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99135"
},
{
"name": "RHSA-2017:3195",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:3195"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"name": "RHSA-2017:3476",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:3476"
},
{
"name": "[dev] 20170619 CVE-2017-3167: ap_get_basic_auth_pw authentication bypass",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/8409e41a8f7dd9ded37141c38df001be930115428c3d64f70bbdb8b4%40%3Cdev.httpd.apache.org%3E"
},
{
"name": "RHSA-2017:3477",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:3477"
},
{
"name": "DSA-3896",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2017/dsa-3896"
},
{
"name": "RHSA-2017:3194",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:3194"
},
{
"name": "RHSA-2017:3193",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:3193"
},
{
"name": "1038711",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1038711"
},
{
"name": "GLSA-201710-32",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201710-32"
},
{
"name": "RHSA-2017:2478",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2478"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [10/13] - /httpd/site/trunk/content/security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073146 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073146 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2017-3167",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache HTTP Server",
"version": {
"version_data": [
{
"version_value": "2.2.0 to 2.2.32"
},
{
"version_value": "2.4.0 to 2.4.25"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Authentication Bypass (CWE-287)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.apple.com/HT208221",
"refsource": "CONFIRM",
"url": "https://support.apple.com/HT208221"
},
{
"name": "RHSA-2017:2479",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:2479"
},
{
"name": "RHSA-2017:2483",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:2483"
},
{
"name": "https://security.netapp.com/advisory/ntap-20180601-0002/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20180601-0002/"
},
{
"name": "https://www.nomachine.com/SU08O00185",
"refsource": "CONFIRM",
"url": "https://www.nomachine.com/SU08O00185"
},
{
"name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03908en_us",
"refsource": "CONFIRM",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03908en_us"
},
{
"name": "RHSA-2017:3475",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:3475"
},
{
"name": "99135",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99135"
},
{
"name": "RHSA-2017:3195",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:3195"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"name": "RHSA-2017:3476",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:3476"
},
{
"name": "[dev] 20170619 CVE-2017-3167: ap_get_basic_auth_pw authentication bypass",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/8409e41a8f7dd9ded37141c38df001be930115428c3d64f70bbdb8b4@%3Cdev.httpd.apache.org%3E"
},
{
"name": "RHSA-2017:3477",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:3477"
},
{
"name": "DSA-3896",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2017/dsa-3896"
},
{
"name": "RHSA-2017:3194",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:3194"
},
{
"name": "RHSA-2017:3193",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:3193"
},
{
"name": "1038711",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1038711"
},
{
"name": "GLSA-201710-32",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201710-32"
},
{
"name": "RHSA-2017:2478",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:2478"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "https://www.tenable.com/security/tns-2019-09",
"refsource": "CONFIRM",
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20200401 svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1888194 [10/13] - /httpd/site/trunk/content/security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073139 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073146 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073149 [11/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210330 svn commit: r1073146 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e@%3Ccvs.httpd.apache.org%3E"
},
{
"name": "[httpd-cvs] 20210606 svn commit: r1075470 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f@%3Ccvs.httpd.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-3167",
"datePublished": "2017-06-20T01:00:00",
"dateReserved": "2016-12-05T00:00:00",
"dateUpdated": "2024-08-05T14:16:28.300Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-10708
Vulnerability from cvelistv5
Published
2018-01-21 22:00
Modified
2024-08-06 03:30
Severity ?
EPSS score ?
Summary
sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.openssh.com/releasenotes.html | x_refsource_MISC | |
| https://security.netapp.com/advisory/ntap-20180423-0003/ | x_refsource_CONFIRM | |
| https://lists.debian.org/debian-lts-announce/2018/01/msg00031.html | mailing-list, x_refsource_MLIST | |
| https://anongit.mindrot.org/openssh.git/commit/?id=28652bca29046f62c7045e933e6b931de1d16737 | x_refsource_MISC | |
| https://usn.ubuntu.com/3809-1/ | vendor-advisory, x_refsource_UBUNTU | |
| http://www.securityfocus.com/bid/102780 | vdb-entry, x_refsource_BID | |
| https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html | mailing-list, x_refsource_MLIST | |
| http://blog.swiecki.net/2018/01/fuzzing-tcp-servers.html | x_refsource_MISC | |
| https://kc.mcafee.com/corporate/index?page=content&id=SB10284 | x_refsource_CONFIRM | |
| https://support.f5.com/csp/article/K32485746?utm_source=f5support&%3Butm_medium=RSS | x_refsource_CONFIRM | |
| https://cert-portal.siemens.com/productcert/pdf/ssa-676336.pdf | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:30:20.218Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.openssh.com/releasenotes.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20180423-0003/"
},
{
"name": "[debian-lts-announce] 20180126 [SECURITY] [DLA 1257-1] openssh security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00031.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://anongit.mindrot.org/openssh.git/commit/?id=28652bca29046f62c7045e933e6b931de1d16737"
},
{
"name": "USN-3809-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3809-1/"
},
{
"name": "102780",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/102780"
},
{
"name": "[debian-lts-announce] 20180910 [SECURITY] [DLA 1500-1] openssh security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://blog.swiecki.net/2018/01/fuzzing-tcp-servers.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10284"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://support.f5.com/csp/article/K32485746?utm_source=f5support\u0026amp%3Butm_medium=RSS"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-676336.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-01-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-14T12:06:20",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.openssh.com/releasenotes.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20180423-0003/"
},
{
"name": "[debian-lts-announce] 20180126 [SECURITY] [DLA 1257-1] openssh security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00031.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://anongit.mindrot.org/openssh.git/commit/?id=28652bca29046f62c7045e933e6b931de1d16737"
},
{
"name": "USN-3809-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3809-1/"
},
{
"name": "102780",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/102780"
},
{
"name": "[debian-lts-announce] 20180910 [SECURITY] [DLA 1500-1] openssh security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://blog.swiecki.net/2018/01/fuzzing-tcp-servers.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10284"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://support.f5.com/csp/article/K32485746?utm_source=f5support\u0026amp%3Butm_medium=RSS"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-676336.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-10708",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.openssh.com/releasenotes.html",
"refsource": "MISC",
"url": "https://www.openssh.com/releasenotes.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20180423-0003/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20180423-0003/"
},
{
"name": "[debian-lts-announce] 20180126 [SECURITY] [DLA 1257-1] openssh security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00031.html"
},
{
"name": "https://anongit.mindrot.org/openssh.git/commit/?id=28652bca29046f62c7045e933e6b931de1d16737",
"refsource": "MISC",
"url": "https://anongit.mindrot.org/openssh.git/commit/?id=28652bca29046f62c7045e933e6b931de1d16737"
},
{
"name": "USN-3809-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3809-1/"
},
{
"name": "102780",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/102780"
},
{
"name": "[debian-lts-announce] 20180910 [SECURITY] [DLA 1500-1] openssh security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html"
},
{
"name": "http://blog.swiecki.net/2018/01/fuzzing-tcp-servers.html",
"refsource": "MISC",
"url": "http://blog.swiecki.net/2018/01/fuzzing-tcp-servers.html"
},
{
"name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10284",
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10284"
},
{
"name": "https://support.f5.com/csp/article/K32485746?utm_source=f5support\u0026amp;utm_medium=RSS",
"refsource": "CONFIRM",
"url": "https://support.f5.com/csp/article/K32485746?utm_source=f5support\u0026amp;utm_medium=RSS"
},
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-676336.pdf",
"refsource": "CONFIRM",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-676336.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-10708",
"datePublished": "2018-01-21T22:00:00",
"dateReserved": "2018-01-21T00:00:00",
"dateUpdated": "2024-08-06T03:30:20.218Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-23233
Vulnerability from cvelistv5
Published
2022-03-04 17:22
Modified
2024-08-03 03:36
Severity ?
EPSS score ?
Summary
StorageGRID (formerly StorageGRID Webscale) versions prior to 11.6.0 are susceptible to a vulnerability which when successfully exploited could lead to Denial of Service (DoS) of the Local Distribution Router (LDR) service.
References
| ▼ | URL | Tags |
|---|---|---|
| https://security.netapp.com/advisory/NTAP-20220303-0010/ | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | n/a | StorageGRID (formerly StorageGRID Webscale) |
Version: Prior to 11.6.0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:36:20.451Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/NTAP-20220303-0010/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "StorageGRID (formerly StorageGRID Webscale)",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Prior to 11.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "StorageGRID (formerly StorageGRID Webscale) versions prior to 11.6.0 are susceptible to a vulnerability which when successfully exploited could lead to Denial of Service (DoS) of the Local Distribution Router (LDR) service."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Denial of Service",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-04T17:22:54",
"orgId": "11fdca00-0482-4c88-a206-37f9c182c87d",
"shortName": "netapp"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.netapp.com/advisory/NTAP-20220303-0010/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-alert@netapp.com",
"ID": "CVE-2022-23233",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "StorageGRID (formerly StorageGRID Webscale)",
"version": {
"version_data": [
{
"version_value": "Prior to 11.6.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "StorageGRID (formerly StorageGRID Webscale) versions prior to 11.6.0 are susceptible to a vulnerability which when successfully exploited could lead to Denial of Service (DoS) of the Local Distribution Router (LDR) service."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security.netapp.com/advisory/NTAP-20220303-0010/",
"refsource": "MISC",
"url": "https://security.netapp.com/advisory/NTAP-20220303-0010/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "11fdca00-0482-4c88-a206-37f9c182c87d",
"assignerShortName": "netapp",
"cveId": "CVE-2022-23233",
"datePublished": "2022-03-04T17:22:54",
"dateReserved": "2022-01-14T00:00:00",
"dateUpdated": "2024-08-03T03:36:20.451Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-23806
Vulnerability from cvelistv5
Published
2022-02-11 00:00
Modified
2024-08-03 03:51
Severity ?
EPSS score ?
Summary
Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:51:45.994Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[debian-lts-announce] 20220428 [SECURITY] [DLA 2985-1] golang-1.7 security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00017.html"
},
{
"name": "[debian-lts-announce] 20220428 [SECURITY] [DLA 2986-1] golang-1.8 security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00018.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220225-0006/"
},
{
"name": "GLSA-202208-02",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202208-02"
},
{
"name": "[debian-lts-announce] 20230419 [SECURITY] [DLA 3395-1] golang-1.11 security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-19T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[debian-lts-announce] 20220428 [SECURITY] [DLA 2985-1] golang-1.7 security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00017.html"
},
{
"name": "[debian-lts-announce] 20220428 [SECURITY] [DLA 2986-1] golang-1.8 security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00018.html"
},
{
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"url": "https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ"
},
{
"url": "https://security.netapp.com/advisory/ntap-20220225-0006/"
},
{
"name": "GLSA-202208-02",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202208-02"
},
{
"name": "[debian-lts-announce] 20230419 [SECURITY] [DLA 3395-1] golang-1.11 security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-23806",
"datePublished": "2022-02-11T00:00:00",
"dateReserved": "2022-01-21T00:00:00",
"dateUpdated": "2024-08-03T03:51:45.994Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2016-3427
Vulnerability from cvelistv5
Published
2016-04-21 10:00
Modified
2024-10-08 15:07
Severity ?
EPSS score ?
Summary
Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T23:56:14.120Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "openSUSE-SU-2016:1222",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00006.html"
},
{
"name": "RHSA-2016:0677",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0677.html"
},
{
"name": "SUSE-SU-2016:1299",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00039.html"
},
{
"name": "RHSA-2016:1039",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-1039.html"
},
{
"name": "RHSA-2016:0701",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0701.html"
},
{
"name": "USN-2972-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "http://www.ubuntu.com/usn/USN-2972-1"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html"
},
{
"name": "SUSE-SU-2016:1303",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00042.html"
},
{
"name": "1037331",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1037331"
},
{
"name": "SUSE-SU-2016:1475",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00002.html"
},
{
"name": "openSUSE-SU-2016:1235",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00012.html"
},
{
"name": "openSUSE-SU-2016:1262",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00026.html"
},
{
"name": "SUSE-SU-2016:1300",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00040.html"
},
{
"name": "RHSA-2016:0676",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0676.html"
},
{
"name": "RHSA-2016:1430",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2016:1430"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20160420-0001/"
},
{
"name": "RHSA-2016:0708",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0708.html"
},
{
"name": "RHSA-2016:0723",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0723.html"
},
{
"name": "RHSA-2016:0651",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0651.html"
},
{
"name": "SUSE-SU-2016:1378",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00058.html"
},
{
"name": "SUSE-SU-2016:1248",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00021.html"
},
{
"name": "SUSE-SU-2016:1379",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00059.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10159"
},
{
"name": "USN-2964-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "http://www.ubuntu.com/usn/USN-2964-1"
},
{
"name": "openSUSE-SU-2016:1230",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00009.html"
},
{
"name": "SUSE-SU-2016:1458",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00067.html"
},
{
"name": "GLSA-201606-18",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201606-18"
},
{
"name": "RHSA-2016:0716",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0716.html"
},
{
"name": "1035596",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1035596"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html"
},
{
"name": "openSUSE-SU-2016:1265",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00027.html"
},
{
"name": "USN-2963-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "http://www.ubuntu.com/usn/USN-2963-1"
},
{
"name": "RHSA-2016:0675",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0675.html"
},
{
"name": "SUSE-SU-2016:1250",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00022.html"
},
{
"name": "SUSE-SU-2016:1388",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00061.html"
},
{
"name": "RHSA-2016:0702",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0702.html"
},
{
"name": "RHSA-2016:0679",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0679.html"
},
{
"name": "RHSA-2017:1216",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:1216"
},
{
"name": "DSA-3558",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3558"
},
{
"name": "RHSA-2016:0678",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0678.html"
},
{
"name": "86421",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/86421"
},
{
"name": "RHSA-2016:0650",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0650.html"
},
{
"name": "[tomcat-dev] 20190319 svn commit: r1855831 [25/30] - in /tomcat/site/trunk: ./ docs/ xdocs/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20190319 svn commit: r1855831 [23/30] - in /tomcat/site/trunk: ./ docs/ xdocs/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20190325 svn commit: r1856174 [22/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20190325 svn commit: r1856174 [24/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20190325 svn commit: r1856174 [21/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20190413 svn commit: r1857494 [17/20] - in /tomcat/site/trunk: ./ docs/ xdocs/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20190413 svn commit: r1857494 [16/20] - in /tomcat/site/trunk: ./ docs/ xdocs/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20190413 svn commit: r1857494 [15/20] - in /tomcat/site/trunk: ./ docs/ xdocs/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20190415 svn commit: r1857582 [17/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20190415 svn commit: r1857582 [19/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20190415 svn commit: r1857582 [16/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20200203 svn commit: r1873527 [23/30] - /tomcat/site/trunk/docs/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20200213 svn commit: r1873980 [26/34] - /tomcat/site/trunk/docs/",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[cassandra-user] 20200831 CVE-2016-3427 Apache Cassandra Unspecified vulnerability related to JMX",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc3abf40b06c511d5693baf707d6444bf7745e6a1e343e6f530a12258%40%3Cuser.cassandra.apache.org%3E"
},
{
"name": "[cassandra-dev] 20200831 CVE-2016-3427 Apache Cassandra Unspecified vulnerability related to JMX",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5f48b16573a11fdf0b557cc3d1d71423ecde8ee771c29f32334fa948%40%3Cdev.cassandra.apache.org%3E"
},
{
"name": "[oss-security] 20200831 CVE-2016-3427 Apache Cassandra Unspecified vulnerability related to JMX",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2020/08/31/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2016-3427",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-08T15:06:35.308318Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2023-05-12",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2016-3427"
},
"type": "kev"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T15:07:05.221Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-04-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-01T02:06:09",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"name": "openSUSE-SU-2016:1222",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00006.html"
},
{
"name": "RHSA-2016:0677",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0677.html"
},
{
"name": "SUSE-SU-2016:1299",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00039.html"
},
{
"name": "RHSA-2016:1039",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-1039.html"
},
{
"name": "RHSA-2016:0701",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0701.html"
},
{
"name": "USN-2972-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "http://www.ubuntu.com/usn/USN-2972-1"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html"
},
{
"name": "SUSE-SU-2016:1303",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00042.html"
},
{
"name": "1037331",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1037331"
},
{
"name": "SUSE-SU-2016:1475",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00002.html"
},
{
"name": "openSUSE-SU-2016:1235",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00012.html"
},
{
"name": "openSUSE-SU-2016:1262",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00026.html"
},
{
"name": "SUSE-SU-2016:1300",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00040.html"
},
{
"name": "RHSA-2016:0676",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0676.html"
},
{
"name": "RHSA-2016:1430",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2016:1430"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20160420-0001/"
},
{
"name": "RHSA-2016:0708",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0708.html"
},
{
"name": "RHSA-2016:0723",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0723.html"
},
{
"name": "RHSA-2016:0651",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0651.html"
},
{
"name": "SUSE-SU-2016:1378",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00058.html"
},
{
"name": "SUSE-SU-2016:1248",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00021.html"
},
{
"name": "SUSE-SU-2016:1379",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00059.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10159"
},
{
"name": "USN-2964-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "http://www.ubuntu.com/usn/USN-2964-1"
},
{
"name": "openSUSE-SU-2016:1230",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00009.html"
},
{
"name": "SUSE-SU-2016:1458",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00067.html"
},
{
"name": "GLSA-201606-18",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201606-18"
},
{
"name": "RHSA-2016:0716",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0716.html"
},
{
"name": "1035596",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1035596"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html"
},
{
"name": "openSUSE-SU-2016:1265",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00027.html"
},
{
"name": "USN-2963-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "http://www.ubuntu.com/usn/USN-2963-1"
},
{
"name": "RHSA-2016:0675",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0675.html"
},
{
"name": "SUSE-SU-2016:1250",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00022.html"
},
{
"name": "SUSE-SU-2016:1388",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00061.html"
},
{
"name": "RHSA-2016:0702",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0702.html"
},
{
"name": "RHSA-2016:0679",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0679.html"
},
{
"name": "RHSA-2017:1216",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:1216"
},
{
"name": "DSA-3558",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3558"
},
{
"name": "RHSA-2016:0678",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0678.html"
},
{
"name": "86421",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/86421"
},
{
"name": "RHSA-2016:0650",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0650.html"
},
{
"name": "[tomcat-dev] 20190319 svn commit: r1855831 [25/30] - in /tomcat/site/trunk: ./ docs/ xdocs/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20190319 svn commit: r1855831 [23/30] - in /tomcat/site/trunk: ./ docs/ xdocs/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20190325 svn commit: r1856174 [22/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20190325 svn commit: r1856174 [24/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20190325 svn commit: r1856174 [21/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20190413 svn commit: r1857494 [17/20] - in /tomcat/site/trunk: ./ docs/ xdocs/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20190413 svn commit: r1857494 [16/20] - in /tomcat/site/trunk: ./ docs/ xdocs/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20190413 svn commit: r1857494 [15/20] - in /tomcat/site/trunk: ./ docs/ xdocs/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20190415 svn commit: r1857582 [17/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20190415 svn commit: r1857582 [19/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20190415 svn commit: r1857582 [16/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20200203 svn commit: r1873527 [23/30] - /tomcat/site/trunk/docs/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20200213 svn commit: r1873980 [26/34] - /tomcat/site/trunk/docs/",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[cassandra-user] 20200831 CVE-2016-3427 Apache Cassandra Unspecified vulnerability related to JMX",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc3abf40b06c511d5693baf707d6444bf7745e6a1e343e6f530a12258%40%3Cuser.cassandra.apache.org%3E"
},
{
"name": "[cassandra-dev] 20200831 CVE-2016-3427 Apache Cassandra Unspecified vulnerability related to JMX",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5f48b16573a11fdf0b557cc3d1d71423ecde8ee771c29f32334fa948%40%3Cdev.cassandra.apache.org%3E"
},
{
"name": "[oss-security] 20200831 CVE-2016-3427 Apache Cassandra Unspecified vulnerability related to JMX",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2020/08/31/1"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2016-3427",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "openSUSE-SU-2016:1222",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00006.html"
},
{
"name": "RHSA-2016:0677",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0677.html"
},
{
"name": "SUSE-SU-2016:1299",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00039.html"
},
{
"name": "RHSA-2016:1039",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1039.html"
},
{
"name": "RHSA-2016:0701",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0701.html"
},
{
"name": "USN-2972-1",
"refsource": "UBUNTU",
"url": "http://www.ubuntu.com/usn/USN-2972-1"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html"
},
{
"name": "SUSE-SU-2016:1303",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00042.html"
},
{
"name": "1037331",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1037331"
},
{
"name": "SUSE-SU-2016:1475",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00002.html"
},
{
"name": "openSUSE-SU-2016:1235",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00012.html"
},
{
"name": "openSUSE-SU-2016:1262",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00026.html"
},
{
"name": "SUSE-SU-2016:1300",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00040.html"
},
{
"name": "RHSA-2016:0676",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0676.html"
},
{
"name": "RHSA-2016:1430",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2016:1430"
},
{
"name": "https://security.netapp.com/advisory/ntap-20160420-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20160420-0001/"
},
{
"name": "RHSA-2016:0708",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0708.html"
},
{
"name": "RHSA-2016:0723",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0723.html"
},
{
"name": "RHSA-2016:0651",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0651.html"
},
{
"name": "SUSE-SU-2016:1378",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00058.html"
},
{
"name": "SUSE-SU-2016:1248",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00021.html"
},
{
"name": "SUSE-SU-2016:1379",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00059.html"
},
{
"name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10159",
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10159"
},
{
"name": "USN-2964-1",
"refsource": "UBUNTU",
"url": "http://www.ubuntu.com/usn/USN-2964-1"
},
{
"name": "openSUSE-SU-2016:1230",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00009.html"
},
{
"name": "SUSE-SU-2016:1458",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00067.html"
},
{
"name": "GLSA-201606-18",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201606-18"
},
{
"name": "RHSA-2016:0716",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0716.html"
},
{
"name": "1035596",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1035596"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html"
},
{
"name": "openSUSE-SU-2016:1265",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00027.html"
},
{
"name": "USN-2963-1",
"refsource": "UBUNTU",
"url": "http://www.ubuntu.com/usn/USN-2963-1"
},
{
"name": "RHSA-2016:0675",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0675.html"
},
{
"name": "SUSE-SU-2016:1250",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00022.html"
},
{
"name": "SUSE-SU-2016:1388",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00061.html"
},
{
"name": "RHSA-2016:0702",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0702.html"
},
{
"name": "RHSA-2016:0679",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0679.html"
},
{
"name": "RHSA-2017:1216",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:1216"
},
{
"name": "DSA-3558",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3558"
},
{
"name": "RHSA-2016:0678",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0678.html"
},
{
"name": "86421",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/86421"
},
{
"name": "RHSA-2016:0650",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0650.html"
},
{
"name": "[tomcat-dev] 20190319 svn commit: r1855831 [25/30] - in /tomcat/site/trunk: ./ docs/ xdocs/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20190319 svn commit: r1855831 [23/30] - in /tomcat/site/trunk: ./ docs/ xdocs/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20190325 svn commit: r1856174 [22/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20190325 svn commit: r1856174 [24/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20190325 svn commit: r1856174 [21/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20190413 svn commit: r1857494 [17/20] - in /tomcat/site/trunk: ./ docs/ xdocs/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20190413 svn commit: r1857494 [16/20] - in /tomcat/site/trunk: ./ docs/ xdocs/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20190413 svn commit: r1857494 [15/20] - in /tomcat/site/trunk: ./ docs/ xdocs/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20190415 svn commit: r1857582 [17/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20190415 svn commit: r1857582 [19/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20190415 svn commit: r1857582 [16/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20200203 svn commit: r1873527 [23/30] - /tomcat/site/trunk/docs/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20200213 svn commit: r1873980 [26/34] - /tomcat/site/trunk/docs/",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[cassandra-user] 20200831 CVE-2016-3427 Apache Cassandra Unspecified vulnerability related to JMX",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc3abf40b06c511d5693baf707d6444bf7745e6a1e343e6f530a12258@%3Cuser.cassandra.apache.org%3E"
},
{
"name": "[cassandra-dev] 20200831 CVE-2016-3427 Apache Cassandra Unspecified vulnerability related to JMX",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5f48b16573a11fdf0b557cc3d1d71423ecde8ee771c29f32334fa948@%3Cdev.cassandra.apache.org%3E"
},
{
"name": "[oss-security] 20200831 CVE-2016-3427 Apache Cassandra Unspecified vulnerability related to JMX",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2020/08/31/1"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2016-3427",
"datePublished": "2016-04-21T10:00:00",
"dateReserved": "2016-03-17T00:00:00",
"dateUpdated": "2024-10-08T15:07:05.221Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-14664
Vulnerability from cvelistv5
Published
2020-07-15 17:34
Modified
2024-09-27 18:25
Severity ?
EPSS score ?
Summary
Vulnerability in the Java SE product of Oracle Java SE (component: JavaFX). The supported version that is affected is Java SE: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.oracle.com/security-alerts/cpujul2020.html | x_refsource_MISC | |
| https://security.netapp.com/advisory/ntap-20200717-0005/ | x_refsource_CONFIRM | |
| https://www.zerodayinitiative.com/advisories/ZDI-20-897/ | x_refsource_MISC | |
| https://security.gentoo.org/glsa/202209-15 | vendor-advisory, x_refsource_GENTOO |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Oracle Corporation | Java |
Version: Java SE: 8u251 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:53:42.545Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200717-0005/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-897/"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-14664",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-27T17:54:50.939497Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T18:25:29.065Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Java",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "Java SE: 8u251"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the Java SE product of Oracle Java SE (component: JavaFX). The supported version that is affected is Java SE: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-25T15:06:52",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200717-0005/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-897/"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2020-14664",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Java",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "Java SE: 8u251"
}
]
}
}
]
},
"vendor_name": "Oracle Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in the Java SE product of Oracle Java SE (component: JavaFX). The supported version that is affected is Java SE: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)."
}
]
},
"impact": {
"cvss": {
"baseScore": "8.3",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.oracle.com/security-alerts/cpujul2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200717-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200717-0005/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-20-897/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-897/"
},
{
"name": "GLSA-202209-15",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202209-15"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2020-14664",
"datePublished": "2020-07-15T17:34:32",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-09-27T18:25:29.065Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-14578
Vulnerability from cvelistv5
Published
2020-07-15 17:34
Modified
2024-09-27 18:38
Severity ?
EPSS score ?
Summary
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261 and 8u251; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Oracle Corporation | Java |
Version: Java SE: 7u261, 8u251 Version: Java SE Embedded: 8u251 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:46:34.793Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200717-0005/"
},
{
"name": "FEDORA-2020-e418151dc3",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/"
},
{
"name": "DSA-4734",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4734"
},
{
"name": "FEDORA-2020-508df53719",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/"
},
{
"name": "[debian-lts-announce] 20200813 [SECURITY] [DLA 2325-1] openjdk-8 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html"
},
{
"name": "USN-4453-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4453-1/"
},
{
"name": "GLSA-202008-24",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202008-24"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
},
{
"name": "openSUSE-SU-2020:1893",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-14578",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-27T17:58:55.382224Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T18:38:05.115Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Java",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "Java SE: 7u261, 8u251"
},
{
"status": "affected",
"version": "Java SE Embedded: 8u251"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261 and 8u251; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-25T15:06:28",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200717-0005/"
},
{
"name": "FEDORA-2020-e418151dc3",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/"
},
{
"name": "DSA-4734",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4734"
},
{
"name": "FEDORA-2020-508df53719",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/"
},
{
"name": "[debian-lts-announce] 20200813 [SECURITY] [DLA 2325-1] openjdk-8 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html"
},
{
"name": "USN-4453-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4453-1/"
},
{
"name": "GLSA-202008-24",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202008-24"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
},
{
"name": "openSUSE-SU-2020:1893",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2020-14578",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Java",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "Java SE: 7u261, 8u251"
},
{
"version_affected": "=",
"version_value": "Java SE Embedded: 8u251"
}
]
}
}
]
},
"vendor_name": "Oracle Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261 and 8u251; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)."
}
]
},
"impact": {
"cvss": {
"baseScore": "3.7",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.oracle.com/security-alerts/cpujul2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200717-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200717-0005/"
},
{
"name": "FEDORA-2020-e418151dc3",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/"
},
{
"name": "DSA-4734",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4734"
},
{
"name": "FEDORA-2020-508df53719",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/"
},
{
"name": "[debian-lts-announce] 20200813 [SECURITY] [DLA 2325-1] openjdk-8 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html"
},
{
"name": "USN-4453-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4453-1/"
},
{
"name": "GLSA-202008-24",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202008-24"
},
{
"name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332",
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
},
{
"name": "openSUSE-SU-2020:1893",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html"
},
{
"name": "GLSA-202209-15",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202209-15"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2020-14578",
"datePublished": "2020-07-15T17:34:28",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-09-27T18:38:05.115Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-34798
Vulnerability from cvelistv5
Published
2021-09-16 14:40
Modified
2024-08-04 00:26
Severity ?
EPSS score ?
Summary
NULL pointer dereference in httpd core
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Apache Software Foundation | Apache HTTP Server |
Version: Apache HTTP Server 2.4 < |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:26:54.014Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "FEDORA-2021-dce7e7738e",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/"
},
{
"name": "[httpd-users] 20210923 [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 Re: [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 Re: [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "FEDORA-2021-e3f6dd670d",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/"
},
{
"name": "[debian-lts-announce] 20211002 [SECURITY] [DLA 2776-1] apache2 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00001.html"
},
{
"name": "DSA-4982",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4982"
},
{
"name": "20211124 Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021",
"tags": [
"vendor-advisory",
"x_refsource_CISCO",
"x_transferred"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2021-17"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20211008-0004/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10379"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdf"
},
{
"name": "GLSA-202208-20",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202208-20"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache HTTP Server",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.4.48",
"status": "affected",
"version": "Apache HTTP Server 2.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "The issue was discovered by the Apache HTTP security team"
}
],
"descriptions": [
{
"lang": "en",
"value": "Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier."
}
],
"metrics": [
{
"other": {
"content": {
"other": "moderate"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476 NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-14T01:07:32",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "FEDORA-2021-dce7e7738e",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/"
},
{
"name": "[httpd-users] 20210923 [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 Re: [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 Re: [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c%40%3Cusers.httpd.apache.org%3E"
},
{
"name": "FEDORA-2021-e3f6dd670d",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/"
},
{
"name": "[debian-lts-announce] 20211002 [SECURITY] [DLA 2776-1] apache2 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00001.html"
},
{
"name": "DSA-4982",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4982"
},
{
"name": "20211124 Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021",
"tags": [
"vendor-advisory",
"x_refsource_CISCO"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.tenable.com/security/tns-2021-17"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20211008-0004/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10379"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdf"
},
{
"name": "GLSA-202208-20",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202208-20"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2021-09-16T00:00:00",
"value": "2.4.49 released"
}
],
"title": "NULL pointer dereference in httpd core",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-34798",
"STATE": "PUBLIC",
"TITLE": "NULL pointer dereference in httpd core"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache HTTP Server",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "Apache HTTP Server 2.4",
"version_value": "2.4.48"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "The issue was discovered by the Apache HTTP security team"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "moderate"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-476 NULL Pointer Dereference"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://httpd.apache.org/security/vulnerabilities_24.html",
"refsource": "MISC",
"url": "http://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"name": "FEDORA-2021-dce7e7738e",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/"
},
{
"name": "[httpd-users] 20210923 [users@httpd] 2.4.49 security fixes: more info",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697@%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 Re: [users@httpd] 2.4.49 security fixes: more info",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029@%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432@%3Cusers.httpd.apache.org%3E"
},
{
"name": "[httpd-users] 20210923 Re: [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c@%3Cusers.httpd.apache.org%3E"
},
{
"name": "FEDORA-2021-e3f6dd670d",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/"
},
{
"name": "[debian-lts-announce] 20211002 [SECURITY] [DLA 2776-1] apache2 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00001.html"
},
{
"name": "DSA-4982",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4982"
},
{
"name": "20211124 Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021",
"refsource": "CISCO",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.tenable.com/security/tns-2021-17",
"refsource": "CONFIRM",
"url": "https://www.tenable.com/security/tns-2021-17"
},
{
"name": "https://security.netapp.com/advisory/ntap-20211008-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20211008-0004/"
},
{
"name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10379",
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10379"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdf",
"refsource": "CONFIRM",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdf"
},
{
"name": "GLSA-202208-20",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202208-20"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2021-09-16T00:00:00",
"value": "2.4.49 released"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-34798",
"datePublished": "2021-09-16T14:40:17",
"dateReserved": "2021-06-16T00:00:00",
"dateUpdated": "2024-08-04T00:26:54.014Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-27318
Vulnerability from cvelistv5
Published
2024-02-05 20:35
Modified
2024-08-02 12:09
Severity ?
EPSS score ?
Summary
Denial of Service Vulnerability in StorageGRID (formerly StorageGRID Webscale)
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | NetApp | StorageGRID (formerly StorageGRID Webscale) |
Version: 11.6.0 |
|
|
|||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-27318",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-06T19:28:50.153136Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:22:55.683Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:09:42.409Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20240202-0012/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/NTAP-20240202-0012/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "StorageGRID (formerly StorageGRID Webscale) ",
"vendor": "NetApp",
"versions": [
{
"lessThanOrEqual": "11.6.0.13",
"status": "affected",
"version": "11.6.0",
"versionType": "patch"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "StorageGRID (formerly StorageGRID Webscale) versions 11.6.0 through \n11.6.0.13 are susceptible to a Denial of Service (DoS) vulnerability. A \nsuccessful exploit could lead to a crash of the Local Distribution \nRouter (LDR) service.\n\n"
}
],
"value": "StorageGRID (formerly StorageGRID Webscale) versions 11.6.0 through \n11.6.0.13 are susceptible to a Denial of Service (DoS) vulnerability. A \nsuccessful exploit could lead to a crash of the Local Distribution \nRouter (LDR) service.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-248",
"description": "CWE-248",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-05T20:35:27.521Z",
"orgId": "11fdca00-0482-4c88-a206-37f9c182c87d",
"shortName": "netapp"
},
"references": [
{
"url": "https://security.netapp.com/advisory/NTAP-20240202-0012/"
}
],
"source": {
"advisory": "NTAP-20240202-0012",
"discovery": "UNKNOWN"
},
"title": "Denial of Service Vulnerability in StorageGRID (formerly StorageGRID Webscale) ",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "11fdca00-0482-4c88-a206-37f9c182c87d",
"assignerShortName": "netapp",
"cveId": "CVE-2023-27318",
"datePublished": "2024-02-05T20:35:27.521Z",
"dateReserved": "2023-02-28T17:20:57.462Z",
"dateUpdated": "2024-08-02T12:09:42.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-2581
Vulnerability from cvelistv5
Published
2018-01-18 02:00
Modified
2024-10-03 20:44
Severity ?
EPSS score ?
Summary
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JavaFX). Supported versions that are affected are Java SE: 7u161, 8u152 and 9.0.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N).
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/102636 | vdb-entry, x_refsource_BID | |
| https://security.netapp.com/advisory/ntap-20180117-0001/ | x_refsource_CONFIRM | |
| https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0 | x_refsource_CONFIRM | |
| https://access.redhat.com/errata/RHSA-2018:1812 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2018:0099 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2018:1463 | vendor-advisory, x_refsource_REDHAT | |
| http://www.securitytracker.com/id/1040203 | vdb-entry, x_refsource_SECTRACK | |
| https://access.redhat.com/errata/RHSA-2018:0100 | vendor-advisory, x_refsource_REDHAT |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T04:21:34.407Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"name": "102636",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/102636"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20180117-0001/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0"
},
{
"name": "RHSA-2018:1812",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1812"
},
{
"name": "RHSA-2018:0099",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0099"
},
{
"name": "RHSA-2018:1463",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1463"
},
{
"name": "1040203",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1040203"
},
{
"name": "RHSA-2018:0100",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0100"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2018-2581",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T19:22:58.349584Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T20:44:55.063Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-01-03T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JavaFX). Supported versions that are affected are Java SE: 7u161, 8u152 and 9.0.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-11-30T20:57:01",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"name": "102636",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/102636"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20180117-0001/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0"
},
{
"name": "RHSA-2018:1812",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1812"
},
{
"name": "RHSA-2018:0099",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0099"
},
{
"name": "RHSA-2018:1463",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1463"
},
{
"name": "1040203",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1040203"
},
{
"name": "RHSA-2018:0100",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0100"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2018-2581",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JavaFX). Supported versions that are affected are Java SE: 7u161, 8u152 and 9.0.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"name": "102636",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/102636"
},
{
"name": "https://security.netapp.com/advisory/ntap-20180117-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20180117-0001/"
},
{
"name": "https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0",
"refsource": "CONFIRM",
"url": "https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0"
},
{
"name": "RHSA-2018:1812",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:1812"
},
{
"name": "RHSA-2018:0099",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:0099"
},
{
"name": "RHSA-2018:1463",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:1463"
},
{
"name": "1040203",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1040203"
},
{
"name": "RHSA-2018:0100",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:0100"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2018-2581",
"datePublished": "2018-01-18T02:00:00",
"dateReserved": "2017-12-15T00:00:00",
"dateUpdated": "2024-10-03T20:44:55.063Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-14581
Vulnerability from cvelistv5
Published
2020-07-15 17:34
Modified
2024-09-27 18:37
Severity ?
EPSS score ?
Summary
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Oracle Corporation | Java |
Version: Java SE: 8u251, 11.0.7, 14.0.1 Version: Java SE Embedded: 8u251 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:53:41.868Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200717-0005/"
},
{
"name": "FEDORA-2020-e418151dc3",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/"
},
{
"name": "FEDORA-2020-5d0b4a2b5b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QQUMIAON2YEFRONMIUVHAKYCIOLICDBA/"
},
{
"name": "USN-4433-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4433-1/"
},
{
"name": "DSA-4734",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4734"
},
{
"name": "FEDORA-2020-508df53719",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/"
},
{
"name": "FEDORA-2020-93cc9c3ef2",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MEPHBZPNSLX43B26DWKB7OS6AROTS2BO/"
},
{
"name": "openSUSE-SU-2020:1175",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00019.html"
},
{
"name": "openSUSE-SU-2020:1191",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00027.html"
},
{
"name": "[debian-lts-announce] 20200813 [SECURITY] [DLA 2325-1] openjdk-8 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html"
},
{
"name": "USN-4453-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4453-1/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
},
{
"name": "openSUSE-SU-2020:1893",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-14581",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-27T17:58:50.930753Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T18:37:38.551Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Java",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "Java SE: 8u251, 11.0.7, 14.0.1"
},
{
"status": "affected",
"version": "Java SE Embedded: 8u251"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-25T15:06:46",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200717-0005/"
},
{
"name": "FEDORA-2020-e418151dc3",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/"
},
{
"name": "FEDORA-2020-5d0b4a2b5b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QQUMIAON2YEFRONMIUVHAKYCIOLICDBA/"
},
{
"name": "USN-4433-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4433-1/"
},
{
"name": "DSA-4734",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4734"
},
{
"name": "FEDORA-2020-508df53719",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/"
},
{
"name": "FEDORA-2020-93cc9c3ef2",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MEPHBZPNSLX43B26DWKB7OS6AROTS2BO/"
},
{
"name": "openSUSE-SU-2020:1175",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00019.html"
},
{
"name": "openSUSE-SU-2020:1191",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00027.html"
},
{
"name": "[debian-lts-announce] 20200813 [SECURITY] [DLA 2325-1] openjdk-8 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html"
},
{
"name": "USN-4453-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4453-1/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
},
{
"name": "openSUSE-SU-2020:1893",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2020-14581",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Java",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "Java SE: 8u251, 11.0.7, 14.0.1"
},
{
"version_affected": "=",
"version_value": "Java SE Embedded: 8u251"
}
]
}
}
]
},
"vendor_name": "Oracle Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)."
}
]
},
"impact": {
"cvss": {
"baseScore": "3.7",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.oracle.com/security-alerts/cpujul2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200717-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200717-0005/"
},
{
"name": "FEDORA-2020-e418151dc3",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/"
},
{
"name": "FEDORA-2020-5d0b4a2b5b",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QQUMIAON2YEFRONMIUVHAKYCIOLICDBA/"
},
{
"name": "USN-4433-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4433-1/"
},
{
"name": "DSA-4734",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4734"
},
{
"name": "FEDORA-2020-508df53719",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/"
},
{
"name": "FEDORA-2020-93cc9c3ef2",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MEPHBZPNSLX43B26DWKB7OS6AROTS2BO/"
},
{
"name": "openSUSE-SU-2020:1175",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00019.html"
},
{
"name": "openSUSE-SU-2020:1191",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00027.html"
},
{
"name": "[debian-lts-announce] 20200813 [SECURITY] [DLA 2325-1] openjdk-8 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html"
},
{
"name": "USN-4453-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4453-1/"
},
{
"name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332",
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
},
{
"name": "openSUSE-SU-2020:1893",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html"
},
{
"name": "GLSA-202209-15",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202209-15"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2020-14581",
"datePublished": "2020-07-15T17:34:28",
"dateReserved": "2020-06-19T00:00:00",
"dateUpdated": "2024-09-27T18:37:38.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-2816
Vulnerability from cvelistv5
Published
2020-04-15 13:29
Modified
2024-09-27 19:08
Severity ?
EPSS score ?
Summary
Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 11.0.6 and 14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.oracle.com/security-alerts/cpuapr2020.html | x_refsource_MISC | |
| https://security.netapp.com/advisory/ntap-20200416-0004/ | x_refsource_CONFIRM | |
| https://www.debian.org/security/2020/dsa-4662 | vendor-advisory, x_refsource_DEBIAN | |
| https://usn.ubuntu.com/4337-1/ | vendor-advisory, x_refsource_UBUNTU | |
| http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html | vendor-advisory, x_refsource_SUSE |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Oracle Corporation | Java |
Version: Java SE: 11.0.6, 14 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:17:02.771Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "openSUSE-SU-2020:0757",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-2816",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-27T17:54:00.321524Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-27T19:08:23.886Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Java",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "Java SE: 11.0.6, 14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 11.0.6 and 14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE accessible data.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-02T14:06:12",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "openSUSE-SU-2020:0757",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2020-2816",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Java",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "Java SE: 11.0.6, 14"
}
]
}
}
]
},
"vendor_name": "Oracle Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 11.0.6 and 14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)."
}
]
},
"impact": {
"cvss": {
"baseScore": "7.5",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE accessible data."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200416-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "openSUSE-SU-2020:0757",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2020-2816",
"datePublished": "2020-04-15T13:29:47",
"dateReserved": "2019-12-10T00:00:00",
"dateUpdated": "2024-09-27T19:08:23.886Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-2627
Vulnerability from cvelistv5
Published
2018-01-18 02:00
Modified
2024-08-05 04:21
Severity ?
EPSS score ?
Summary
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Installer). Supported versions that are affected are Java SE: 8u152 and 9.0.1. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to the Windows installer only. CVSS 3.0 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H).
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html | x_refsource_CONFIRM | |
| https://security.netapp.com/advisory/ntap-20180117-0001/ | x_refsource_CONFIRM | |
| https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0 | x_refsource_CONFIRM | |
| https://access.redhat.com/errata/RHSA-2018:0099 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2018:1463 | vendor-advisory, x_refsource_REDHAT | |
| http://www.securityfocus.com/bid/102584 | vdb-entry, x_refsource_BID | |
| http://www.securitytracker.com/id/1040203 | vdb-entry, x_refsource_SECTRACK |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T04:21:34.413Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20180117-0001/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0"
},
{
"name": "RHSA-2018:0099",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0099"
},
{
"name": "RHSA-2018:1463",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1463"
},
{
"name": "102584",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/102584"
},
{
"name": "1040203",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1040203"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-01-03T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Installer). Supported versions that are affected are Java SE: 8u152 and 9.0.1. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to the Windows installer only. CVSS 3.0 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-11-30T20:57:01",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20180117-0001/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0"
},
{
"name": "RHSA-2018:0099",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:0099"
},
{
"name": "RHSA-2018:1463",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1463"
},
{
"name": "102584",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/102584"
},
{
"name": "1040203",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1040203"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2018-2627",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Installer). Supported versions that are affected are Java SE: 8u152 and 9.0.1. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to the Windows installer only. CVSS 3.0 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20180117-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20180117-0001/"
},
{
"name": "https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0",
"refsource": "CONFIRM",
"url": "https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0"
},
{
"name": "RHSA-2018:0099",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:0099"
},
{
"name": "RHSA-2018:1463",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:1463"
},
{
"name": "102584",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/102584"
},
{
"name": "1040203",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1040203"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2018-2627",
"datePublished": "2018-01-18T02:00:00",
"dateReserved": "2017-12-15T00:00:00",
"dateUpdated": "2024-08-05T04:21:34.413Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-2757
Vulnerability from cvelistv5
Published
2020-04-15 13:29
Modified
2024-09-30 15:41
Severity ?
EPSS score ?
Summary
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Oracle Corporation | Java |
Version: Java SE: 7u251, 8u241, 11.0.6, 14 Version: Java SE Embedded: 8u241 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:17:02.624Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "[debian-lts-announce] 20200429 [SECURITY] [DLA 2193-1] openjdk-7 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html"
},
{
"name": "DSA-4668",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4668"
},
{
"name": "FEDORA-2020-5386fe3bbb",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/"
},
{
"name": "FEDORA-2020-21ca991b3b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/"
},
{
"name": "FEDORA-2020-a60ad9d4ec",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/"
},
{
"name": "openSUSE-SU-2020:0757",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"name": "openSUSE-SU-2020:0800",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"name": "GLSA-202006-22",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202006-22"
},
{
"name": "openSUSE-SU-2020:0841",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-2757",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-30T15:00:05.581818Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T15:41:34.588Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Java",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "Java SE: 7u251, 8u241, 11.0.6, 14"
},
{
"status": "affected",
"version": "Java SE Embedded: 8u241"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-25T15:06:31",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "[debian-lts-announce] 20200429 [SECURITY] [DLA 2193-1] openjdk-7 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html"
},
{
"name": "DSA-4668",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4668"
},
{
"name": "FEDORA-2020-5386fe3bbb",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/"
},
{
"name": "FEDORA-2020-21ca991b3b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/"
},
{
"name": "FEDORA-2020-a60ad9d4ec",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/"
},
{
"name": "openSUSE-SU-2020:0757",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"name": "openSUSE-SU-2020:0800",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"name": "GLSA-202006-22",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202006-22"
},
{
"name": "openSUSE-SU-2020:0841",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
},
{
"name": "GLSA-202209-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202209-15"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2020-2757",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Java",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "Java SE: 7u251, 8u241, 11.0.6, 14"
},
{
"version_affected": "=",
"version_value": "Java SE Embedded: 8u241"
}
]
}
}
]
},
"vendor_name": "Oracle Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)."
}
]
},
"impact": {
"cvss": {
"baseScore": "3.7",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200416-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "[debian-lts-announce] 20200429 [SECURITY] [DLA 2193-1] openjdk-7 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html"
},
{
"name": "DSA-4668",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4668"
},
{
"name": "FEDORA-2020-5386fe3bbb",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/"
},
{
"name": "FEDORA-2020-21ca991b3b",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/"
},
{
"name": "FEDORA-2020-a60ad9d4ec",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/"
},
{
"name": "openSUSE-SU-2020:0757",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"name": "openSUSE-SU-2020:0800",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"name": "GLSA-202006-22",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202006-22"
},
{
"name": "openSUSE-SU-2020:0841",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332",
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
},
{
"name": "GLSA-202209-15",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202209-15"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2020-2757",
"datePublished": "2020-04-15T13:29:44",
"dateReserved": "2019-12-10T00:00:00",
"dateUpdated": "2024-09-30T15:41:34.588Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-2754
Vulnerability from cvelistv5
Published
2020-04-15 13:29
Modified
2024-09-30 15:42
Severity ?
EPSS score ?
Summary
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Oracle Corporation | Java |
Version: Java SE: 8u241, 11.0.6, 14 Version: Java SE Embedded: 8u241 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T07:17:02.636Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "DSA-4668",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4668"
},
{
"name": "FEDORA-2020-5386fe3bbb",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/"
},
{
"name": "FEDORA-2020-21ca991b3b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/"
},
{
"name": "FEDORA-2020-a60ad9d4ec",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/"
},
{
"name": "openSUSE-SU-2020:0757",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"name": "openSUSE-SU-2020:0800",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"name": "openSUSE-SU-2020:0841",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-2754",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-30T15:00:12.324367Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T15:42:05.656Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Java",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "Java SE: 8u241, 11.0.6, 14"
},
{
"status": "affected",
"version": "Java SE Embedded: 8u241"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-14T07:06:11",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "DSA-4668",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4668"
},
{
"name": "FEDORA-2020-5386fe3bbb",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/"
},
{
"name": "FEDORA-2020-21ca991b3b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/"
},
{
"name": "FEDORA-2020-a60ad9d4ec",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/"
},
{
"name": "openSUSE-SU-2020:0757",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"name": "openSUSE-SU-2020:0800",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"name": "openSUSE-SU-2020:0841",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert_us@oracle.com",
"ID": "CVE-2020-2754",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Java",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "Java SE: 8u241, 11.0.6, 14"
},
{
"version_affected": "=",
"version_value": "Java SE Embedded: 8u241"
}
]
}
}
]
},
"vendor_name": "Oracle Corporation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)."
}
]
},
"impact": {
"cvss": {
"baseScore": "3.7",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200416-0004/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"name": "DSA-4662",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"name": "USN-4337-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"name": "DSA-4668",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4668"
},
{
"name": "FEDORA-2020-5386fe3bbb",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/"
},
{
"name": "FEDORA-2020-21ca991b3b",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/"
},
{
"name": "FEDORA-2020-a60ad9d4ec",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/"
},
{
"name": "openSUSE-SU-2020:0757",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"name": "openSUSE-SU-2020:0800",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"name": "openSUSE-SU-2020:0841",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332",
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2020-2754",
"datePublished": "2020-04-15T13:29:44",
"dateReserved": "2019-12-10T00:00:00",
"dateUpdated": "2024-09-30T15:42:05.656Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
var-201706-0272
Vulnerability from variot
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. Apache httpd Contains an authentication vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Apache HTTP Server is prone to an authentication bypass vulnerability. An attacker can exploit this issue to bypass authentication mechanism and perform unauthorized actions. This may lead to further attacks. The following versions are vulnerable: Apache HTTP Server 2.2.0 to 2.2.32 Apache HTTP Server 2.4.0 to 2.4.25. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.
This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 3 serves as an update to Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 2, and includes bug fixes, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
- An out-of-bounds array dereference was found in apr_time_exp_get(). An attacker could abuse an unvalidated usage of this function to cause a denial of service or potentially lead to data leak. JIRA issues fixed (https://issues.jboss.org/):
JBCS-403 - Errata for httpd 2.4.23.SP3 RHEL6
-
(CVE-2017-7679)
-
A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. (CVE-2017-9798)
Red Hat would like to thank Hanno BAPck for reporting CVE-2017-9798. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
===================================================================== Red Hat Security Advisory
Synopsis: Important: httpd security update Advisory ID: RHSA-2017:2478-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2017:2478 Issue date: 2017-08-15 CVE Names: CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 =====================================================================
- Summary:
An update for httpd is now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, noarch, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, noarch, x86_64
Security Fix(es):
-
It was discovered that the httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause httpd child process to crash by sending specially crafted requests to a server. (CVE-2017-3167)
-
A NULL pointer dereference flaw was found in the httpd's mod_ssl module. A remote attacker could use this flaw to cause an httpd child process to crash if another module used by httpd called a certain API function during the processing of an HTTPS request. (CVE-2017-3169)
-
A buffer over-read flaw was found in the httpd's mod_mime module. A user permitted to modify httpd's MIME configuration could use this flaw to cause httpd child process to crash. (CVE-2017-7679)
-
Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the updated packages, the httpd daemon will be restarted automatically.
- Bugs fixed (https://bugzilla.redhat.com/):
1463194 - CVE-2017-3167 httpd: ap_get_basic_auth_pw() authentication bypass 1463197 - CVE-2017-3169 httpd: mod_ssl NULL pointer dereference 1463207 - CVE-2017-7679 httpd: mod_mime buffer overread 1470748 - CVE-2017-9788 httpd: Uninitialized memory reflection in mod_auth_digest
- Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source: httpd-2.2.15-60.el6_9.5.src.rpm
i386: httpd-2.2.15-60.el6_9.5.i686.rpm httpd-debuginfo-2.2.15-60.el6_9.5.i686.rpm httpd-tools-2.2.15-60.el6_9.5.i686.rpm
x86_64: httpd-2.2.15-60.el6_9.5.x86_64.rpm httpd-debuginfo-2.2.15-60.el6_9.5.x86_64.rpm httpd-tools-2.2.15-60.el6_9.5.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
i386: httpd-debuginfo-2.2.15-60.el6_9.5.i686.rpm httpd-devel-2.2.15-60.el6_9.5.i686.rpm mod_ssl-2.2.15-60.el6_9.5.i686.rpm
noarch: httpd-manual-2.2.15-60.el6_9.5.noarch.rpm
x86_64: httpd-debuginfo-2.2.15-60.el6_9.5.i686.rpm httpd-debuginfo-2.2.15-60.el6_9.5.x86_64.rpm httpd-devel-2.2.15-60.el6_9.5.i686.rpm httpd-devel-2.2.15-60.el6_9.5.x86_64.rpm mod_ssl-2.2.15-60.el6_9.5.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source: httpd-2.2.15-60.el6_9.5.src.rpm
x86_64: httpd-2.2.15-60.el6_9.5.x86_64.rpm httpd-debuginfo-2.2.15-60.el6_9.5.x86_64.rpm httpd-tools-2.2.15-60.el6_9.5.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
noarch: httpd-manual-2.2.15-60.el6_9.5.noarch.rpm
x86_64: httpd-debuginfo-2.2.15-60.el6_9.5.i686.rpm httpd-debuginfo-2.2.15-60.el6_9.5.x86_64.rpm httpd-devel-2.2.15-60.el6_9.5.i686.rpm httpd-devel-2.2.15-60.el6_9.5.x86_64.rpm mod_ssl-2.2.15-60.el6_9.5.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source: httpd-2.2.15-60.el6_9.5.src.rpm
i386: httpd-2.2.15-60.el6_9.5.i686.rpm httpd-debuginfo-2.2.15-60.el6_9.5.i686.rpm httpd-devel-2.2.15-60.el6_9.5.i686.rpm httpd-tools-2.2.15-60.el6_9.5.i686.rpm mod_ssl-2.2.15-60.el6_9.5.i686.rpm
noarch: httpd-manual-2.2.15-60.el6_9.5.noarch.rpm
ppc64: httpd-2.2.15-60.el6_9.5.ppc64.rpm httpd-debuginfo-2.2.15-60.el6_9.5.ppc.rpm httpd-debuginfo-2.2.15-60.el6_9.5.ppc64.rpm httpd-devel-2.2.15-60.el6_9.5.ppc.rpm httpd-devel-2.2.15-60.el6_9.5.ppc64.rpm httpd-tools-2.2.15-60.el6_9.5.ppc64.rpm mod_ssl-2.2.15-60.el6_9.5.ppc64.rpm
s390x: httpd-2.2.15-60.el6_9.5.s390x.rpm httpd-debuginfo-2.2.15-60.el6_9.5.s390.rpm httpd-debuginfo-2.2.15-60.el6_9.5.s390x.rpm httpd-devel-2.2.15-60.el6_9.5.s390.rpm httpd-devel-2.2.15-60.el6_9.5.s390x.rpm httpd-tools-2.2.15-60.el6_9.5.s390x.rpm mod_ssl-2.2.15-60.el6_9.5.s390x.rpm
x86_64: httpd-2.2.15-60.el6_9.5.x86_64.rpm httpd-debuginfo-2.2.15-60.el6_9.5.i686.rpm httpd-debuginfo-2.2.15-60.el6_9.5.x86_64.rpm httpd-devel-2.2.15-60.el6_9.5.i686.rpm httpd-devel-2.2.15-60.el6_9.5.x86_64.rpm httpd-tools-2.2.15-60.el6_9.5.x86_64.rpm mod_ssl-2.2.15-60.el6_9.5.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source: httpd-2.2.15-60.el6_9.5.src.rpm
i386: httpd-2.2.15-60.el6_9.5.i686.rpm httpd-debuginfo-2.2.15-60.el6_9.5.i686.rpm httpd-devel-2.2.15-60.el6_9.5.i686.rpm httpd-tools-2.2.15-60.el6_9.5.i686.rpm mod_ssl-2.2.15-60.el6_9.5.i686.rpm
noarch: httpd-manual-2.2.15-60.el6_9.5.noarch.rpm
x86_64: httpd-2.2.15-60.el6_9.5.x86_64.rpm httpd-debuginfo-2.2.15-60.el6_9.5.i686.rpm httpd-debuginfo-2.2.15-60.el6_9.5.x86_64.rpm httpd-devel-2.2.15-60.el6_9.5.i686.rpm httpd-devel-2.2.15-60.el6_9.5.x86_64.rpm httpd-tools-2.2.15-60.el6_9.5.x86_64.rpm mod_ssl-2.2.15-60.el6_9.5.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2017-3167 https://access.redhat.com/security/cve/CVE-2017-3169 https://access.redhat.com/security/cve/CVE-2017-7679 https://access.redhat.com/security/cve/CVE-2017-9788 https://access.redhat.com/security/updates/classification/#important
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iD8DBQFZkzq3XlSAg2UNWIIRAjxIAJ9JoJcSMguc2VTpgJl2P5BGoM2IrACfXd/8 Jxb2g1bdehw6Jjq0qF13AEM= =ZvYI -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Solution:
The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files)
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201706-0272",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "enterprise linux server tus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.7"
},
{
"model": "enterprise linux workstation",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "6.0"
},
{
"model": "enterprise linux eus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.2"
},
{
"model": "enterprise linux eus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.6"
},
{
"model": "http server",
"scope": "gte",
"trust": 1.0,
"vendor": "apache",
"version": "2.2.0"
},
{
"model": "enterprise linux eus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.4"
},
{
"model": "enterprise linux server",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "6.0"
},
{
"model": "enterprise linux server tus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.2"
},
{
"model": "enterprise linux server tus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.6"
},
{
"model": "clustered data ontap",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "http server",
"scope": "lt",
"trust": 1.0,
"vendor": "apache",
"version": "2.4.26"
},
{
"model": "enterprise linux server tus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.4"
},
{
"model": "enterprise linux eus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "6.7"
},
{
"model": "enterprise linux eus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.5"
},
{
"model": "enterprise linux server",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.0"
},
{
"model": "enterprise linux workstation",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.0"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "9.0"
},
{
"model": "oncommand unified manager",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "enterprise linux server aus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.7"
},
{
"model": "jboss core services",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "1.0"
},
{
"model": "storagegrid",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "enterprise linux eus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.3"
},
{
"model": "http server",
"scope": "gte",
"trust": 1.0,
"vendor": "apache",
"version": "2.4.0"
},
{
"model": "enterprise linux server aus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.2"
},
{
"model": "enterprise linux server aus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.6"
},
{
"model": "enterprise linux desktop",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "6.0"
},
{
"model": "enterprise linux server aus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.4"
},
{
"model": "enterprise linux server tus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.3"
},
{
"model": "http server",
"scope": "lt",
"trust": 1.0,
"vendor": "apache",
"version": "2.2.33"
},
{
"model": "enterprise linux desktop",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.0"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "8.0"
},
{
"model": "enterprise linux server aus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.3"
},
{
"model": "mac os x",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "10.13.1"
},
{
"model": "enterprise linux eus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.7"
},
{
"model": "secure global desktop",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "5.3"
},
{
"model": "jp1/automatic job management system 3",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "- manager web console"
},
{
"model": "jp1/integrated management",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "- service support starter edition"
},
{
"model": "jp1/it desktop management",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "2 - operations director"
},
{
"model": "web server",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "- custom edition"
},
{
"model": "ucosminexus application server",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "(64)"
},
{
"model": "ucosminexus application server",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "express"
},
{
"model": "job management partner 1/integrated management",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "- service support"
},
{
"model": "web server",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "none"
},
{
"model": "ucosminexus developer",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "professional for plug-in"
},
{
"model": "ucosminexus service platform",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "- messaging"
},
{
"model": "jp1/integrated management",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "- service support advanced edition"
},
{
"model": "job management partner 1/it desktop management",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "2 - smart device manager"
},
{
"model": "jp1/performance management",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "- web console"
},
{
"model": "ucosminexus developer standard",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "ucosminexus service platform",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "(64)"
},
{
"model": "httpd",
"scope": "eq",
"trust": 0.8,
"vendor": "apache",
"version": "2.4.26"
},
{
"model": "jp1/performance management",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "- manager"
},
{
"model": "jp1/it desktop management - manager",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "jp1/automatic operation",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "ucosminexus developer",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "01"
},
{
"model": "job management partner 1/performance management - web console",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "job management partner 1/it desktop management",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "2 - manager"
},
{
"model": "ucosminexus developer light",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "ucosminexus application server",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "none"
},
{
"model": "jp1/it desktop management",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "2 - smart device manager"
},
{
"model": "application server for developers",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "jp1/integrated management",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "- service support"
},
{
"model": "ucosminexus primary server",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "base"
},
{
"model": "ucosminexus application server",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "st ard-r"
},
{
"model": "ucosminexus primary server",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "base(64)"
},
{
"model": "job management partner 1/integrated management",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "- service support advanced edition"
},
{
"model": "ucosminexus service platform",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "none"
},
{
"model": "httpd",
"scope": "eq",
"trust": 0.8,
"vendor": "apache",
"version": "2.2.33"
},
{
"model": "it operations director",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "jp1/service support",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "none"
},
{
"model": "jp1/operations analytics",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "jp1/service support",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "starter edition"
},
{
"model": "cosminexus http server",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "ucosminexus application server",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "-r"
},
{
"model": "jp1/it desktop management",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "2 - manager"
},
{
"model": "job management partner 1/it desktop management - manager",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "ucosminexus service architect",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "ucosminexus application server enterprise",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "jp1/performance management",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "- manager web console"
},
{
"model": "spoolserver/winspool series",
"scope": "eq",
"trust": 0.8,
"vendor": "nec",
"version": "reportfiling ver5.2 ~ 6.2"
},
{
"model": "ucosminexus application server standard",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "web server",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "- security edition"
},
{
"model": "ucosminexus developer",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "professional"
},
{
"model": "httpd",
"scope": "lt",
"trust": 0.8,
"vendor": "apache",
"version": "2.2.x"
},
{
"model": "ucosminexus developer",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "none"
},
{
"model": "ucosminexus application server smart edition",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "application server",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "httpd",
"scope": "lt",
"trust": 0.8,
"vendor": "apache",
"version": "2.4.x"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.6,
"vendor": "apache",
"version": "2.2.0"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.6,
"vendor": "apache",
"version": "2.2.31"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.6,
"vendor": "apache",
"version": "2.2.30"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.6,
"vendor": "apache",
"version": "2.2.24"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.6,
"vendor": "apache",
"version": "2.2.25"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.6,
"vendor": "apache",
"version": "2.2.29"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.6,
"vendor": "apache",
"version": "2.2.22"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.6,
"vendor": "apache",
"version": "2.2.23"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.6,
"vendor": "apache",
"version": "2.2.26"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.6,
"vendor": "apache",
"version": "2.2.27"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "17.04"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "16.10"
},
{
"model": "linux lts",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "16.04"
},
{
"model": "linux lts",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "14.04"
},
{
"model": "software collections for rhel",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "0"
},
{
"model": "jboss web server",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "0"
},
{
"model": "jboss ews",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "2"
},
{
"model": "jboss eap",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6"
},
{
"model": "jboss core services",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "1"
},
{
"model": "enterprise linux workstation",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6"
},
{
"model": "enterprise linux server",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6"
},
{
"model": "enterprise linux hpc node optional",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6"
},
{
"model": "enterprise linux hpc node",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6"
},
{
"model": "enterprise linux desktop optional",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6"
},
{
"model": "enterprise linux desktop",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6"
},
{
"model": "enterprise linux",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6"
},
{
"model": "enterprise linux",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "5.0"
},
{
"model": "enterprise linux",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "5"
},
{
"model": "i",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.1"
},
{
"model": "i",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.3"
},
{
"model": "i",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.2"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.5.52"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.52"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.09"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.033"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.029"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.11"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "9.0.0.4"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "9.0.0.3"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "9.0.0.2"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "9.0.0.1"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "9.0"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.5.5.9"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.5.5.8"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.5.5.7"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.5.5.6"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.5.5.5"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.5.5.4"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.5.5.3"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.5.5.11"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.5.5.10"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.5.5.1"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.5.5"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.5.0.1"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.5"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0.0.7"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0.0.6"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0.0.5"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0.0.4"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0.0.3"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0.0.2"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0.0.13"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0.0.12"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0.0.11"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0.0.1"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.4.27"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.5"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.43"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.39"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.27"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.25"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.21"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.19"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.17"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.15"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.13"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0"
},
{
"model": "linux sparc",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "linux s/390",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "linux powerpc",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "linux mips",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "linux ia-64",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "linux ia-32",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "linux arm",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "linux amd64",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "centos",
"scope": "eq",
"trust": 0.3,
"vendor": "centos",
"version": "6"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.4.25"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.4.20"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.4.19"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.4.18"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.4.17"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.4.16"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.4.14"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.4.12"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.4.11"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.4.10"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.4.4"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.2.26"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.2.25"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.2.24"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.2.23"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.2.15"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.2.14"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.2.13"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.2.12"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.2.11"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.2.10"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.2.3"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.2.2"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.2"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.4.3"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.4.24"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.4.2"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.4.13"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.4.1"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.4.0"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.2.32"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.2.29"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.2.22"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.2.21"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.2.20"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.2.19"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.2.18"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.2.17"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.2.1"
},
{
"model": "http server",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "9.0.0.5"
},
{
"model": "http server",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "8.5.5.12"
},
{
"model": "http server",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0.0.14"
},
{
"model": "http server",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.45"
},
{
"model": "apache",
"scope": "ne",
"trust": 0.3,
"vendor": "apache",
"version": "2.4.26"
},
{
"model": "2.2.33-dev",
"scope": "ne",
"trust": 0.3,
"vendor": "apache",
"version": null
}
],
"sources": [
{
"db": "BID",
"id": "99135"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-005023"
},
{
"db": "CNNVD",
"id": "CNNVD-201706-789"
},
{
"db": "NVD",
"id": "CVE-2017-3167"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:apache:httpd",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/h:nec:spoolserver_winspool",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:cosminexus_http_server",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:hitachi_application_server",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:hitachi_application_server_for_developers",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:it_operations_director",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:hitachi_web_server",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:job_management_partner_1_integrated_management",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:job_management_partner_1%2Fit_desktop_management",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:job_management_partner_1%2Fit_desktop_management-manager",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:job_management_partner_1_performance_management_web_console",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:jp1_automatic_job_management_system_3",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:jp1_automatic_operation",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:jp1_integrated_management",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:jp1_it_desktop_management",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:jp1%2Fit_desktop_management-manager",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:jp1_operation_analytics",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:jp1_performance_management",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:jp1_service_support",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:ucosminexus_application_server",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:ucosminexus_application_server_enterprise",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:ucosminexus_application_server_smart_edition",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:ucosminexus_application_server_standard",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:ucosminexus_developer",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:ucosminexus_developer_light",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:ucosminexus_developer_standard",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:ucosminexus_primary_server",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:ucosminexus_service_architect",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:ucosminexus_service_platform",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-005023"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Red Hat",
"sources": [
{
"db": "PACKETSTORM",
"id": "145457"
},
{
"db": "PACKETSTORM",
"id": "144960"
},
{
"db": "PACKETSTORM",
"id": "143766"
},
{
"db": "PACKETSTORM",
"id": "145455"
},
{
"db": "PACKETSTORM",
"id": "144968"
},
{
"db": "PACKETSTORM",
"id": "144969"
}
],
"trust": 0.6
},
"cve": "CVE-2017-3167",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2017-3167",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 1.9,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"id": "CVE-2017-3167",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 9.8,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2017-3167",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2017-3167",
"trust": 1.0,
"value": "CRITICAL"
},
{
"author": "NVD",
"id": "CVE-2017-3167",
"trust": 0.8,
"value": "Critical"
},
{
"author": "CNNVD",
"id": "CNNVD-201706-789",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULMON",
"id": "CVE-2017-3167",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2017-3167"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-005023"
},
{
"db": "CNNVD",
"id": "CNNVD-201706-789"
},
{
"db": "NVD",
"id": "CVE-2017-3167"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. Apache httpd Contains an authentication vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Apache HTTP Server is prone to an authentication bypass vulnerability. \nAn attacker can exploit this issue to bypass authentication mechanism and perform unauthorized actions. This may lead to further attacks. \nThe following versions are vulnerable:\nApache HTTP Server 2.2.0 to 2.2.32\nApache HTTP Server 2.4.0 to 2.4.25. This software, such as Apache HTTP Server, is\ncommon to multiple JBoss middleware products, and is packaged under Red Hat\nJBoss Core Services to allow for faster distribution of updates, and for a\nmore consistent update experience. \n\nThis release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23\nService Pack 3 serves as an update to Red Hat JBoss Core Services Apache\nHTTP Server 2.4.23 Service Pack 2, and includes bug fixes, which are\ndocumented in the Release Notes document linked to in the References. \n\nSecurity Fix(es):\n\n* An out-of-bounds array dereference was found in apr_time_exp_get(). An\nattacker could abuse an unvalidated usage of this function to cause a\ndenial of service or potentially lead to data leak. JIRA issues fixed (https://issues.jboss.org/):\n\nJBCS-403 - Errata for httpd 2.4.23.SP3 RHEL6\n\n7. (CVE-2017-7679)\n\n* A use-after-free flaw was found in the way httpd handled invalid and\npreviously unregistered HTTP methods specified in the Limit directive used\nin an .htaccess file. (CVE-2017-9798)\n\nRed Hat would like to thank Hanno BAPck for reporting CVE-2017-9798. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Important: httpd security update\nAdvisory ID: RHSA-2017:2478-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://access.redhat.com/errata/RHSA-2017:2478\nIssue date: 2017-08-15\nCVE Names: CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 \n CVE-2017-9788 \n=====================================================================\n\n1. Summary:\n\nAn update for httpd is now available for Red Hat Enterprise Linux 6. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Desktop (v. 6) - i386, x86_64\nRed Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64\nRed Hat Enterprise Linux HPC Node (v. 6) - x86_64\nRed Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64\nRed Hat Enterprise Linux Server (v. 6) - i386, noarch, ppc64, s390x, x86_64\nRed Hat Enterprise Linux Workstation (v. 6) - i386, noarch, x86_64\n\n3. \n\nSecurity Fix(es):\n\n* It was discovered that the httpd\u0027s mod_auth_digest module did not\nproperly initialize memory before using it when processing certain headers\nrelated to digest authentication. A remote attacker could possibly use this\nflaw to disclose potentially sensitive information or cause httpd child\nprocess to crash by sending specially crafted requests to a server. (CVE-2017-3167)\n\n* A NULL pointer dereference flaw was found in the httpd\u0027s mod_ssl module. \nA remote attacker could use this flaw to cause an httpd child process to\ncrash if another module used by httpd called a certain API function during\nthe processing of an HTTPS request. (CVE-2017-3169)\n\n* A buffer over-read flaw was found in the httpd\u0027s mod_mime module. A user\npermitted to modify httpd\u0027s MIME configuration could use this flaw to cause\nhttpd child process to crash. (CVE-2017-7679)\n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted\nautomatically. \n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1463194 - CVE-2017-3167 httpd: ap_get_basic_auth_pw() authentication bypass\n1463197 - CVE-2017-3169 httpd: mod_ssl NULL pointer dereference\n1463207 - CVE-2017-7679 httpd: mod_mime buffer overread\n1470748 - CVE-2017-9788 httpd: Uninitialized memory reflection in mod_auth_digest\n\n6. Package List:\n\nRed Hat Enterprise Linux Desktop (v. 6):\n\nSource:\nhttpd-2.2.15-60.el6_9.5.src.rpm\n\ni386:\nhttpd-2.2.15-60.el6_9.5.i686.rpm\nhttpd-debuginfo-2.2.15-60.el6_9.5.i686.rpm\nhttpd-tools-2.2.15-60.el6_9.5.i686.rpm\n\nx86_64:\nhttpd-2.2.15-60.el6_9.5.x86_64.rpm\nhttpd-debuginfo-2.2.15-60.el6_9.5.x86_64.rpm\nhttpd-tools-2.2.15-60.el6_9.5.x86_64.rpm\n\nRed Hat Enterprise Linux Desktop Optional (v. 6):\n\ni386:\nhttpd-debuginfo-2.2.15-60.el6_9.5.i686.rpm\nhttpd-devel-2.2.15-60.el6_9.5.i686.rpm\nmod_ssl-2.2.15-60.el6_9.5.i686.rpm\n\nnoarch:\nhttpd-manual-2.2.15-60.el6_9.5.noarch.rpm\n\nx86_64:\nhttpd-debuginfo-2.2.15-60.el6_9.5.i686.rpm\nhttpd-debuginfo-2.2.15-60.el6_9.5.x86_64.rpm\nhttpd-devel-2.2.15-60.el6_9.5.i686.rpm\nhttpd-devel-2.2.15-60.el6_9.5.x86_64.rpm\nmod_ssl-2.2.15-60.el6_9.5.x86_64.rpm\n\nRed Hat Enterprise Linux HPC Node (v. 6):\n\nSource:\nhttpd-2.2.15-60.el6_9.5.src.rpm\n\nx86_64:\nhttpd-2.2.15-60.el6_9.5.x86_64.rpm\nhttpd-debuginfo-2.2.15-60.el6_9.5.x86_64.rpm\nhttpd-tools-2.2.15-60.el6_9.5.x86_64.rpm\n\nRed Hat Enterprise Linux HPC Node Optional (v. 6):\n\nnoarch:\nhttpd-manual-2.2.15-60.el6_9.5.noarch.rpm\n\nx86_64:\nhttpd-debuginfo-2.2.15-60.el6_9.5.i686.rpm\nhttpd-debuginfo-2.2.15-60.el6_9.5.x86_64.rpm\nhttpd-devel-2.2.15-60.el6_9.5.i686.rpm\nhttpd-devel-2.2.15-60.el6_9.5.x86_64.rpm\nmod_ssl-2.2.15-60.el6_9.5.x86_64.rpm\n\nRed Hat Enterprise Linux Server (v. 6):\n\nSource:\nhttpd-2.2.15-60.el6_9.5.src.rpm\n\ni386:\nhttpd-2.2.15-60.el6_9.5.i686.rpm\nhttpd-debuginfo-2.2.15-60.el6_9.5.i686.rpm\nhttpd-devel-2.2.15-60.el6_9.5.i686.rpm\nhttpd-tools-2.2.15-60.el6_9.5.i686.rpm\nmod_ssl-2.2.15-60.el6_9.5.i686.rpm\n\nnoarch:\nhttpd-manual-2.2.15-60.el6_9.5.noarch.rpm\n\nppc64:\nhttpd-2.2.15-60.el6_9.5.ppc64.rpm\nhttpd-debuginfo-2.2.15-60.el6_9.5.ppc.rpm\nhttpd-debuginfo-2.2.15-60.el6_9.5.ppc64.rpm\nhttpd-devel-2.2.15-60.el6_9.5.ppc.rpm\nhttpd-devel-2.2.15-60.el6_9.5.ppc64.rpm\nhttpd-tools-2.2.15-60.el6_9.5.ppc64.rpm\nmod_ssl-2.2.15-60.el6_9.5.ppc64.rpm\n\ns390x:\nhttpd-2.2.15-60.el6_9.5.s390x.rpm\nhttpd-debuginfo-2.2.15-60.el6_9.5.s390.rpm\nhttpd-debuginfo-2.2.15-60.el6_9.5.s390x.rpm\nhttpd-devel-2.2.15-60.el6_9.5.s390.rpm\nhttpd-devel-2.2.15-60.el6_9.5.s390x.rpm\nhttpd-tools-2.2.15-60.el6_9.5.s390x.rpm\nmod_ssl-2.2.15-60.el6_9.5.s390x.rpm\n\nx86_64:\nhttpd-2.2.15-60.el6_9.5.x86_64.rpm\nhttpd-debuginfo-2.2.15-60.el6_9.5.i686.rpm\nhttpd-debuginfo-2.2.15-60.el6_9.5.x86_64.rpm\nhttpd-devel-2.2.15-60.el6_9.5.i686.rpm\nhttpd-devel-2.2.15-60.el6_9.5.x86_64.rpm\nhttpd-tools-2.2.15-60.el6_9.5.x86_64.rpm\nmod_ssl-2.2.15-60.el6_9.5.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation (v. 6):\n\nSource:\nhttpd-2.2.15-60.el6_9.5.src.rpm\n\ni386:\nhttpd-2.2.15-60.el6_9.5.i686.rpm\nhttpd-debuginfo-2.2.15-60.el6_9.5.i686.rpm\nhttpd-devel-2.2.15-60.el6_9.5.i686.rpm\nhttpd-tools-2.2.15-60.el6_9.5.i686.rpm\nmod_ssl-2.2.15-60.el6_9.5.i686.rpm\n\nnoarch:\nhttpd-manual-2.2.15-60.el6_9.5.noarch.rpm\n\nx86_64:\nhttpd-2.2.15-60.el6_9.5.x86_64.rpm\nhttpd-debuginfo-2.2.15-60.el6_9.5.i686.rpm\nhttpd-debuginfo-2.2.15-60.el6_9.5.x86_64.rpm\nhttpd-devel-2.2.15-60.el6_9.5.i686.rpm\nhttpd-devel-2.2.15-60.el6_9.5.x86_64.rpm\nhttpd-tools-2.2.15-60.el6_9.5.x86_64.rpm\nmod_ssl-2.2.15-60.el6_9.5.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2017-3167\nhttps://access.redhat.com/security/cve/CVE-2017-3169\nhttps://access.redhat.com/security/cve/CVE-2017-7679\nhttps://access.redhat.com/security/cve/CVE-2017-9788\nhttps://access.redhat.com/security/updates/classification/#important\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2017 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niD8DBQFZkzq3XlSAg2UNWIIRAjxIAJ9JoJcSMguc2VTpgJl2P5BGoM2IrACfXd/8\nJxb2g1bdehw6Jjq0qF13AEM=\n=ZvYI\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. Solution:\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting Red Hat JBoss Web Server installation (including all applications\nand configuration files)",
"sources": [
{
"db": "NVD",
"id": "CVE-2017-3167"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-005023"
},
{
"db": "BID",
"id": "99135"
},
{
"db": "VULMON",
"id": "CVE-2017-3167"
},
{
"db": "PACKETSTORM",
"id": "145457"
},
{
"db": "PACKETSTORM",
"id": "144960"
},
{
"db": "PACKETSTORM",
"id": "143766"
},
{
"db": "PACKETSTORM",
"id": "145455"
},
{
"db": "PACKETSTORM",
"id": "144968"
},
{
"db": "PACKETSTORM",
"id": "144969"
}
],
"trust": 2.52
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2017-3167",
"trust": 3.4
},
{
"db": "BID",
"id": "99135",
"trust": 1.9
},
{
"db": "TENABLE",
"id": "TNS-2019-09",
"trust": 1.6
},
{
"db": "SECTRACK",
"id": "1038711",
"trust": 1.6
},
{
"db": "JVN",
"id": "JVNVU98416507",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2017-005023",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201706-789",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2017-3167",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "145457",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "144960",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "143766",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "145455",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "144968",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "144969",
"trust": 0.1
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2017-3167"
},
{
"db": "BID",
"id": "99135"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-005023"
},
{
"db": "PACKETSTORM",
"id": "145457"
},
{
"db": "PACKETSTORM",
"id": "144960"
},
{
"db": "PACKETSTORM",
"id": "143766"
},
{
"db": "PACKETSTORM",
"id": "145455"
},
{
"db": "PACKETSTORM",
"id": "144968"
},
{
"db": "PACKETSTORM",
"id": "144969"
},
{
"db": "CNNVD",
"id": "CNNVD-201706-789"
},
{
"db": "NVD",
"id": "CVE-2017-3167"
}
]
},
"id": "VAR-201706-0272",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.22125000333333333
},
"last_update_date": "2024-11-28T20:16:29.015000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "hitachi-sec-2017-123",
"trust": 0.8,
"url": "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-123/index.html"
},
{
"title": "hitachi-sec-2018-103",
"trust": 0.8,
"url": "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2018-103/index.html"
},
{
"title": "NV17-014",
"trust": 0.8,
"url": "http://jpn.nec.com/security-info/secinfo/nv17-014.html"
},
{
"title": "CVE-2017-3167: ap_get_basic_auth_pw authentication bypass",
"trust": 0.8,
"url": "https://lists.apache.org/thread.html/8409e41a8f7dd9ded37141c38df001be930115428c3d64f70bbdb8b4@%3Cdev.httpd.apache.org%3E"
},
{
"title": "hitachi-sec-2017-123",
"trust": 0.8,
"url": "http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/hitachi-sec-2017-123/index.html"
},
{
"title": "hitachi-sec-2018-103",
"trust": 0.8,
"url": "http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/hitachi-sec-2018-103/index.html"
},
{
"title": "Apache httpd Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=71073"
},
{
"title": "Red Hat: Important: httpd security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20173194 - Security Advisory"
},
{
"title": "Red Hat: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20173476 - Security Advisory"
},
{
"title": "Red Hat: Important: httpd security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20173193 - Security Advisory"
},
{
"title": "Red Hat: Important: httpd security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20173195 - Security Advisory"
},
{
"title": "Red Hat: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20173475 - Security Advisory"
},
{
"title": "Red Hat: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20173477 - Security Advisory"
},
{
"title": "Red Hat: CVE-2017-3167",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=CVE-2017-3167"
},
{
"title": "Ubuntu Security Notice: apache2 vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-3340-1"
},
{
"title": "Arch Linux Issues: ",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues\u0026qid=CVE-2017-3167"
},
{
"title": "Ubuntu Security Notice: apache2 vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-3373-1"
},
{
"title": "Debian Security Advisories: DSA-3896-1 apache2 -- security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=a100e91e6529637522c4f74492953f8c"
},
{
"title": "Amazon Linux AMI: ALAS-2017-892",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2017-892"
},
{
"title": "Arch Linux Advisories: [ASA-201706-34] apache: multiple issues",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories\u0026qid=ASA-201706-34"
},
{
"title": "Amazon Linux AMI: ALAS-2017-863",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2017-863"
},
{
"title": "Symantec Security Advisories: SA154: Apache httpd Vulnerabilities June 2017",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=symantec_security_advisories\u0026qid=6f891c1513dfb5c26769ed38bcac6e4f"
},
{
"title": "Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - July 2017",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins\u0026qid=a22ad41e97bbfc5abb0bb927bf43089c"
},
{
"title": "Tenable Security Advisories: [R1] Tenable.sc 5.13.0 Fixes Multiple Third-Party Vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=tenable_security_advisories\u0026qid=TNS-2019-09"
},
{
"title": "Oracle Linux Bulletins: Oracle Linux Bulletin - July 2017",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_linux_bulletins\u0026qid=549dc795290b298746065b62b4bb7928"
},
{
"title": "Oracle: Oracle Critical Patch Update Advisory - October 2017",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories\u0026qid=523d3f220a64ff01dd95e064bd37566a"
},
{
"title": "Final-Project",
"trust": 0.1,
"url": "https://github.com/Jason134526/Final-Project "
},
{
"title": "Cyber-Security-Final-Project",
"trust": 0.1,
"url": "https://github.com/jklinges14/Cyber-Security-Final-Project "
},
{
"title": "GyoiThon",
"trust": 0.1,
"url": "https://github.com/gyoisamurai/GyoiThon "
},
{
"title": "nrich",
"trust": 0.1,
"url": "https://github.com/retr0-13/nrich "
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/RoseSecurity-Research/Red-Teaming-TTPs "
},
{
"title": "Red-Teaming-TTPs",
"trust": 0.1,
"url": "https://github.com/RoseSecurity/Red-Teaming-TTPs "
},
{
"title": "Shodan-nrich",
"trust": 0.1,
"url": "https://github.com/PawanKumarPandit/Shodan-nrich "
},
{
"title": "DC-3-Vulnhub-Walkthrough",
"trust": 0.1,
"url": "https://github.com/vshaliii/DC-3-Vulnhub-Walkthrough "
},
{
"title": "DC-1-Vulnhub-Walkthrough",
"trust": 0.1,
"url": "https://github.com/vshaliii/DC-1-Vulnhub-Walkthrough "
},
{
"title": "DC-2-Vulnhub-Walkthrough",
"trust": 0.1,
"url": "https://github.com/vshaliii/DC-2-Vulnhub-Walkthrough "
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/hrbrmstr/internetdb "
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/SecureAxom/strike "
},
{
"title": "pigat",
"trust": 0.1,
"url": "https://github.com/syadg123/pigat "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2017-3167"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-005023"
},
{
"db": "CNNVD",
"id": "CNNVD-201706-789"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-287",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-005023"
},
{
"db": "NVD",
"id": "CVE-2017-3167"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.7,
"url": "https://access.redhat.com/errata/rhsa-2017:3477"
},
{
"trust": 1.7,
"url": "https://access.redhat.com/errata/rhsa-2017:3193"
},
{
"trust": 1.7,
"url": "https://access.redhat.com/errata/rhsa-2017:2478"
},
{
"trust": 1.7,
"url": "https://access.redhat.com/errata/rhsa-2017:3475"
},
{
"trust": 1.7,
"url": "https://access.redhat.com/errata/rhsa-2017:3194"
},
{
"trust": 1.7,
"url": "https://access.redhat.com/errata/rhsa-2017:3195"
},
{
"trust": 1.6,
"url": "https://support.hpe.com/hpsc/doc/public/display?doclocale=en_us\u0026docid=emr_na-hpesbux03908en_us"
},
{
"trust": 1.6,
"url": "https://security.gentoo.org/glsa/201710-32"
},
{
"trust": 1.6,
"url": "https://support.apple.com/ht208221"
},
{
"trust": 1.6,
"url": "https://security.netapp.com/advisory/ntap-20180601-0002/"
},
{
"trust": 1.6,
"url": "http://www.debian.org/security/2017/dsa-3896"
},
{
"trust": 1.6,
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"trust": 1.6,
"url": "http://www.securitytracker.com/id/1038711"
},
{
"trust": 1.6,
"url": "http://www.securityfocus.com/bid/99135"
},
{
"trust": 1.6,
"url": "https://access.redhat.com/errata/rhsa-2017:2479"
},
{
"trust": 1.6,
"url": "https://www.nomachine.com/su08o00185"
},
{
"trust": 1.6,
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"trust": 1.6,
"url": "https://access.redhat.com/errata/rhsa-2017:3476"
},
{
"trust": 1.6,
"url": "https://access.redhat.com/errata/rhsa-2017:2483"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-3167"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/8409e41a8f7dd9ded37141c38df001be930115428c3d64f70bbdb8b4%40%3cdev.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 0.9,
"url": "https://access.redhat.com/security/cve/cve-2017-3167"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3167"
},
{
"trust": 0.8,
"url": "https://jvn.jp/vu/jvnvu98416507/"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/cve/cve-2017-7679"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-7679"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-3169"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.6,
"url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/cve/cve-2017-3169"
},
{
"trust": 0.6,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.6,
"url": "httpd.apache.org%3e"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/8409e41a8f7dd9ded37141c38df001be930115428c3d64f70bbdb8b4@%3cdev."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3ccvs."
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/cve/cve-2017-9798"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9798"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2017-9788"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9788"
},
{
"trust": 0.3,
"url": "http://httpd.apache.org/"
},
{
"trust": 0.3,
"url": "https://httpd.apache.org/security/vulnerabilities_22.html"
},
{
"trust": 0.3,
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg24043880"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=nas8n1022204"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg22005280"
},
{
"trust": 0.2,
"url": "https://issues.jboss.org/):"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/documentation/en/red-hat-jboss-core-services/"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2017-12613"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-12613"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2017-7668"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-7668"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=core.service.apachehttp\u0026downloadtype=securitypatches\u0026version=2.4.23"
}
],
"sources": [
{
"db": "BID",
"id": "99135"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-005023"
},
{
"db": "PACKETSTORM",
"id": "145457"
},
{
"db": "PACKETSTORM",
"id": "144960"
},
{
"db": "PACKETSTORM",
"id": "143766"
},
{
"db": "PACKETSTORM",
"id": "145455"
},
{
"db": "PACKETSTORM",
"id": "144968"
},
{
"db": "PACKETSTORM",
"id": "144969"
},
{
"db": "CNNVD",
"id": "CNNVD-201706-789"
},
{
"db": "NVD",
"id": "CVE-2017-3167"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULMON",
"id": "CVE-2017-3167"
},
{
"db": "BID",
"id": "99135"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-005023"
},
{
"db": "PACKETSTORM",
"id": "145457"
},
{
"db": "PACKETSTORM",
"id": "144960"
},
{
"db": "PACKETSTORM",
"id": "143766"
},
{
"db": "PACKETSTORM",
"id": "145455"
},
{
"db": "PACKETSTORM",
"id": "144968"
},
{
"db": "PACKETSTORM",
"id": "144969"
},
{
"db": "CNNVD",
"id": "CNNVD-201706-789"
},
{
"db": "NVD",
"id": "CVE-2017-3167"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-06-20T00:00:00",
"db": "VULMON",
"id": "CVE-2017-3167"
},
{
"date": "2017-06-19T00:00:00",
"db": "BID",
"id": "99135"
},
{
"date": "2017-07-13T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2017-005023"
},
{
"date": "2017-12-17T15:29:14",
"db": "PACKETSTORM",
"id": "145457"
},
{
"date": "2017-11-13T22:23:00",
"db": "PACKETSTORM",
"id": "144960"
},
{
"date": "2017-08-15T22:24:00",
"db": "PACKETSTORM",
"id": "143766"
},
{
"date": "2017-12-17T15:27:58",
"db": "PACKETSTORM",
"id": "145455"
},
{
"date": "2017-11-14T04:32:05",
"db": "PACKETSTORM",
"id": "144968"
},
{
"date": "2017-11-14T04:32:14",
"db": "PACKETSTORM",
"id": "144969"
},
{
"date": "2017-06-20T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201706-789"
},
{
"date": "2017-06-20T01:29:00.330000",
"db": "NVD",
"id": "CVE-2017-3167"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-11-07T00:00:00",
"db": "VULMON",
"id": "CVE-2017-3167"
},
{
"date": "2017-08-16T08:10:00",
"db": "BID",
"id": "99135"
},
{
"date": "2018-02-01T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2017-005023"
},
{
"date": "2021-06-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201706-789"
},
{
"date": "2024-11-21T03:24:58.100000",
"db": "NVD",
"id": "CVE-2017-3167"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "144960"
},
{
"db": "PACKETSTORM",
"id": "143766"
},
{
"db": "PACKETSTORM",
"id": "144968"
},
{
"db": "PACKETSTORM",
"id": "144969"
},
{
"db": "CNNVD",
"id": "CNNVD-201706-789"
}
],
"trust": 1.0
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache httpd Vulnerabilities in authentication",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-005023"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "authorization issue",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201706-789"
}
],
"trust": 0.6
}
}
var-202109-1803
Vulnerability from variot
ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier. The server is fast, reliable and extensible through a simple API. An attacker could exploit this vulnerability to write malicious content and execute it. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Important: httpd security update Advisory ID: RHSA-2022:0143-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2022:0143 Issue date: 2022-01-17 CVE Names: CVE-2021-26691 CVE-2021-34798 CVE-2021-39275 CVE-2021-44790 ==================================================================== 1. Summary:
An update for httpd is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
Security Fix(es):
-
httpd: mod_lua: Possible buffer overflow when parsing multipart content (CVE-2021-44790)
-
httpd: mod_session: Heap overflow via a crafted SessionHeader value (CVE-2021-26691)
-
httpd: NULL pointer dereference via malformed requests (CVE-2021-34798)
-
httpd: Out-of-bounds write in ap_escape_quotes() via malicious input (CVE-2021-39275)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
- Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the updated packages, the httpd daemon will be restarted automatically.
- Bugs fixed (https://bugzilla.redhat.com/):
1966732 - CVE-2021-26691 httpd: mod_session: Heap overflow via a crafted SessionHeader value 2005119 - CVE-2021-39275 httpd: Out-of-bounds write in ap_escape_quotes() via malicious input 2005128 - CVE-2021-34798 httpd: NULL pointer dereference via malformed requests 2034674 - CVE-2021-44790 httpd: mod_lua: Possible buffer overflow when parsing multipart content
- Package List:
Red Hat Enterprise Linux Client Optional (v. 7):
Source: httpd-2.4.6-97.el7_9.4.src.rpm
noarch: httpd-manual-2.4.6-97.el7_9.4.noarch.rpm
x86_64: httpd-2.4.6-97.el7_9.4.x86_64.rpm httpd-debuginfo-2.4.6-97.el7_9.4.x86_64.rpm httpd-devel-2.4.6-97.el7_9.4.x86_64.rpm httpd-tools-2.4.6-97.el7_9.4.x86_64.rpm mod_ldap-2.4.6-97.el7_9.4.x86_64.rpm mod_proxy_html-2.4.6-97.el7_9.4.x86_64.rpm mod_session-2.4.6-97.el7_9.4.x86_64.rpm mod_ssl-2.4.6-97.el7_9.4.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
Source: httpd-2.4.6-97.el7_9.4.src.rpm
noarch: httpd-manual-2.4.6-97.el7_9.4.noarch.rpm
x86_64: httpd-2.4.6-97.el7_9.4.x86_64.rpm httpd-debuginfo-2.4.6-97.el7_9.4.x86_64.rpm httpd-devel-2.4.6-97.el7_9.4.x86_64.rpm httpd-tools-2.4.6-97.el7_9.4.x86_64.rpm mod_ldap-2.4.6-97.el7_9.4.x86_64.rpm mod_proxy_html-2.4.6-97.el7_9.4.x86_64.rpm mod_session-2.4.6-97.el7_9.4.x86_64.rpm mod_ssl-2.4.6-97.el7_9.4.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source: httpd-2.4.6-97.el7_9.4.src.rpm
noarch: httpd-manual-2.4.6-97.el7_9.4.noarch.rpm
ppc64: httpd-2.4.6-97.el7_9.4.ppc64.rpm httpd-debuginfo-2.4.6-97.el7_9.4.ppc64.rpm httpd-devel-2.4.6-97.el7_9.4.ppc64.rpm httpd-tools-2.4.6-97.el7_9.4.ppc64.rpm mod_session-2.4.6-97.el7_9.4.ppc64.rpm mod_ssl-2.4.6-97.el7_9.4.ppc64.rpm
ppc64le: httpd-2.4.6-97.el7_9.4.ppc64le.rpm httpd-debuginfo-2.4.6-97.el7_9.4.ppc64le.rpm httpd-devel-2.4.6-97.el7_9.4.ppc64le.rpm httpd-tools-2.4.6-97.el7_9.4.ppc64le.rpm mod_session-2.4.6-97.el7_9.4.ppc64le.rpm mod_ssl-2.4.6-97.el7_9.4.ppc64le.rpm
s390x: httpd-2.4.6-97.el7_9.4.s390x.rpm httpd-debuginfo-2.4.6-97.el7_9.4.s390x.rpm httpd-devel-2.4.6-97.el7_9.4.s390x.rpm httpd-tools-2.4.6-97.el7_9.4.s390x.rpm mod_session-2.4.6-97.el7_9.4.s390x.rpm mod_ssl-2.4.6-97.el7_9.4.s390x.rpm
x86_64: httpd-2.4.6-97.el7_9.4.x86_64.rpm httpd-debuginfo-2.4.6-97.el7_9.4.x86_64.rpm httpd-devel-2.4.6-97.el7_9.4.x86_64.rpm httpd-tools-2.4.6-97.el7_9.4.x86_64.rpm mod_session-2.4.6-97.el7_9.4.x86_64.rpm mod_ssl-2.4.6-97.el7_9.4.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64: httpd-debuginfo-2.4.6-97.el7_9.4.ppc64.rpm mod_ldap-2.4.6-97.el7_9.4.ppc64.rpm mod_proxy_html-2.4.6-97.el7_9.4.ppc64.rpm
ppc64le: httpd-debuginfo-2.4.6-97.el7_9.4.ppc64le.rpm mod_ldap-2.4.6-97.el7_9.4.ppc64le.rpm mod_proxy_html-2.4.6-97.el7_9.4.ppc64le.rpm
s390x: httpd-debuginfo-2.4.6-97.el7_9.4.s390x.rpm mod_ldap-2.4.6-97.el7_9.4.s390x.rpm mod_proxy_html-2.4.6-97.el7_9.4.s390x.rpm
x86_64: httpd-debuginfo-2.4.6-97.el7_9.4.x86_64.rpm mod_ldap-2.4.6-97.el7_9.4.x86_64.rpm mod_proxy_html-2.4.6-97.el7_9.4.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source: httpd-2.4.6-97.el7_9.4.src.rpm
noarch: httpd-manual-2.4.6-97.el7_9.4.noarch.rpm
x86_64: httpd-2.4.6-97.el7_9.4.x86_64.rpm httpd-debuginfo-2.4.6-97.el7_9.4.x86_64.rpm httpd-devel-2.4.6-97.el7_9.4.x86_64.rpm httpd-tools-2.4.6-97.el7_9.4.x86_64.rpm mod_session-2.4.6-97.el7_9.4.x86_64.rpm mod_ssl-2.4.6-97.el7_9.4.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64: httpd-debuginfo-2.4.6-97.el7_9.4.x86_64.rpm mod_ldap-2.4.6-97.el7_9.4.x86_64.rpm mod_proxy_html-2.4.6-97.el7_9.4.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2021-26691 https://access.redhat.com/security/cve/CVE-2021-34798 https://access.redhat.com/security/cve/CVE-2021-39275 https://access.redhat.com/security/cve/CVE-2021-44790 https://access.redhat.com/security/updates/classification/#important
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBYeVdC9zjgjWX9erEAQgzNw/8CjsxUvDW64dwvpcYH/OWJhKqvD53sX+w ivf4+hhCsEVLvrjD0eTNkbeza+dcZqoR5swL0IjAGXKJ/0q/oh4/yxq2ydgvEYsY rAjts0tnynoswBaFo6eaBlcNxQroGID0uqgXkUFt37m4eetACuOSVRcZ7/sNsqBS iQF4l16vjNvKeOdKY8nSNe77Dt1/Lj41NoL6XbAZPuvaiLBqqGOY9xYfZSSmFHFq H4dB8cfMC4cWysFtnzffJ+dJdzcWNOxklwLlZe72JoAJYP59da2YuIoE2LsQRGPC Occ84zH/UZx4JWJhF7FEEALC/tizfFqu9qWr1OIDmSVTEAZ+6IZ/mDeF83+0Mrc4 AiV3oiJi7Fx4XTDUL8fim+FORaSI2IR7LK1Zjau1qCN04ayyFXwJdK/fwgIWJHon gYhyUsAj7F7At9m8cCVRP5K4jjmr0qrmsF1M1B6xqMLWlYNcWu3obJS/FbiSdwQJ 7jFdBagThGOzIle0eGk0iMZ+vRJSuaSMZ7GDA14o46KB+EkvYLe+wi6jBQXJeD6Q Oueenu2JiMvB8+dJNYrn9uQY+8WHyCVV1HMMmVo9LajA1FJRXgMIQN5ZmDMoDW73 qFV+VCOHtKPI2hC8ngZYy2RyEUhK4t3f7xmJgtoJ4/DuaGsRWL7xZPL7gLHxWnS4 5VjPyLrWg5U=TyMo -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . 8) - aarch64, noarch, ppc64le, s390x, x86_64
- This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.
This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.51 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.37 Service Pack 10, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202208-20
https://security.gentoo.org/
Severity: High Title: Apache HTTPD: Multiple Vulnerabilities Date: August 14, 2022 Bugs: #813429, #816399, #816864, #829722, #835131, #850622 ID: 202208-20
Synopsis
Multiple vulnerabilities have been discovered in Apache Webserver, the worst of which could result in remote code execution. Please review the CVE identifiers referenced below for details.
Impact
Please review the referenced CVE identifiers for details.
Workaround
There is no known workaround at this time.
Resolution
All Apache HTTPD users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/apache-2.4.54"
All Apache HTTPD tools users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=app-admin/apache-tools-2.4.54"
References
[ 1 ] CVE-2021-33193 https://nvd.nist.gov/vuln/detail/CVE-2021-33193 [ 2 ] CVE-2021-34798 https://nvd.nist.gov/vuln/detail/CVE-2021-34798 [ 3 ] CVE-2021-36160 https://nvd.nist.gov/vuln/detail/CVE-2021-36160 [ 4 ] CVE-2021-39275 https://nvd.nist.gov/vuln/detail/CVE-2021-39275 [ 5 ] CVE-2021-40438 https://nvd.nist.gov/vuln/detail/CVE-2021-40438 [ 6 ] CVE-2021-41524 https://nvd.nist.gov/vuln/detail/CVE-2021-41524 [ 7 ] CVE-2021-41773 https://nvd.nist.gov/vuln/detail/CVE-2021-41773 [ 8 ] CVE-2021-42013 https://nvd.nist.gov/vuln/detail/CVE-2021-42013 [ 9 ] CVE-2021-44224 https://nvd.nist.gov/vuln/detail/CVE-2021-44224 [ 10 ] CVE-2021-44790 https://nvd.nist.gov/vuln/detail/CVE-2021-44790 [ 11 ] CVE-2022-22719 https://nvd.nist.gov/vuln/detail/CVE-2022-22719 [ 12 ] CVE-2022-22720 https://nvd.nist.gov/vuln/detail/CVE-2022-22720 [ 13 ] CVE-2022-22721 https://nvd.nist.gov/vuln/detail/CVE-2022-22721 [ 14 ] CVE-2022-23943 https://nvd.nist.gov/vuln/detail/CVE-2022-23943 [ 15 ] CVE-2022-26377 https://nvd.nist.gov/vuln/detail/CVE-2022-26377 [ 16 ] CVE-2022-28614 https://nvd.nist.gov/vuln/detail/CVE-2022-28614 [ 17 ] CVE-2022-28615 https://nvd.nist.gov/vuln/detail/CVE-2022-28615 [ 18 ] CVE-2022-29404 https://nvd.nist.gov/vuln/detail/CVE-2022-29404 [ 19 ] CVE-2022-30522 https://nvd.nist.gov/vuln/detail/CVE-2022-30522 [ 20 ] CVE-2022-30556 https://nvd.nist.gov/vuln/detail/CVE-2022-30556 [ 21 ] CVE-2022-31813 https://nvd.nist.gov/vuln/detail/CVE-2022-31813
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202208-20
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2022 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5 . ========================================================================== Ubuntu Security Notice USN-5090-3 September 28, 2021
apache2 regression
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 21.04
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
USN-5090-1 introduced a regression in Apache HTTP Server. One of the upstream fixes introduced a regression in UDS URIs. This update fixes the problem.
Original advisory details:
James Kettle discovered that the Apache HTTP Server HTTP/2 module incorrectly handled certain crafted methods. A remote attacker could possibly use this issue to perform request splitting or cache poisoning attacks. A remote attacker could possibly use this issue to cause the server to crash, resulting in a denial of service. (CVE-2021-34798) Li Zhi Xin discovered that the Apache mod_proxy_uwsgi module incorrectly handled certain request uri-paths. A remote attacker could possibly use this issue to cause the server to crash, resulting in a denial of service. This issue only affected Ubuntu 20.04 LTS and Ubuntu 21.04. If the server was configured with third-party modules, a remote attacker could use this issue to cause the server to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2021-39275) It was discovered that the Apache mod_proxy module incorrectly handled certain request uri-paths. A remote attacker could possibly use this issue to cause the server to forward requests to arbitrary origin servers. (CVE-2021-40438)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 21.04: apache2 2.4.46-4ubuntu1.3 apache2-bin 2.4.46-4ubuntu1.3
Ubuntu 20.04 LTS: apache2 2.4.41-4ubuntu3.6 apache2-bin 2.4.41-4ubuntu3.6
Ubuntu 18.04 LTS: apache2 2.4.29-1ubuntu4.18 apache2-bin 2.4.29-1ubuntu4.18
In general, a standard system update will make all the necessary changes
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202109-1803",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "ucosminexus service platform",
"scope": null,
"trust": 1.6,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "ucosminexus application server",
"scope": null,
"trust": 1.6,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "ucosminexus primary server base",
"scope": null,
"trust": 1.6,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "instantis enterprisetrack",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "17.2"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "34"
},
{
"model": "instantis enterprisetrack",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "17.3"
},
{
"model": "http server",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.2.1.4.0"
},
{
"model": "instantis enterprisetrack",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "17.1"
},
{
"model": "clustered data ontap",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "zfs storage appliance kit",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.8"
},
{
"model": "sinec nms",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "sinema server",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "14.0"
},
{
"model": "cloud backup",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "11.0"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "10.0"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "35"
},
{
"model": "storagegrid",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "http server",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.2.1.3.0"
},
{
"model": "http server",
"scope": "lte",
"trust": 1.0,
"vendor": "apache",
"version": "2.4.48"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "9.0"
},
{
"model": "ucosminexus developer",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "hitachi web server - custom edition",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "http server",
"scope": null,
"trust": 0.8,
"vendor": "apache",
"version": null
},
{
"model": "ucosminexus application server-r",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "ucosminexus service architect",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "storagegrid",
"scope": null,
"trust": 0.8,
"vendor": "netapp",
"version": null
},
{
"model": "fedora",
"scope": null,
"trust": 0.8,
"vendor": "fedora",
"version": null
},
{
"model": "gnu/linux",
"scope": null,
"trust": 0.8,
"vendor": "debian",
"version": null
},
{
"model": "hitachi web server",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "cosminexus http server",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "clustered data ontap",
"scope": null,
"trust": 0.8,
"vendor": "netapp",
"version": null
},
{
"model": "http server",
"scope": "lte",
"trust": 0.6,
"vendor": "apache",
"version": "\u003c=2.4.48"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-03225"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008414"
},
{
"db": "NVD",
"id": "CVE-2021-39275"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Siemens reported these vulnerabilities to CISA.",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202109-1098"
}
],
"trust": 0.6
},
"cve": "CVE-2021-39275",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2021-39275",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 1.9,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2022-03225",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-400791",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"id": "CVE-2021-39275",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 9.8,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2021-39275",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2021-39275",
"trust": 1.0,
"value": "CRITICAL"
},
{
"author": "NVD",
"id": "CVE-2021-39275",
"trust": 0.8,
"value": "Critical"
},
{
"author": "CNVD",
"id": "CNVD-2022-03225",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202109-1098",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-400791",
"trust": 0.1,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2021-39275",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-03225"
},
{
"db": "VULHUB",
"id": "VHN-400791"
},
{
"db": "VULMON",
"id": "CVE-2021-39275"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008414"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1098"
},
{
"db": "NVD",
"id": "CVE-2021-39275"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier. The server is fast, reliable and extensible through a simple API. An attacker could exploit this vulnerability to write malicious content and execute it. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Important: httpd security update\nAdvisory ID: RHSA-2022:0143-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://access.redhat.com/errata/RHSA-2022:0143\nIssue date: 2022-01-17\nCVE Names: CVE-2021-26691 CVE-2021-34798 CVE-2021-39275\n CVE-2021-44790\n====================================================================\n1. Summary:\n\nAn update for httpd is now available for Red Hat Enterprise Linux 7. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64\nRed Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64\nRed Hat Enterprise Linux Server (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64\nRed Hat Enterprise Linux Workstation Optional (v. 7) - x86_64\n\n3. \n\nSecurity Fix(es):\n\n* httpd: mod_lua: Possible buffer overflow when parsing multipart content\n(CVE-2021-44790)\n\n* httpd: mod_session: Heap overflow via a crafted SessionHeader value\n(CVE-2021-26691)\n\n* httpd: NULL pointer dereference via malformed requests (CVE-2021-34798)\n\n* httpd: Out-of-bounds write in ap_escape_quotes() via malicious input\n(CVE-2021-39275)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted\nautomatically. \n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1966732 - CVE-2021-26691 httpd: mod_session: Heap overflow via a crafted SessionHeader value\n2005119 - CVE-2021-39275 httpd: Out-of-bounds write in ap_escape_quotes() via malicious input\n2005128 - CVE-2021-34798 httpd: NULL pointer dereference via malformed requests\n2034674 - CVE-2021-44790 httpd: mod_lua: Possible buffer overflow when parsing multipart content\n\n6. Package List:\n\nRed Hat Enterprise Linux Client Optional (v. 7):\n\nSource:\nhttpd-2.4.6-97.el7_9.4.src.rpm\n\nnoarch:\nhttpd-manual-2.4.6-97.el7_9.4.noarch.rpm\n\nx86_64:\nhttpd-2.4.6-97.el7_9.4.x86_64.rpm\nhttpd-debuginfo-2.4.6-97.el7_9.4.x86_64.rpm\nhttpd-devel-2.4.6-97.el7_9.4.x86_64.rpm\nhttpd-tools-2.4.6-97.el7_9.4.x86_64.rpm\nmod_ldap-2.4.6-97.el7_9.4.x86_64.rpm\nmod_proxy_html-2.4.6-97.el7_9.4.x86_64.rpm\nmod_session-2.4.6-97.el7_9.4.x86_64.rpm\nmod_ssl-2.4.6-97.el7_9.4.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode Optional (v. 7):\n\nSource:\nhttpd-2.4.6-97.el7_9.4.src.rpm\n\nnoarch:\nhttpd-manual-2.4.6-97.el7_9.4.noarch.rpm\n\nx86_64:\nhttpd-2.4.6-97.el7_9.4.x86_64.rpm\nhttpd-debuginfo-2.4.6-97.el7_9.4.x86_64.rpm\nhttpd-devel-2.4.6-97.el7_9.4.x86_64.rpm\nhttpd-tools-2.4.6-97.el7_9.4.x86_64.rpm\nmod_ldap-2.4.6-97.el7_9.4.x86_64.rpm\nmod_proxy_html-2.4.6-97.el7_9.4.x86_64.rpm\nmod_session-2.4.6-97.el7_9.4.x86_64.rpm\nmod_ssl-2.4.6-97.el7_9.4.x86_64.rpm\n\nRed Hat Enterprise Linux Server (v. 7):\n\nSource:\nhttpd-2.4.6-97.el7_9.4.src.rpm\n\nnoarch:\nhttpd-manual-2.4.6-97.el7_9.4.noarch.rpm\n\nppc64:\nhttpd-2.4.6-97.el7_9.4.ppc64.rpm\nhttpd-debuginfo-2.4.6-97.el7_9.4.ppc64.rpm\nhttpd-devel-2.4.6-97.el7_9.4.ppc64.rpm\nhttpd-tools-2.4.6-97.el7_9.4.ppc64.rpm\nmod_session-2.4.6-97.el7_9.4.ppc64.rpm\nmod_ssl-2.4.6-97.el7_9.4.ppc64.rpm\n\nppc64le:\nhttpd-2.4.6-97.el7_9.4.ppc64le.rpm\nhttpd-debuginfo-2.4.6-97.el7_9.4.ppc64le.rpm\nhttpd-devel-2.4.6-97.el7_9.4.ppc64le.rpm\nhttpd-tools-2.4.6-97.el7_9.4.ppc64le.rpm\nmod_session-2.4.6-97.el7_9.4.ppc64le.rpm\nmod_ssl-2.4.6-97.el7_9.4.ppc64le.rpm\n\ns390x:\nhttpd-2.4.6-97.el7_9.4.s390x.rpm\nhttpd-debuginfo-2.4.6-97.el7_9.4.s390x.rpm\nhttpd-devel-2.4.6-97.el7_9.4.s390x.rpm\nhttpd-tools-2.4.6-97.el7_9.4.s390x.rpm\nmod_session-2.4.6-97.el7_9.4.s390x.rpm\nmod_ssl-2.4.6-97.el7_9.4.s390x.rpm\n\nx86_64:\nhttpd-2.4.6-97.el7_9.4.x86_64.rpm\nhttpd-debuginfo-2.4.6-97.el7_9.4.x86_64.rpm\nhttpd-devel-2.4.6-97.el7_9.4.x86_64.rpm\nhttpd-tools-2.4.6-97.el7_9.4.x86_64.rpm\nmod_session-2.4.6-97.el7_9.4.x86_64.rpm\nmod_ssl-2.4.6-97.el7_9.4.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 7):\n\nppc64:\nhttpd-debuginfo-2.4.6-97.el7_9.4.ppc64.rpm\nmod_ldap-2.4.6-97.el7_9.4.ppc64.rpm\nmod_proxy_html-2.4.6-97.el7_9.4.ppc64.rpm\n\nppc64le:\nhttpd-debuginfo-2.4.6-97.el7_9.4.ppc64le.rpm\nmod_ldap-2.4.6-97.el7_9.4.ppc64le.rpm\nmod_proxy_html-2.4.6-97.el7_9.4.ppc64le.rpm\n\ns390x:\nhttpd-debuginfo-2.4.6-97.el7_9.4.s390x.rpm\nmod_ldap-2.4.6-97.el7_9.4.s390x.rpm\nmod_proxy_html-2.4.6-97.el7_9.4.s390x.rpm\n\nx86_64:\nhttpd-debuginfo-2.4.6-97.el7_9.4.x86_64.rpm\nmod_ldap-2.4.6-97.el7_9.4.x86_64.rpm\nmod_proxy_html-2.4.6-97.el7_9.4.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation (v. 7):\n\nSource:\nhttpd-2.4.6-97.el7_9.4.src.rpm\n\nnoarch:\nhttpd-manual-2.4.6-97.el7_9.4.noarch.rpm\n\nx86_64:\nhttpd-2.4.6-97.el7_9.4.x86_64.rpm\nhttpd-debuginfo-2.4.6-97.el7_9.4.x86_64.rpm\nhttpd-devel-2.4.6-97.el7_9.4.x86_64.rpm\nhttpd-tools-2.4.6-97.el7_9.4.x86_64.rpm\nmod_session-2.4.6-97.el7_9.4.x86_64.rpm\nmod_ssl-2.4.6-97.el7_9.4.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 7):\n\nx86_64:\nhttpd-debuginfo-2.4.6-97.el7_9.4.x86_64.rpm\nmod_ldap-2.4.6-97.el7_9.4.x86_64.rpm\nmod_proxy_html-2.4.6-97.el7_9.4.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2021-26691\nhttps://access.redhat.com/security/cve/CVE-2021-34798\nhttps://access.redhat.com/security/cve/CVE-2021-39275\nhttps://access.redhat.com/security/cve/CVE-2021-44790\nhttps://access.redhat.com/security/updates/classification/#important\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2022 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBYeVdC9zjgjWX9erEAQgzNw/8CjsxUvDW64dwvpcYH/OWJhKqvD53sX+w\nivf4+hhCsEVLvrjD0eTNkbeza+dcZqoR5swL0IjAGXKJ/0q/oh4/yxq2ydgvEYsY\nrAjts0tnynoswBaFo6eaBlcNxQroGID0uqgXkUFt37m4eetACuOSVRcZ7/sNsqBS\niQF4l16vjNvKeOdKY8nSNe77Dt1/Lj41NoL6XbAZPuvaiLBqqGOY9xYfZSSmFHFq\nH4dB8cfMC4cWysFtnzffJ+dJdzcWNOxklwLlZe72JoAJYP59da2YuIoE2LsQRGPC\nOcc84zH/UZx4JWJhF7FEEALC/tizfFqu9qWr1OIDmSVTEAZ+6IZ/mDeF83+0Mrc4\nAiV3oiJi7Fx4XTDUL8fim+FORaSI2IR7LK1Zjau1qCN04ayyFXwJdK/fwgIWJHon\ngYhyUsAj7F7At9m8cCVRP5K4jjmr0qrmsF1M1B6xqMLWlYNcWu3obJS/FbiSdwQJ\n7jFdBagThGOzIle0eGk0iMZ+vRJSuaSMZ7GDA14o46KB+EkvYLe+wi6jBQXJeD6Q\nOueenu2JiMvB8+dJNYrn9uQY+8WHyCVV1HMMmVo9LajA1FJRXgMIQN5ZmDMoDW73\nqFV+VCOHtKPI2hC8ngZYy2RyEUhK4t3f7xmJgtoJ4/DuaGsRWL7xZPL7gLHxWnS4\n5VjPyLrWg5U=TyMo\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n. 8) - aarch64, noarch, ppc64le, s390x, x86_64\n\n3. This software, such as Apache HTTP Server, is\ncommon to multiple JBoss middleware products, and is packaged under Red Hat\nJBoss Core Services to allow for faster distribution of updates, and for a\nmore consistent update experience. \n\nThis release of Red Hat JBoss Core Services Apache HTTP Server 2.4.51\nserves as a replacement for Red Hat JBoss Core Services Apache HTTP Server\n2.4.37 Service Pack 10, and includes bug fixes and enhancements, which are\ndocumented in the Release Notes document linked to in the References. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 202208-20\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: High\n Title: Apache HTTPD: Multiple Vulnerabilities\n Date: August 14, 2022\n Bugs: #813429, #816399, #816864, #829722, #835131, #850622\n ID: 202208-20\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n=======\nMultiple vulnerabilities have been discovered in Apache Webserver, the\nworst of which could result in remote code execution. Please\nreview the CVE identifiers referenced below for details. \n\nImpact\n=====\nPlease review the referenced CVE identifiers for details. \n\nWorkaround\n=========\nThere is no known workaround at this time. \n\nResolution\n=========\nAll Apache HTTPD users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=www-servers/apache-2.4.54\"\n\nAll Apache HTTPD tools users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=app-admin/apache-tools-2.4.54\"\n\nReferences\n=========\n[ 1 ] CVE-2021-33193\n https://nvd.nist.gov/vuln/detail/CVE-2021-33193\n[ 2 ] CVE-2021-34798\n https://nvd.nist.gov/vuln/detail/CVE-2021-34798\n[ 3 ] CVE-2021-36160\n https://nvd.nist.gov/vuln/detail/CVE-2021-36160\n[ 4 ] CVE-2021-39275\n https://nvd.nist.gov/vuln/detail/CVE-2021-39275\n[ 5 ] CVE-2021-40438\n https://nvd.nist.gov/vuln/detail/CVE-2021-40438\n[ 6 ] CVE-2021-41524\n https://nvd.nist.gov/vuln/detail/CVE-2021-41524\n[ 7 ] CVE-2021-41773\n https://nvd.nist.gov/vuln/detail/CVE-2021-41773\n[ 8 ] CVE-2021-42013\n https://nvd.nist.gov/vuln/detail/CVE-2021-42013\n[ 9 ] CVE-2021-44224\n https://nvd.nist.gov/vuln/detail/CVE-2021-44224\n[ 10 ] CVE-2021-44790\n https://nvd.nist.gov/vuln/detail/CVE-2021-44790\n[ 11 ] CVE-2022-22719\n https://nvd.nist.gov/vuln/detail/CVE-2022-22719\n[ 12 ] CVE-2022-22720\n https://nvd.nist.gov/vuln/detail/CVE-2022-22720\n[ 13 ] CVE-2022-22721\n https://nvd.nist.gov/vuln/detail/CVE-2022-22721\n[ 14 ] CVE-2022-23943\n https://nvd.nist.gov/vuln/detail/CVE-2022-23943\n[ 15 ] CVE-2022-26377\n https://nvd.nist.gov/vuln/detail/CVE-2022-26377\n[ 16 ] CVE-2022-28614\n https://nvd.nist.gov/vuln/detail/CVE-2022-28614\n[ 17 ] CVE-2022-28615\n https://nvd.nist.gov/vuln/detail/CVE-2022-28615\n[ 18 ] CVE-2022-29404\n https://nvd.nist.gov/vuln/detail/CVE-2022-29404\n[ 19 ] CVE-2022-30522\n https://nvd.nist.gov/vuln/detail/CVE-2022-30522\n[ 20 ] CVE-2022-30556\n https://nvd.nist.gov/vuln/detail/CVE-2022-30556\n[ 21 ] CVE-2022-31813\n https://nvd.nist.gov/vuln/detail/CVE-2022-31813\n\nAvailability\n===========\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/202208-20\n\nConcerns?\n========\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n======\nCopyright 2022 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n. ==========================================================================\nUbuntu Security Notice USN-5090-3\nSeptember 28, 2021\n\napache2 regression\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 21.04\n- Ubuntu 20.04 LTS\n- Ubuntu 18.04 LTS\n\nSummary:\n\nUSN-5090-1 introduced a regression in Apache HTTP Server. One of the upstream\nfixes introduced a regression in UDS URIs. This update fixes the problem. \n\nOriginal advisory details:\n\n James Kettle discovered that the Apache HTTP Server HTTP/2 module\n incorrectly handled certain crafted methods. A remote attacker could\n possibly use this issue to perform request splitting or cache poisoning\n attacks. A remote attacker could possibly use this issue to\n cause the server to crash, resulting in a denial of service. \n (CVE-2021-34798)\n Li Zhi Xin discovered that the Apache mod_proxy_uwsgi module incorrectly\n handled certain request uri-paths. A remote attacker could possibly use\n this issue to cause the server to crash, resulting in a denial of service. \n This issue only affected Ubuntu 20.04 LTS and Ubuntu 21.04. If the server was configured with third-party modules, a remote\n attacker could use this issue to cause the server to crash, resulting in a\n denial of service, or possibly execute arbitrary code. (CVE-2021-39275)\n It was discovered that the Apache mod_proxy module incorrectly handled\n certain request uri-paths. A remote attacker could possibly use this issue\n to cause the server to forward requests to arbitrary origin servers. \n (CVE-2021-40438)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 21.04:\n apache2 2.4.46-4ubuntu1.3\n apache2-bin 2.4.46-4ubuntu1.3\n\nUbuntu 20.04 LTS:\n apache2 2.4.41-4ubuntu3.6\n apache2-bin 2.4.41-4ubuntu3.6\n\nUbuntu 18.04 LTS:\n apache2 2.4.29-1ubuntu4.18\n apache2-bin 2.4.29-1ubuntu4.18\n\nIn general, a standard system update will make all the necessary changes",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-39275"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008414"
},
{
"db": "CNVD",
"id": "CNVD-2022-03225"
},
{
"db": "VULHUB",
"id": "VHN-400791"
},
{
"db": "VULMON",
"id": "CVE-2021-39275"
},
{
"db": "PACKETSTORM",
"id": "165587"
},
{
"db": "PACKETSTORM",
"id": "166321"
},
{
"db": "PACKETSTORM",
"id": "169541"
},
{
"db": "PACKETSTORM",
"id": "168072"
},
{
"db": "PACKETSTORM",
"id": "164307"
},
{
"db": "PACKETSTORM",
"id": "164329"
},
{
"db": "PACKETSTORM",
"id": "164318"
}
],
"trust": 2.97
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-39275",
"trust": 4.7
},
{
"db": "SIEMENS",
"id": "SSA-685781",
"trust": 1.8
},
{
"db": "PACKETSTORM",
"id": "166321",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "165587",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "168072",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "169541",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008414",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2022-03225",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "168565",
"trust": 0.7
},
{
"db": "ICS CERT",
"id": "ICSA-22-167-06",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "164329",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "164318",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2021.3341",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.4004.3",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3357",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3234",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3387",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.0850",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3250",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3544",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.4004.5",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3148",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.4004.7",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3591",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.0217",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.4004.2",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.2978",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022042117",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021092301",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022011749",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021101101",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022060624",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022031528",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022032013",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022030119",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022012038",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022042295",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021091707",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022010632",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021101513",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021102602",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021101005",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022042538",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1098",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "169540",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-400791",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2021-39275",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "164307",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-03225"
},
{
"db": "VULHUB",
"id": "VHN-400791"
},
{
"db": "VULMON",
"id": "CVE-2021-39275"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008414"
},
{
"db": "PACKETSTORM",
"id": "165587"
},
{
"db": "PACKETSTORM",
"id": "166321"
},
{
"db": "PACKETSTORM",
"id": "169541"
},
{
"db": "PACKETSTORM",
"id": "168072"
},
{
"db": "PACKETSTORM",
"id": "164307"
},
{
"db": "PACKETSTORM",
"id": "164329"
},
{
"db": "PACKETSTORM",
"id": "164318"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1098"
},
{
"db": "NVD",
"id": "CVE-2021-39275"
}
]
},
"id": "VAR-202109-1803",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-03225"
},
{
"db": "VULHUB",
"id": "VHN-400791"
}
],
"trust": 1.2207219
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-03225"
}
]
},
"last_update_date": "2024-11-29T21:59:29.877000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "hitachi-sec-2022-111",
"trust": 0.8,
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"title": "Patch for Apache HTTP Server ap_escape_quotes Buffer Overflow Vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/313446"
},
{
"title": "Apache HTTP Server Buffer error vulnerability fix",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=164677"
},
{
"title": "Red Hat: Moderate: httpd:2.4 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20220891 - Security Advisory"
},
{
"title": "Red Hat: CVE-2021-39275",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=CVE-2021-39275"
},
{
"title": "Debian Security Advisories: DSA-4982-1 apache2 -- security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=93a29f7ecf9a6aaba79d3b3320aa4b85"
},
{
"title": "Arch Linux Issues: ",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues\u0026qid=CVE-2021-39275 log"
},
{
"title": "Hitachi Security Advisories: Vulnerability in Cosminexus HTTP Server and Hitachi Web Server",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=hitachi_security_advisories\u0026qid=hitachi-sec-2022-111"
},
{
"title": "Red Hat: Moderate: httpd24-httpd security and bug fix update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20226753 - Security Advisory"
},
{
"title": "Brocade Security Advisories: CVE-2021-39275. ap_escape_quotes buffer overflow",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=brocade_security_advisories\u0026qid=8a2abdf2d185adc365552c461d65931f"
},
{
"title": "Amazon Linux AMI: ALAS-2021-1543",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2021-1543"
},
{
"title": "Red Hat: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.51 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20227143 - Security Advisory"
},
{
"title": "Red Hat: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.51 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20227144 - Security Advisory"
},
{
"title": "Amazon Linux 2: ALAS2-2021-1716",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=ALAS2-2021-1716"
},
{
"title": "Cisco: Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts\u0026qid=cisco-sa-apache-httpd-2.4.49-VWL69sWQ"
},
{
"title": "PROJET TUTEURE",
"trust": 0.1,
"url": "https://github.com/PierreChrd/py-projet-tut "
},
{
"title": "Tier 0\nTier 1\nTier 2",
"trust": 0.1,
"url": "https://github.com/Totes5706/TotesHTB "
},
{
"title": "Requirements\nvulnsearch-cve\nUsage\nvulnsearch\nUsage\nTest Sample",
"trust": 0.1,
"url": "https://github.com/kasem545/vulnsearch "
},
{
"title": "Skynet",
"trust": 0.1,
"url": "https://github.com/bioly230/THM_Skynet "
},
{
"title": "Shodan Search Script",
"trust": 0.1,
"url": "https://github.com/firatesatoglu/shodanSearch "
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-03225"
},
{
"db": "VULMON",
"id": "CVE-2021-39275"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008414"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1098"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-787",
"trust": 1.1
},
{
"problemtype": "Out-of-bounds writing (CWE-787) [NVD Evaluation ]",
"trust": 0.8
},
{
"problemtype": "CWE-120",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-400791"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008414"
},
{
"db": "NVD",
"id": "CVE-2021-39275"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"trust": 2.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-39275"
},
{
"trust": 1.9,
"url": "https://security.gentoo.org/glsa/202208-20"
},
{
"trust": 1.8,
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdf"
},
{
"trust": 1.8,
"url": "https://security.netapp.com/advisory/ntap-20211008-0004/"
},
{
"trust": 1.8,
"url": "https://www.debian.org/security/2021/dsa-4982"
},
{
"trust": 1.8,
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"trust": 1.8,
"url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00001.html"
},
{
"trust": 1.2,
"url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-apache-httpd-2.4.49-vwl69swq"
},
{
"trust": 1.2,
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"trust": 1.1,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/spbr6wuybjnachke65spl7tjohx7rhwd/"
},
{
"trust": 1.1,
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697%40%3cusers.httpd.apache.org%3e"
},
{
"trust": 1.1,
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029%40%3cusers.httpd.apache.org%3e"
},
{
"trust": 1.1,
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432%40%3cusers.httpd.apache.org%3e"
},
{
"trust": 1.1,
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c%40%3cusers.httpd.apache.org%3e"
},
{
"trust": 1.1,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/zncysr3bxt36fff4xtcpl3hdqk4vp45r/"
},
{
"trust": 1.0,
"url": "https://access.redhat.com/security/cve/cve-2021-39275"
},
{
"trust": 0.7,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/spbr6wuybjnachke65spl7tjohx7rhwd/"
},
{
"trust": 0.7,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/zncysr3bxt36fff4xtcpl3hdqk4vp45r/"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-34798"
},
{
"trust": 0.6,
"url": "httpd.apache.org%3e"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029@%3cusers."
},
{
"trust": 0.6,
"url": "httpd-2.4.49-vwl69swq"
},
{
"trust": 0.6,
"url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-apache-"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697@%3cusers."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c@%3cusers."
},
{
"trust": 0.6,
"url": "httpd.apache.org/security/vulnerabilities_24.html"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432@%3cusers."
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022030119"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022031528"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/165587/red-hat-security-advisory-2022-0143-03.html"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/166321/red-hat-security-advisory-2022-0891-01.html"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022060624"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021101513"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022012038"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021102602"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022042538"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/169541/red-hat-security-advisory-2022-7143-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3357"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3234"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.0217"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3250"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3591"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022010632"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/168072/gentoo-linux-security-advisory-202208-20.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4004.7"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/164318/ubuntu-security-notice-usn-5090-3.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.0850"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/support/pages/node/6520016"
},
{
"trust": 0.6,
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-22-167-06"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/168565/red-hat-security-advisory-2022-6753-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.2978"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4004.3"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4004.2"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4004.5"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022042295"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022011749"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/support/pages/node/6493845"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021092301"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022042117"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3387"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3341"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/164329/ubuntu-security-notice-usn-5090-4.html"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022032013"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3148"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3544"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021091707"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021101101"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/apache-http-server-four-vulnerabilities-36444"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021101005"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33193"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-36160"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-40438"
},
{
"trust": 0.3,
"url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.3,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.3,
"url": "https://ubuntu.com/security/notices/usn-5090-1"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/errata/rhsa-2022:0891"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-34798"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-44790"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-44224"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-41524"
},
{
"trust": 0.1,
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029@%3cusers.httpd.apache.org%3e"
},
{
"trust": 0.1,
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c@%3cusers.httpd.apache.org%3e"
},
{
"trust": 0.1,
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697@%3cusers.httpd.apache.org%3e"
},
{
"trust": 0.1,
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432@%3cusers.httpd.apache.org%3e"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/787.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-167-06"
},
{
"trust": 0.1,
"url": "https://github.com/totes5706/toteshtb"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-44790"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-26691"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-26691"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:0143"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-45960"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33193"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-25313"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22823"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-22822"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-36160"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-22824"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22824"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-22826"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-22827"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22822"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-45960"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-41524"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22827"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22826"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-23990"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-46143"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:7143"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-25315"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-25314"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-44224"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-22823"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22825"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-25236"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-25235"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-23852"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-23852"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-22825"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-46143"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22721"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-28614"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-31813"
},
{
"trust": 0.1,
"url": "https://bugs.gentoo.org."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-29404"
},
{
"trust": 0.1,
"url": "https://creativecommons.org/licenses/by-sa/2.5"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-28615"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-30522"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-41773"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22719"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-30556"
},
{
"trust": 0.1,
"url": "https://security.gentoo.org/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-42013"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-23943"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22720"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-26377"
},
{
"trust": 0.1,
"url": "https://ubuntu.com/security/notices/usn-5090-2"
},
{
"trust": 0.1,
"url": "https://launchpad.net/bugs/xxxxxx"
},
{
"trust": 0.1,
"url": "https://ubuntu.com/security/notices/usn-5090-4"
},
{
"trust": 0.1,
"url": "https://ubuntu.com/security/notices/usn-5090-3"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.6"
},
{
"trust": 0.1,
"url": "https://launchpad.net/bugs/1945311"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/apache2/2.4.29-1ubuntu4.18"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/apache2/2.4.46-4ubuntu1.3"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-03225"
},
{
"db": "VULHUB",
"id": "VHN-400791"
},
{
"db": "VULMON",
"id": "CVE-2021-39275"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008414"
},
{
"db": "PACKETSTORM",
"id": "165587"
},
{
"db": "PACKETSTORM",
"id": "166321"
},
{
"db": "PACKETSTORM",
"id": "169541"
},
{
"db": "PACKETSTORM",
"id": "168072"
},
{
"db": "PACKETSTORM",
"id": "164307"
},
{
"db": "PACKETSTORM",
"id": "164329"
},
{
"db": "PACKETSTORM",
"id": "164318"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1098"
},
{
"db": "NVD",
"id": "CVE-2021-39275"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2022-03225"
},
{
"db": "VULHUB",
"id": "VHN-400791"
},
{
"db": "VULMON",
"id": "CVE-2021-39275"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-008414"
},
{
"db": "PACKETSTORM",
"id": "165587"
},
{
"db": "PACKETSTORM",
"id": "166321"
},
{
"db": "PACKETSTORM",
"id": "169541"
},
{
"db": "PACKETSTORM",
"id": "168072"
},
{
"db": "PACKETSTORM",
"id": "164307"
},
{
"db": "PACKETSTORM",
"id": "164329"
},
{
"db": "PACKETSTORM",
"id": "164318"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1098"
},
{
"db": "NVD",
"id": "CVE-2021-39275"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-01-13T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-03225"
},
{
"date": "2021-09-16T00:00:00",
"db": "VULHUB",
"id": "VHN-400791"
},
{
"date": "2021-09-16T00:00:00",
"db": "VULMON",
"id": "CVE-2021-39275"
},
{
"date": "2022-03-15T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-008414"
},
{
"date": "2022-01-17T16:53:40",
"db": "PACKETSTORM",
"id": "165587"
},
{
"date": "2022-03-15T15:50:26",
"db": "PACKETSTORM",
"id": "166321"
},
{
"date": "2022-10-27T13:05:26",
"db": "PACKETSTORM",
"id": "169541"
},
{
"date": "2022-08-15T16:02:48",
"db": "PACKETSTORM",
"id": "168072"
},
{
"date": "2021-09-28T15:13:59",
"db": "PACKETSTORM",
"id": "164307"
},
{
"date": "2021-09-29T14:50:01",
"db": "PACKETSTORM",
"id": "164329"
},
{
"date": "2021-09-28T15:23:06",
"db": "PACKETSTORM",
"id": "164318"
},
{
"date": "2021-09-16T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202109-1098"
},
{
"date": "2021-09-16T15:15:07.580000",
"db": "NVD",
"id": "CVE-2021-39275"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-01-13T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-03225"
},
{
"date": "2022-10-05T00:00:00",
"db": "VULHUB",
"id": "VHN-400791"
},
{
"date": "2023-11-07T00:00:00",
"db": "VULMON",
"id": "CVE-2021-39275"
},
{
"date": "2022-03-15T02:59:00",
"db": "JVNDB",
"id": "JVNDB-2021-008414"
},
{
"date": "2022-10-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202109-1098"
},
{
"date": "2023-11-07T03:37:38.873000",
"db": "NVD",
"id": "CVE-2021-39275"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "168072"
},
{
"db": "PACKETSTORM",
"id": "164307"
},
{
"db": "PACKETSTORM",
"id": "164329"
},
{
"db": "PACKETSTORM",
"id": "164318"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1098"
}
],
"trust": 1.0
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache\u00a0HTTP\u00a0Server\u00a0 of \u00a0ap_escape_quotes()\u00a0 Vulnerability written beyond the end of the buffer in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-008414"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202109-1098"
}
],
"trust": 0.6
}
}
var-202109-1804
Vulnerability from variot
A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive). The server is fast, reliable and extensible through a simple API.
Apache HTTP Server has a denial of service vulnerability in versions 2.4.30 to 2.4.48, which is caused by the network system or product not properly validating the input data. An out-of-bounds read in mod_proxy_uwsgi of httpd allows a remote unauthenticated malicious user to crash the service through a crafted request. The highest threat from this vulnerability is to system availability. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
===================================================================== Red Hat Security Advisory
Synopsis: Moderate: httpd24-httpd security and bug fix update Advisory ID: RHSA-2022:6753-01 Product: Red Hat Software Collections Advisory URL: https://access.redhat.com/errata/RHSA-2022:6753 Issue date: 2022-09-29 CVE Names: CVE-2021-33193 CVE-2021-34798 CVE-2021-36160 CVE-2021-39275 CVE-2021-44224 CVE-2022-22719 CVE-2022-22721 CVE-2022-23943 CVE-2022-26377 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30522 CVE-2022-30556 CVE-2022-31813 =====================================================================
- Summary:
An update for httpd24-httpd is now available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64le, s390x, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
Security Fix(es):
-
httpd: mod_sed: Read/write beyond bounds (CVE-2022-23943)
-
httpd: Request splitting via HTTP/2 method injection and mod_proxy (CVE-2021-33193)
-
httpd: NULL pointer dereference via malformed requests (CVE-2021-34798)
-
httpd: mod_proxy_uwsgi: out-of-bounds read via a crafted request uri-path (CVE-2021-36160)
-
httpd: Out-of-bounds write in ap_escape_quotes() via malicious input (CVE-2021-39275)
-
httpd: possible NULL dereference or SSRF in forward proxy configurations (CVE-2021-44224)
-
httpd: mod_lua: Use of uninitialized value of in r:parsebody (CVE-2022-22719)
-
httpd: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody (CVE-2022-22721)
-
httpd: mod_proxy_ajp: Possible request smuggling (CVE-2022-26377)
-
httpd: mod_lua: DoS in r:parsebody (CVE-2022-29404)
-
httpd: mod_sed: DoS vulnerability (CVE-2022-30522)
-
httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism (CVE-2022-31813)
-
httpd: out-of-bounds read via ap_rwrite() (CVE-2022-28614)
-
httpd: out-of-bounds read in ap_strcmp_match() (CVE-2022-28615)
-
httpd: mod_lua: Information disclosure with websockets (CVE-2022-30556)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
- proxy rewrite to unix socket fails with CVE-2021-40438 fix (BZ#2022319)
Additional changes:
- To fix CVE-2022-29404, the default value for the "LimitRequestBody" directive in the Apache HTTP Server has been changed from 0 (unlimited) to 1 GiB.
On systems where the value of "LimitRequestBody" is not explicitly specified in an httpd configuration file, updating the httpd package sets "LimitRequestBody" to the default value of 1 GiB. As a consequence, if the total size of the HTTP request body exceeds this 1 GiB default limit, httpd returns the 413 Request Entity Too Large error code.
If the new default allowed size of an HTTP request message body is insufficient for your use case, update your httpd configuration files within the respective context (server, per-directory, per-file, or per-location) and set your preferred limit in bytes. For example, to set a new 2 GiB limit, use:
LimitRequestBody 2147483648
Systems already configured to use any explicit value for the "LimitRequestBody" directive are unaffected by this change.
- Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the updated packages, the httpd daemon will be restarted automatically.
- Bugs fixed (https://bugzilla.redhat.com/):
1966728 - CVE-2021-33193 httpd: Request splitting via HTTP/2 method injection and mod_proxy 2005119 - CVE-2021-39275 httpd: Out-of-bounds write in ap_escape_quotes() via malicious input 2005124 - CVE-2021-36160 httpd: mod_proxy_uwsgi: out-of-bounds read via a crafted request uri-path 2005128 - CVE-2021-34798 httpd: NULL pointer dereference via malformed requests 2034672 - CVE-2021-44224 httpd: possible NULL dereference or SSRF in forward proxy configurations 2064319 - CVE-2022-23943 httpd: mod_sed: Read/write beyond bounds 2064320 - CVE-2022-22721 httpd: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody 2064322 - CVE-2022-22719 httpd: mod_lua: Use of uninitialized value of in r:parsebody 2094997 - CVE-2022-26377 httpd: mod_proxy_ajp: Possible request smuggling 2095002 - CVE-2022-28614 httpd: out-of-bounds read via ap_rwrite() 2095006 - CVE-2022-28615 httpd: out-of-bounds read in ap_strcmp_match() 2095012 - CVE-2022-29404 httpd: mod_lua: DoS in r:parsebody 2095015 - CVE-2022-30522 httpd: mod_sed: DoS vulnerability 2095018 - CVE-2022-30556 httpd: mod_lua: Information disclosure with websockets 2095020 - CVE-2022-31813 httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism
- Package List:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source: httpd24-httpd-2.4.34-23.el7.5.src.rpm
noarch: httpd24-httpd-manual-2.4.34-23.el7.5.noarch.rpm
ppc64le: httpd24-httpd-2.4.34-23.el7.5.ppc64le.rpm httpd24-httpd-debuginfo-2.4.34-23.el7.5.ppc64le.rpm httpd24-httpd-devel-2.4.34-23.el7.5.ppc64le.rpm httpd24-httpd-tools-2.4.34-23.el7.5.ppc64le.rpm httpd24-mod_ldap-2.4.34-23.el7.5.ppc64le.rpm httpd24-mod_proxy_html-2.4.34-23.el7.5.ppc64le.rpm httpd24-mod_session-2.4.34-23.el7.5.ppc64le.rpm httpd24-mod_ssl-2.4.34-23.el7.5.ppc64le.rpm
s390x: httpd24-httpd-2.4.34-23.el7.5.s390x.rpm httpd24-httpd-debuginfo-2.4.34-23.el7.5.s390x.rpm httpd24-httpd-devel-2.4.34-23.el7.5.s390x.rpm httpd24-httpd-tools-2.4.34-23.el7.5.s390x.rpm httpd24-mod_ldap-2.4.34-23.el7.5.s390x.rpm httpd24-mod_proxy_html-2.4.34-23.el7.5.s390x.rpm httpd24-mod_session-2.4.34-23.el7.5.s390x.rpm httpd24-mod_ssl-2.4.34-23.el7.5.s390x.rpm
x86_64: httpd24-httpd-2.4.34-23.el7.5.x86_64.rpm httpd24-httpd-debuginfo-2.4.34-23.el7.5.x86_64.rpm httpd24-httpd-devel-2.4.34-23.el7.5.x86_64.rpm httpd24-httpd-tools-2.4.34-23.el7.5.x86_64.rpm httpd24-mod_ldap-2.4.34-23.el7.5.x86_64.rpm httpd24-mod_proxy_html-2.4.34-23.el7.5.x86_64.rpm httpd24-mod_session-2.4.34-23.el7.5.x86_64.rpm httpd24-mod_ssl-2.4.34-23.el7.5.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):
Source: httpd24-httpd-2.4.34-23.el7.5.src.rpm
noarch: httpd24-httpd-manual-2.4.34-23.el7.5.noarch.rpm
x86_64: httpd24-httpd-2.4.34-23.el7.5.x86_64.rpm httpd24-httpd-debuginfo-2.4.34-23.el7.5.x86_64.rpm httpd24-httpd-devel-2.4.34-23.el7.5.x86_64.rpm httpd24-httpd-tools-2.4.34-23.el7.5.x86_64.rpm httpd24-mod_ldap-2.4.34-23.el7.5.x86_64.rpm httpd24-mod_proxy_html-2.4.34-23.el7.5.x86_64.rpm httpd24-mod_session-2.4.34-23.el7.5.x86_64.rpm httpd24-mod_ssl-2.4.34-23.el7.5.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2021-33193 https://access.redhat.com/security/cve/CVE-2021-34798 https://access.redhat.com/security/cve/CVE-2021-36160 https://access.redhat.com/security/cve/CVE-2021-39275 https://access.redhat.com/security/cve/CVE-2021-44224 https://access.redhat.com/security/cve/CVE-2022-22719 https://access.redhat.com/security/cve/CVE-2022-22721 https://access.redhat.com/security/cve/CVE-2022-23943 https://access.redhat.com/security/cve/CVE-2022-26377 https://access.redhat.com/security/cve/CVE-2022-28614 https://access.redhat.com/security/cve/CVE-2022-28615 https://access.redhat.com/security/cve/CVE-2022-29404 https://access.redhat.com/security/cve/CVE-2022-30522 https://access.redhat.com/security/cve/CVE-2022-30556 https://access.redhat.com/security/cve/CVE-2022-31813 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/articles/6975397
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBYzXoqNzjgjWX9erEAQhSKA//d1V5w3Dbdd0R1QxlXMIweLpztJrkXpmN EY7WAFIMy0MG64KNjZFF5i4USpUlCm/tZX/fHZas4JjhZBqLxNSqsOdPeynDqp+8 qZnnGiIhyO37S7x5v89VSaWngLpTi2f0d7RmJ05VJzAP8Q0a9cTqtIZiCsM18tTg BdoD1M/VWUhtPWCzgXiQVI8yF44IOenN2095OCv1Vxc3kiwQdbWcd7Uqz2TgVQ1m qeqh9AHqaDTwHVM9Ipj5oGp1Ue5zsyAEd77ClBCAzP3p7bWucfTErDrUSE3/hkDm H8BlPVPaOsRv0poFvvCODQhccC2bFc3uxoKzfSx+/WwkrU7vO/5/npmOfcwKfvBQ FYqhqADiUcfpJGENligpNAHLI+Pijrl2Tfwl0XbDa8+7KXQ0T75VG3Gq7dFlPcUm 965hFguLI0es2FpGcJldEqsc1XJxdkPmzTYhqDWLLED5X72dwQdtKwhMaFFVctK+ KyspQqaci6bVr9ETF89r0ZBmnxXjSIY7/ijySy0KnldW25t+ZGmLV4pM3CYb7ZVz qEm9I/oRD0JB/4C5Bk9j5nWF3gzE2MhYfeepqINGIbfvNPiP8G2LFL/CEz46isF9 rFUT/az/p5mdNEwwe5GhEgLkpk0fhcZiAtJ4bGRcJ9YRURh5rrMPtXmXP5THoMau 3VmN11LnfT4= =pvMD -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce .
For the oldstable distribution (buster), these problems have been fixed in version 2.4.38-3+deb10u6.
For the stable distribution (bullseye), these problems have been fixed in version 2.4.51-1~deb11u1.
We recommend that you upgrade your apache2 packages.
For the detailed security status of apache2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/apache2
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmFgr44ACgkQEMKTtsN8 TjbophAAiZ+fhF2r8BUbQkL8BhpfqjA+hVsp9WEMTn8Gq6kiW0wLvK3jWPM301Ou D4gHqKmFPmYNC1KBOyk/lJdxyD7iTUweUyLi3WXzxhIDMx0kxkRw1oXlyCHzIqSJ M277bgk32h2cDCbsXjrN/8agKPcKgfwDqiyf/igfEq6V8OB2zVvJPKVFq45n54+q 4FPXSyx1g2u5ewSeXbU2uHDej6Qborui4osDdbwx8CT6aETi0cIXJ8RbXF3PUCHG 5DzZagnRq6GumPsl01jcPu7b9Ck8MlkxMSG3FRsSIJVkwpsQ2C34ywIJkFlzUZZh jhdVUrfbyfLpSdcPcipAAjl9I6gDqa9SFdMRK7ixCpQ6iTiVeDZdJ8pA4jnSweNQ THik07di9R0juX0p7peQiIyBKrEf7Y3WSvLOn0SBKXvZnzc/72rH2nP5FclsgCsV TWxptziGridC43KB8/tDJAAOXVF2lzylzF70V/UGTNo1jk9w3/p6btU1iuzKspyY Y4aPZla3DImI8mezrgFrGYNg7bZYLKuJyGDADKih2sUQpzmDZ6MJxKAE3NLRWyQa 7cCJdoNR9yVqytEw1Y/ZRXAXWfMb3Y1ts2EqR8hzLQgMYb0JC58cLMG3T0RgyPoO A4CTIoYpK1WnsykAE8M4XFrnOW3lrtse6T8N/dTVMuodElAEhc0= =/At6 -----END PGP SIGNATURE----- . This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.
This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.51 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.37 Service Pack 10, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202208-20
https://security.gentoo.org/
Severity: High Title: Apache HTTPD: Multiple Vulnerabilities Date: August 14, 2022 Bugs: #813429, #816399, #816864, #829722, #835131, #850622 ID: 202208-20
Synopsis
Multiple vulnerabilities have been discovered in Apache Webserver, the worst of which could result in remote code execution. Please review the CVE identifiers referenced below for details.
Impact
Please review the referenced CVE identifiers for details.
Workaround
There is no known workaround at this time.
Resolution
All Apache HTTPD users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/apache-2.4.54"
All Apache HTTPD tools users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=app-admin/apache-tools-2.4.54"
References
[ 1 ] CVE-2021-33193 https://nvd.nist.gov/vuln/detail/CVE-2021-33193 [ 2 ] CVE-2021-34798 https://nvd.nist.gov/vuln/detail/CVE-2021-34798 [ 3 ] CVE-2021-36160 https://nvd.nist.gov/vuln/detail/CVE-2021-36160 [ 4 ] CVE-2021-39275 https://nvd.nist.gov/vuln/detail/CVE-2021-39275 [ 5 ] CVE-2021-40438 https://nvd.nist.gov/vuln/detail/CVE-2021-40438 [ 6 ] CVE-2021-41524 https://nvd.nist.gov/vuln/detail/CVE-2021-41524 [ 7 ] CVE-2021-41773 https://nvd.nist.gov/vuln/detail/CVE-2021-41773 [ 8 ] CVE-2021-42013 https://nvd.nist.gov/vuln/detail/CVE-2021-42013 [ 9 ] CVE-2021-44224 https://nvd.nist.gov/vuln/detail/CVE-2021-44224 [ 10 ] CVE-2021-44790 https://nvd.nist.gov/vuln/detail/CVE-2021-44790 [ 11 ] CVE-2022-22719 https://nvd.nist.gov/vuln/detail/CVE-2022-22719 [ 12 ] CVE-2022-22720 https://nvd.nist.gov/vuln/detail/CVE-2022-22720 [ 13 ] CVE-2022-22721 https://nvd.nist.gov/vuln/detail/CVE-2022-22721 [ 14 ] CVE-2022-23943 https://nvd.nist.gov/vuln/detail/CVE-2022-23943 [ 15 ] CVE-2022-26377 https://nvd.nist.gov/vuln/detail/CVE-2022-26377 [ 16 ] CVE-2022-28614 https://nvd.nist.gov/vuln/detail/CVE-2022-28614 [ 17 ] CVE-2022-28615 https://nvd.nist.gov/vuln/detail/CVE-2022-28615 [ 18 ] CVE-2022-29404 https://nvd.nist.gov/vuln/detail/CVE-2022-29404 [ 19 ] CVE-2022-30522 https://nvd.nist.gov/vuln/detail/CVE-2022-30522 [ 20 ] CVE-2022-30556 https://nvd.nist.gov/vuln/detail/CVE-2022-30556 [ 21 ] CVE-2022-31813 https://nvd.nist.gov/vuln/detail/CVE-2022-31813
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202208-20
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2022 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5 . ========================================================================== Ubuntu Security Notice USN-5090-3 September 28, 2021
apache2 regression
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 21.04
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
USN-5090-1 introduced a regression in Apache HTTP Server. One of the upstream fixes introduced a regression in UDS URIs. This update fixes the problem.
Original advisory details:
James Kettle discovered that the Apache HTTP Server HTTP/2 module incorrectly handled certain crafted methods. A remote attacker could possibly use this issue to perform request splitting or cache poisoning attacks. A remote attacker could possibly use this issue to cause the server to crash, resulting in a denial of service. (CVE-2021-34798) Li Zhi Xin discovered that the Apache mod_proxy_uwsgi module incorrectly handled certain request uri-paths. A remote attacker could possibly use this issue to cause the server to crash, resulting in a denial of service. This issue only affected Ubuntu 20.04 LTS and Ubuntu 21.04. If the server was configured with third-party modules, a remote attacker could use this issue to cause the server to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2021-39275) It was discovered that the Apache mod_proxy module incorrectly handled certain request uri-paths. A remote attacker could possibly use this issue to cause the server to forward requests to arbitrary origin servers. (CVE-2021-40438)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 21.04: apache2 2.4.46-4ubuntu1.3 apache2-bin 2.4.46-4ubuntu1.3
Ubuntu 20.04 LTS: apache2 2.4.41-4ubuntu3.6 apache2-bin 2.4.41-4ubuntu3.6
Ubuntu 18.04 LTS: apache2 2.4.29-1ubuntu4.18 apache2-bin 2.4.29-1ubuntu4.18
In general, a standard system update will make all the necessary changes
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202109-1804",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "instantis enterprisetrack",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "17.2"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "34"
},
{
"model": "clustered data ontap",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "http server",
"scope": "gte",
"trust": 1.0,
"vendor": "apache",
"version": "2.4.30"
},
{
"model": "communications cloud native core network function cloud native environment",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "1.10.0"
},
{
"model": "storagegrid",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "http server",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.2.1.3.0"
},
{
"model": "http server",
"scope": "lte",
"trust": 1.0,
"vendor": "apache",
"version": "2.4.48"
},
{
"model": "peoplesoft enterprise peopletools",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.58"
},
{
"model": "instantis enterprisetrack",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "17.3"
},
{
"model": "http server",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.2.1.4.0"
},
{
"model": "instantis enterprisetrack",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "17.1"
},
{
"model": "zfs storage appliance kit",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.8"
},
{
"model": "enterprise manager base platform",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "13.5.0.0"
},
{
"model": "enterprise manager base platform",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "13.4.0.0"
},
{
"model": "cloud backup",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "10.0"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "35"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "11.0"
},
{
"model": "brocade fabric operating system",
"scope": "eq",
"trust": 1.0,
"vendor": "broadcom",
"version": null
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "9.0"
},
{
"model": "http server",
"scope": "gte",
"trust": 0.6,
"vendor": "apache",
"version": "2.4.30,\u003c=2.4.48"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-03205"
},
{
"db": "NVD",
"id": "CVE-2021-36160"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Red Hat",
"sources": [
{
"db": "PACKETSTORM",
"id": "168565"
},
{
"db": "PACKETSTORM",
"id": "169540"
},
{
"db": "PACKETSTORM",
"id": "169541"
}
],
"trust": 0.3
},
"cve": "CVE-2021-36160",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "CVE-2021-36160",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.1,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "CNVD-2022-03205",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "VHN-397448",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:N/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"id": "CVE-2021-36160",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2021-36160",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2022-03205",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202109-1113",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-397448",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2021-36160",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-03205"
},
{
"db": "VULHUB",
"id": "VHN-397448"
},
{
"db": "VULMON",
"id": "CVE-2021-36160"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1113"
},
{
"db": "NVD",
"id": "CVE-2021-36160"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive). The server is fast, reliable and extensible through a simple API. \n\r\n\r\nApache HTTP Server has a denial of service vulnerability in versions 2.4.30 to 2.4.48, which is caused by the network system or product not properly validating the input data. An out-of-bounds read in mod_proxy_uwsgi of httpd allows a remote unauthenticated malicious user to crash the service through a crafted request. The highest threat from this vulnerability is to system availability. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Moderate: httpd24-httpd security and bug fix update\nAdvisory ID: RHSA-2022:6753-01\nProduct: Red Hat Software Collections\nAdvisory URL: https://access.redhat.com/errata/RHSA-2022:6753\nIssue date: 2022-09-29\nCVE Names: CVE-2021-33193 CVE-2021-34798 CVE-2021-36160 \n CVE-2021-39275 CVE-2021-44224 CVE-2022-22719 \n CVE-2022-22721 CVE-2022-23943 CVE-2022-26377 \n CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 \n CVE-2022-30522 CVE-2022-30556 CVE-2022-31813 \n=====================================================================\n\n1. Summary:\n\nAn update for httpd24-httpd is now available for Red Hat Software\nCollections. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64le, s390x, x86_64\nRed Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64\n\n3. \n\nSecurity Fix(es):\n\n* httpd: mod_sed: Read/write beyond bounds (CVE-2022-23943)\n\n* httpd: Request splitting via HTTP/2 method injection and mod_proxy\n(CVE-2021-33193)\n\n* httpd: NULL pointer dereference via malformed requests (CVE-2021-34798)\n\n* httpd: mod_proxy_uwsgi: out-of-bounds read via a crafted request uri-path\n(CVE-2021-36160)\n\n* httpd: Out-of-bounds write in ap_escape_quotes() via malicious input\n(CVE-2021-39275)\n\n* httpd: possible NULL dereference or SSRF in forward proxy configurations\n(CVE-2021-44224)\n\n* httpd: mod_lua: Use of uninitialized value of in r:parsebody\n(CVE-2022-22719)\n\n* httpd: core: Possible buffer overflow with very large or unlimited\nLimitXMLRequestBody (CVE-2022-22721)\n\n* httpd: mod_proxy_ajp: Possible request smuggling (CVE-2022-26377)\n\n* httpd: mod_lua: DoS in r:parsebody (CVE-2022-29404)\n\n* httpd: mod_sed: DoS vulnerability (CVE-2022-30522)\n\n* httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism\n(CVE-2022-31813)\n\n* httpd: out-of-bounds read via ap_rwrite() (CVE-2022-28614)\n\n* httpd: out-of-bounds read in ap_strcmp_match() (CVE-2022-28615)\n\n* httpd: mod_lua: Information disclosure with websockets (CVE-2022-30556)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\nBug Fix(es):\n\n* proxy rewrite to unix socket fails with CVE-2021-40438 fix (BZ#2022319)\n\nAdditional changes:\n\n* To fix CVE-2022-29404, the default value for the \"LimitRequestBody\"\ndirective in the Apache HTTP Server has been changed from 0 (unlimited) to\n1 GiB. \n\nOn systems where the value of \"LimitRequestBody\" is not explicitly\nspecified in an httpd configuration file, updating the httpd package sets\n\"LimitRequestBody\" to the default value of 1 GiB. As a consequence, if the\ntotal size of the HTTP request body exceeds this 1 GiB default limit, httpd\nreturns the 413 Request Entity Too Large error code. \n\nIf the new default allowed size of an HTTP request message body is\ninsufficient for your use case, update your httpd configuration files\nwithin the respective context (server, per-directory, per-file, or\nper-location) and set your preferred limit in bytes. For example, to set a\nnew 2 GiB limit, use:\n\nLimitRequestBody 2147483648\n\nSystems already configured to use any explicit value for the\n\"LimitRequestBody\" directive are unaffected by this change. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted\nautomatically. \n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1966728 - CVE-2021-33193 httpd: Request splitting via HTTP/2 method injection and mod_proxy\n2005119 - CVE-2021-39275 httpd: Out-of-bounds write in ap_escape_quotes() via malicious input\n2005124 - CVE-2021-36160 httpd: mod_proxy_uwsgi: out-of-bounds read via a crafted request uri-path\n2005128 - CVE-2021-34798 httpd: NULL pointer dereference via malformed requests\n2034672 - CVE-2021-44224 httpd: possible NULL dereference or SSRF in forward proxy configurations\n2064319 - CVE-2022-23943 httpd: mod_sed: Read/write beyond bounds\n2064320 - CVE-2022-22721 httpd: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody\n2064322 - CVE-2022-22719 httpd: mod_lua: Use of uninitialized value of in r:parsebody\n2094997 - CVE-2022-26377 httpd: mod_proxy_ajp: Possible request smuggling\n2095002 - CVE-2022-28614 httpd: out-of-bounds read via ap_rwrite()\n2095006 - CVE-2022-28615 httpd: out-of-bounds read in ap_strcmp_match()\n2095012 - CVE-2022-29404 httpd: mod_lua: DoS in r:parsebody\n2095015 - CVE-2022-30522 httpd: mod_sed: DoS vulnerability\n2095018 - CVE-2022-30556 httpd: mod_lua: Information disclosure with websockets\n2095020 - CVE-2022-31813 httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism\n\n6. Package List:\n\nRed Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):\n\nSource:\nhttpd24-httpd-2.4.34-23.el7.5.src.rpm\n\nnoarch:\nhttpd24-httpd-manual-2.4.34-23.el7.5.noarch.rpm\n\nppc64le:\nhttpd24-httpd-2.4.34-23.el7.5.ppc64le.rpm\nhttpd24-httpd-debuginfo-2.4.34-23.el7.5.ppc64le.rpm\nhttpd24-httpd-devel-2.4.34-23.el7.5.ppc64le.rpm\nhttpd24-httpd-tools-2.4.34-23.el7.5.ppc64le.rpm\nhttpd24-mod_ldap-2.4.34-23.el7.5.ppc64le.rpm\nhttpd24-mod_proxy_html-2.4.34-23.el7.5.ppc64le.rpm\nhttpd24-mod_session-2.4.34-23.el7.5.ppc64le.rpm\nhttpd24-mod_ssl-2.4.34-23.el7.5.ppc64le.rpm\n\ns390x:\nhttpd24-httpd-2.4.34-23.el7.5.s390x.rpm\nhttpd24-httpd-debuginfo-2.4.34-23.el7.5.s390x.rpm\nhttpd24-httpd-devel-2.4.34-23.el7.5.s390x.rpm\nhttpd24-httpd-tools-2.4.34-23.el7.5.s390x.rpm\nhttpd24-mod_ldap-2.4.34-23.el7.5.s390x.rpm\nhttpd24-mod_proxy_html-2.4.34-23.el7.5.s390x.rpm\nhttpd24-mod_session-2.4.34-23.el7.5.s390x.rpm\nhttpd24-mod_ssl-2.4.34-23.el7.5.s390x.rpm\n\nx86_64:\nhttpd24-httpd-2.4.34-23.el7.5.x86_64.rpm\nhttpd24-httpd-debuginfo-2.4.34-23.el7.5.x86_64.rpm\nhttpd24-httpd-devel-2.4.34-23.el7.5.x86_64.rpm\nhttpd24-httpd-tools-2.4.34-23.el7.5.x86_64.rpm\nhttpd24-mod_ldap-2.4.34-23.el7.5.x86_64.rpm\nhttpd24-mod_proxy_html-2.4.34-23.el7.5.x86_64.rpm\nhttpd24-mod_session-2.4.34-23.el7.5.x86_64.rpm\nhttpd24-mod_ssl-2.4.34-23.el7.5.x86_64.rpm\n\nRed Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):\n\nSource:\nhttpd24-httpd-2.4.34-23.el7.5.src.rpm\n\nnoarch:\nhttpd24-httpd-manual-2.4.34-23.el7.5.noarch.rpm\n\nx86_64:\nhttpd24-httpd-2.4.34-23.el7.5.x86_64.rpm\nhttpd24-httpd-debuginfo-2.4.34-23.el7.5.x86_64.rpm\nhttpd24-httpd-devel-2.4.34-23.el7.5.x86_64.rpm\nhttpd24-httpd-tools-2.4.34-23.el7.5.x86_64.rpm\nhttpd24-mod_ldap-2.4.34-23.el7.5.x86_64.rpm\nhttpd24-mod_proxy_html-2.4.34-23.el7.5.x86_64.rpm\nhttpd24-mod_session-2.4.34-23.el7.5.x86_64.rpm\nhttpd24-mod_ssl-2.4.34-23.el7.5.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2021-33193\nhttps://access.redhat.com/security/cve/CVE-2021-34798\nhttps://access.redhat.com/security/cve/CVE-2021-36160\nhttps://access.redhat.com/security/cve/CVE-2021-39275\nhttps://access.redhat.com/security/cve/CVE-2021-44224\nhttps://access.redhat.com/security/cve/CVE-2022-22719\nhttps://access.redhat.com/security/cve/CVE-2022-22721\nhttps://access.redhat.com/security/cve/CVE-2022-23943\nhttps://access.redhat.com/security/cve/CVE-2022-26377\nhttps://access.redhat.com/security/cve/CVE-2022-28614\nhttps://access.redhat.com/security/cve/CVE-2022-28615\nhttps://access.redhat.com/security/cve/CVE-2022-29404\nhttps://access.redhat.com/security/cve/CVE-2022-30522\nhttps://access.redhat.com/security/cve/CVE-2022-30556\nhttps://access.redhat.com/security/cve/CVE-2022-31813\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://access.redhat.com/articles/6975397\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2022 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBYzXoqNzjgjWX9erEAQhSKA//d1V5w3Dbdd0R1QxlXMIweLpztJrkXpmN\nEY7WAFIMy0MG64KNjZFF5i4USpUlCm/tZX/fHZas4JjhZBqLxNSqsOdPeynDqp+8\nqZnnGiIhyO37S7x5v89VSaWngLpTi2f0d7RmJ05VJzAP8Q0a9cTqtIZiCsM18tTg\nBdoD1M/VWUhtPWCzgXiQVI8yF44IOenN2095OCv1Vxc3kiwQdbWcd7Uqz2TgVQ1m\nqeqh9AHqaDTwHVM9Ipj5oGp1Ue5zsyAEd77ClBCAzP3p7bWucfTErDrUSE3/hkDm\nH8BlPVPaOsRv0poFvvCODQhccC2bFc3uxoKzfSx+/WwkrU7vO/5/npmOfcwKfvBQ\nFYqhqADiUcfpJGENligpNAHLI+Pijrl2Tfwl0XbDa8+7KXQ0T75VG3Gq7dFlPcUm\n965hFguLI0es2FpGcJldEqsc1XJxdkPmzTYhqDWLLED5X72dwQdtKwhMaFFVctK+\nKyspQqaci6bVr9ETF89r0ZBmnxXjSIY7/ijySy0KnldW25t+ZGmLV4pM3CYb7ZVz\nqEm9I/oRD0JB/4C5Bk9j5nWF3gzE2MhYfeepqINGIbfvNPiP8G2LFL/CEz46isF9\nrFUT/az/p5mdNEwwe5GhEgLkpk0fhcZiAtJ4bGRcJ9YRURh5rrMPtXmXP5THoMau\n3VmN11LnfT4=\n=pvMD\n-----END PGP SIGNATURE-----\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n. \n\nFor the oldstable distribution (buster), these problems have been fixed\nin version 2.4.38-3+deb10u6. \n\nFor the stable distribution (bullseye), these problems have been fixed in\nversion 2.4.51-1~deb11u1. \n\nWe recommend that you upgrade your apache2 packages. \n\nFor the detailed security status of apache2 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/apache2\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmFgr44ACgkQEMKTtsN8\nTjbophAAiZ+fhF2r8BUbQkL8BhpfqjA+hVsp9WEMTn8Gq6kiW0wLvK3jWPM301Ou\nD4gHqKmFPmYNC1KBOyk/lJdxyD7iTUweUyLi3WXzxhIDMx0kxkRw1oXlyCHzIqSJ\nM277bgk32h2cDCbsXjrN/8agKPcKgfwDqiyf/igfEq6V8OB2zVvJPKVFq45n54+q\n4FPXSyx1g2u5ewSeXbU2uHDej6Qborui4osDdbwx8CT6aETi0cIXJ8RbXF3PUCHG\n5DzZagnRq6GumPsl01jcPu7b9Ck8MlkxMSG3FRsSIJVkwpsQ2C34ywIJkFlzUZZh\njhdVUrfbyfLpSdcPcipAAjl9I6gDqa9SFdMRK7ixCpQ6iTiVeDZdJ8pA4jnSweNQ\nTHik07di9R0juX0p7peQiIyBKrEf7Y3WSvLOn0SBKXvZnzc/72rH2nP5FclsgCsV\nTWxptziGridC43KB8/tDJAAOXVF2lzylzF70V/UGTNo1jk9w3/p6btU1iuzKspyY\nY4aPZla3DImI8mezrgFrGYNg7bZYLKuJyGDADKih2sUQpzmDZ6MJxKAE3NLRWyQa\n7cCJdoNR9yVqytEw1Y/ZRXAXWfMb3Y1ts2EqR8hzLQgMYb0JC58cLMG3T0RgyPoO\nA4CTIoYpK1WnsykAE8M4XFrnOW3lrtse6T8N/dTVMuodElAEhc0=\n=/At6\n-----END PGP SIGNATURE-----\n. This software, such as Apache HTTP Server, is\ncommon to multiple JBoss middleware products, and is packaged under Red Hat\nJBoss Core Services to allow for faster distribution of updates, and for a\nmore consistent update experience. \n\nThis release of Red Hat JBoss Core Services Apache HTTP Server 2.4.51\nserves as a replacement for Red Hat JBoss Core Services Apache HTTP Server\n2.4.37 Service Pack 10, and includes bug fixes and enhancements, which are\ndocumented in the Release Notes document linked to in the References. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 202208-20\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: High\n Title: Apache HTTPD: Multiple Vulnerabilities\n Date: August 14, 2022\n Bugs: #813429, #816399, #816864, #829722, #835131, #850622\n ID: 202208-20\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n=======\nMultiple vulnerabilities have been discovered in Apache Webserver, the\nworst of which could result in remote code execution. Please\nreview the CVE identifiers referenced below for details. \n\nImpact\n=====\nPlease review the referenced CVE identifiers for details. \n\nWorkaround\n=========\nThere is no known workaround at this time. \n\nResolution\n=========\nAll Apache HTTPD users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=www-servers/apache-2.4.54\"\n\nAll Apache HTTPD tools users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=app-admin/apache-tools-2.4.54\"\n\nReferences\n=========\n[ 1 ] CVE-2021-33193\n https://nvd.nist.gov/vuln/detail/CVE-2021-33193\n[ 2 ] CVE-2021-34798\n https://nvd.nist.gov/vuln/detail/CVE-2021-34798\n[ 3 ] CVE-2021-36160\n https://nvd.nist.gov/vuln/detail/CVE-2021-36160\n[ 4 ] CVE-2021-39275\n https://nvd.nist.gov/vuln/detail/CVE-2021-39275\n[ 5 ] CVE-2021-40438\n https://nvd.nist.gov/vuln/detail/CVE-2021-40438\n[ 6 ] CVE-2021-41524\n https://nvd.nist.gov/vuln/detail/CVE-2021-41524\n[ 7 ] CVE-2021-41773\n https://nvd.nist.gov/vuln/detail/CVE-2021-41773\n[ 8 ] CVE-2021-42013\n https://nvd.nist.gov/vuln/detail/CVE-2021-42013\n[ 9 ] CVE-2021-44224\n https://nvd.nist.gov/vuln/detail/CVE-2021-44224\n[ 10 ] CVE-2021-44790\n https://nvd.nist.gov/vuln/detail/CVE-2021-44790\n[ 11 ] CVE-2022-22719\n https://nvd.nist.gov/vuln/detail/CVE-2022-22719\n[ 12 ] CVE-2022-22720\n https://nvd.nist.gov/vuln/detail/CVE-2022-22720\n[ 13 ] CVE-2022-22721\n https://nvd.nist.gov/vuln/detail/CVE-2022-22721\n[ 14 ] CVE-2022-23943\n https://nvd.nist.gov/vuln/detail/CVE-2022-23943\n[ 15 ] CVE-2022-26377\n https://nvd.nist.gov/vuln/detail/CVE-2022-26377\n[ 16 ] CVE-2022-28614\n https://nvd.nist.gov/vuln/detail/CVE-2022-28614\n[ 17 ] CVE-2022-28615\n https://nvd.nist.gov/vuln/detail/CVE-2022-28615\n[ 18 ] CVE-2022-29404\n https://nvd.nist.gov/vuln/detail/CVE-2022-29404\n[ 19 ] CVE-2022-30522\n https://nvd.nist.gov/vuln/detail/CVE-2022-30522\n[ 20 ] CVE-2022-30556\n https://nvd.nist.gov/vuln/detail/CVE-2022-30556\n[ 21 ] CVE-2022-31813\n https://nvd.nist.gov/vuln/detail/CVE-2022-31813\n\nAvailability\n===========\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/202208-20\n\nConcerns?\n========\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n======\nCopyright 2022 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n. ==========================================================================\nUbuntu Security Notice USN-5090-3\nSeptember 28, 2021\n\napache2 regression\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 21.04\n- Ubuntu 20.04 LTS\n- Ubuntu 18.04 LTS\n\nSummary:\n\nUSN-5090-1 introduced a regression in Apache HTTP Server. One of the upstream\nfixes introduced a regression in UDS URIs. This update fixes the problem. \n\nOriginal advisory details:\n\n James Kettle discovered that the Apache HTTP Server HTTP/2 module\n incorrectly handled certain crafted methods. A remote attacker could\n possibly use this issue to perform request splitting or cache poisoning\n attacks. A remote attacker could possibly use this issue to\n cause the server to crash, resulting in a denial of service. \n (CVE-2021-34798)\n Li Zhi Xin discovered that the Apache mod_proxy_uwsgi module incorrectly\n handled certain request uri-paths. A remote attacker could possibly use\n this issue to cause the server to crash, resulting in a denial of service. \n This issue only affected Ubuntu 20.04 LTS and Ubuntu 21.04. If the server was configured with third-party modules, a remote\n attacker could use this issue to cause the server to crash, resulting in a\n denial of service, or possibly execute arbitrary code. (CVE-2021-39275)\n It was discovered that the Apache mod_proxy module incorrectly handled\n certain request uri-paths. A remote attacker could possibly use this issue\n to cause the server to forward requests to arbitrary origin servers. \n (CVE-2021-40438)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 21.04:\n apache2 2.4.46-4ubuntu1.3\n apache2-bin 2.4.46-4ubuntu1.3\n\nUbuntu 20.04 LTS:\n apache2 2.4.41-4ubuntu3.6\n apache2-bin 2.4.41-4ubuntu3.6\n\nUbuntu 18.04 LTS:\n apache2 2.4.29-1ubuntu4.18\n apache2-bin 2.4.29-1ubuntu4.18\n\nIn general, a standard system update will make all the necessary changes",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-36160"
},
{
"db": "CNVD",
"id": "CNVD-2022-03205"
},
{
"db": "VULHUB",
"id": "VHN-397448"
},
{
"db": "VULMON",
"id": "CVE-2021-36160"
},
{
"db": "PACKETSTORM",
"id": "168565"
},
{
"db": "PACKETSTORM",
"id": "169132"
},
{
"db": "PACKETSTORM",
"id": "169540"
},
{
"db": "PACKETSTORM",
"id": "169541"
},
{
"db": "PACKETSTORM",
"id": "168072"
},
{
"db": "PACKETSTORM",
"id": "164305"
},
{
"db": "PACKETSTORM",
"id": "164329"
},
{
"db": "PACKETSTORM",
"id": "164318"
}
],
"trust": 2.34
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-36160",
"trust": 3.2
},
{
"db": "PACKETSTORM",
"id": "168072",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "168565",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "169541",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2022-03205",
"trust": 0.7
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1113",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "167073",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "164329",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "164318",
"trust": 0.7
},
{
"db": "CS-HELP",
"id": "SB2022012041",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022051150",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021092301",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021101101",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021091707",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021101513",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.4004.3",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.4004.2",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3357",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3387",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.4004.7",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3591",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3229",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3248",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3489",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.4004.5",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3148",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "169540",
"trust": 0.2
},
{
"db": "VULHUB",
"id": "VHN-397448",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2021-36160",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "169132",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "164305",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-03205"
},
{
"db": "VULHUB",
"id": "VHN-397448"
},
{
"db": "VULMON",
"id": "CVE-2021-36160"
},
{
"db": "PACKETSTORM",
"id": "168565"
},
{
"db": "PACKETSTORM",
"id": "169132"
},
{
"db": "PACKETSTORM",
"id": "169540"
},
{
"db": "PACKETSTORM",
"id": "169541"
},
{
"db": "PACKETSTORM",
"id": "168072"
},
{
"db": "PACKETSTORM",
"id": "164305"
},
{
"db": "PACKETSTORM",
"id": "164329"
},
{
"db": "PACKETSTORM",
"id": "164318"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1113"
},
{
"db": "NVD",
"id": "CVE-2021-36160"
}
]
},
"id": "VAR-202109-1804",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-03205"
},
{
"db": "VULHUB",
"id": "VHN-397448"
}
],
"trust": 1.325
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-03205"
}
]
},
"last_update_date": "2024-11-29T22:35:51.033000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Patch for Apache HTTP Server Denial of Service Vulnerability (CNVD-2022-03205)",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/313441"
},
{
"title": "Apache HTTP Server Buffer error vulnerability fix",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=163990"
},
{
"title": "Red Hat: Moderate: httpd:2.4 security and bug fix update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20221915 - Security Advisory"
},
{
"title": "Red Hat: CVE-2021-36160",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=CVE-2021-36160"
},
{
"title": "Debian Security Advisories: DSA-4982-1 apache2 -- security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=93a29f7ecf9a6aaba79d3b3320aa4b85"
},
{
"title": "Red Hat: Moderate: httpd24-httpd security and bug fix update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20226753 - Security Advisory"
},
{
"title": "Arch Linux Issues: ",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues\u0026qid=CVE-2021-36160 log"
},
{
"title": "Amazon Linux AMI: ALAS-2021-1543",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2021-1543"
},
{
"title": "Cisco: Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts\u0026qid=cisco-sa-apache-httpd-2.4.49-VWL69sWQ"
},
{
"title": "Amazon Linux 2: ALAS2-2021-1716",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=ALAS2-2021-1716"
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/PierreChrd/py-projet-tut "
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-03205"
},
{
"db": "VULMON",
"id": "CVE-2021-36160"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1113"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-125",
"trust": 1.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-397448"
},
{
"db": "NVD",
"id": "CVE-2021-36160"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.9,
"url": "https://security.gentoo.org/glsa/202208-20"
},
{
"trust": 1.8,
"url": "https://security.netapp.com/advisory/ntap-20211008-0004/"
},
{
"trust": 1.8,
"url": "https://www.debian.org/security/2021/dsa-4982"
},
{
"trust": 1.8,
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"trust": 1.8,
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"trust": 1.8,
"url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00016.html"
},
{
"trust": 1.8,
"url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00016.html"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-36160"
},
{
"trust": 1.2,
"url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-apache-httpd-2.4.49-vwl69swq"
},
{
"trust": 1.2,
"url": "http://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"trust": 1.2,
"url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-apache-"
},
{
"trust": 1.0,
"url": "https://access.redhat.com/security/cve/cve-2021-36160"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37%40%3cbugs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432%40%3cusers.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c%40%3cusers.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r73260f6ba9fb52e43d860905fc90462ba5a814afda2d011f32bbd41c%40%3cbugs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r7f2746e916ed370239bc1a1025e5ebbf345f79df9ea0ea39e44acfbb%40%3cbugs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697%40%3cusers.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029%40%3cusers.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r94a61a1517133a19dcf40016e87454ea86e355d06a0cec4c778530f3%40%3cbugs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/ra1c05a392587bfe34383dffe1213edc425de8d4afc25b7cefab3e781%40%3cbugs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/ra87a69d0703d09dc52b86e32b08f8d7327af10acdd5f577a4e82596a%40%3cbugs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rb2341c8786d0f9924f5b666e82d8d170b4804f50a523d750551bef1a%40%3cbugs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/re4162adc051c1a0a79e7a24093f3776373e8733abaff57253fef341d%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/ree7519d71415ecdd170ff1889cab552d71758d2ba2904a17ded21a70%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/spbr6wuybjnachke65spl7tjohx7rhwd/"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/zncysr3bxt36fff4xtcpl3hdqk4vp45r/"
},
{
"trust": 0.8,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/spbr6wuybjnachke65spl7tjohx7rhwd/"
},
{
"trust": 0.8,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/zncysr3bxt36fff4xtcpl3hdqk4vp45r/"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-39275"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33193"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-34798"
},
{
"trust": 0.6,
"url": "httpd.apache.org%3e"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r73260f6ba9fb52e43d860905fc90462ba5a814afda2d011f32bbd41c@%3cbugs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r7f2746e916ed370239bc1a1025e5ebbf345f79df9ea0ea39e44acfbb@%3cbugs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r94a61a1517133a19dcf40016e87454ea86e355d06a0cec4c778530f3@%3cbugs."
},
{
"trust": 0.6,
"url": "httpd.apache.org/security/vulnerabilities_24.html"
},
{
"trust": 0.6,
"url": "http://"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37@%3cbugs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029@%3cusers."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/ra1c05a392587bfe34383dffe1213edc425de8d4afc25b7cefab3e781@%3cbugs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/ree7519d71415ecdd170ff1889cab552d71758d2ba2904a17ded21a70@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/ra87a69d0703d09dc52b86e32b08f8d7327af10acdd5f577a4e82596a@%3cbugs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697@%3cusers."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/rb2341c8786d0f9924f5b666e82d8d170b4804f50a523d750551bef1a@%3cbugs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c@%3cusers."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/re4162adc051c1a0a79e7a24093f3776373e8733abaff57253fef341d@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432@%3cusers."
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3229"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021101513"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/169541/red-hat-security-advisory-2022-7143-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3357"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3591"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/168072/gentoo-linux-security-advisory-202208-20.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4004.7"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/164318/ubuntu-security-notice-usn-5090-3.html"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/168565/red-hat-security-advisory-2022-6753-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4004.3"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4004.2"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4004.5"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021092301"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3387"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/164329/ubuntu-security-notice-usn-5090-4.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3248"
},
{
"trust": 0.6,
"url": "httpd-2.4.49-vwl69swq"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022051150"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3148"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3489"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022012041"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021091707"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021101101"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/apache-http-server-four-vulnerabilities-36444"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/167073/red-hat-security-advisory-2022-1915-01.html"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-40438"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-44224"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2021-39275"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.3,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.3,
"url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2021-44224"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2021-33193"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-41524"
},
{
"trust": 0.3,
"url": "https://ubuntu.com/security/notices/usn-5090-1"
},
{
"trust": 0.2,
"url": "https://lists.apache.org/thread.html/r73260f6ba9fb52e43d860905fc90462ba5a814afda2d011f32bbd41c@%3cbugs.httpd.apache.org%3e"
},
{
"trust": 0.2,
"url": "https://lists.apache.org/thread.html/ra1c05a392587bfe34383dffe1213edc425de8d4afc25b7cefab3e781@%3cbugs.httpd.apache.org%3e"
},
{
"trust": 0.2,
"url": "https://lists.apache.org/thread.html/r7f2746e916ed370239bc1a1025e5ebbf345f79df9ea0ea39e44acfbb@%3cbugs.httpd.apache.org%3e"
},
{
"trust": 0.2,
"url": "https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37@%3cbugs.httpd.apache.org%3e"
},
{
"trust": 0.2,
"url": "https://lists.apache.org/thread.html/r94a61a1517133a19dcf40016e87454ea86e355d06a0cec4c778530f3@%3cbugs.httpd.apache.org%3e"
},
{
"trust": 0.2,
"url": "https://lists.apache.org/thread.html/ra87a69d0703d09dc52b86e32b08f8d7327af10acdd5f577a4e82596a@%3cbugs.httpd.apache.org%3e"
},
{
"trust": 0.2,
"url": "https://lists.apache.org/thread.html/rb2341c8786d0f9924f5b666e82d8d170b4804f50a523d750551bef1a@%3cbugs.httpd.apache.org%3e"
},
{
"trust": 0.2,
"url": "https://lists.apache.org/thread.html/ree7519d71415ecdd170ff1889cab552d71758d2ba2904a17ded21a70@%3ccvs.httpd.apache.org%3e"
},
{
"trust": 0.2,
"url": "https://lists.apache.org/thread.html/re4162adc051c1a0a79e7a24093f3776373e8733abaff57253fef341d@%3ccvs.httpd.apache.org%3e"
},
{
"trust": 0.2,
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029@%3cusers.httpd.apache.org%3e"
},
{
"trust": 0.2,
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c@%3cusers.httpd.apache.org%3e"
},
{
"trust": 0.2,
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697@%3cusers.httpd.apache.org%3e"
},
{
"trust": 0.2,
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432@%3cusers.httpd.apache.org%3e"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22721"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-28614"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-29404"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-28615"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-30522"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22719"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-30556"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-23943"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-26377"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-45960"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-25313"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22823"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-22822"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-22824"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22824"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-22826"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-22827"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22822"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-45960"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-41524"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22827"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22826"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-23990"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-46143"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-25315"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-25314"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-22823"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22825"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-25236"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-25235"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-23852"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-23852"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-22825"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-46143"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:1915"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/articles/6975397"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-30556"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-22719"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-28614"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:6753"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-34798"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-28615"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-31813"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-30522"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-22721"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-29404"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-23943"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-26377"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/faq"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/"
},
{
"trust": 0.1,
"url": "https://security-tracker.debian.org/tracker/apache2"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:7144"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:7143"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-31813"
},
{
"trust": 0.1,
"url": "https://bugs.gentoo.org."
},
{
"trust": 0.1,
"url": "https://creativecommons.org/licenses/by-sa/2.5"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-44790"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-41773"
},
{
"trust": 0.1,
"url": "https://security.gentoo.org/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-42013"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22720"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/apache2/2.4.29-1ubuntu4.17"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.5"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/apache2/2.4.46-4ubuntu1.2"
},
{
"trust": 0.1,
"url": "https://launchpad.net/bugs/xxxxxx"
},
{
"trust": 0.1,
"url": "https://ubuntu.com/security/notices/usn-5090-4"
},
{
"trust": 0.1,
"url": "https://ubuntu.com/security/notices/usn-5090-3"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.6"
},
{
"trust": 0.1,
"url": "https://launchpad.net/bugs/1945311"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/apache2/2.4.29-1ubuntu4.18"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/apache2/2.4.46-4ubuntu1.3"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-397448"
},
{
"db": "VULMON",
"id": "CVE-2021-36160"
},
{
"db": "PACKETSTORM",
"id": "168565"
},
{
"db": "PACKETSTORM",
"id": "169132"
},
{
"db": "PACKETSTORM",
"id": "169540"
},
{
"db": "PACKETSTORM",
"id": "169541"
},
{
"db": "PACKETSTORM",
"id": "168072"
},
{
"db": "PACKETSTORM",
"id": "164305"
},
{
"db": "PACKETSTORM",
"id": "164329"
},
{
"db": "PACKETSTORM",
"id": "164318"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1113"
},
{
"db": "NVD",
"id": "CVE-2021-36160"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2022-03205"
},
{
"db": "VULHUB",
"id": "VHN-397448"
},
{
"db": "VULMON",
"id": "CVE-2021-36160"
},
{
"db": "PACKETSTORM",
"id": "168565"
},
{
"db": "PACKETSTORM",
"id": "169132"
},
{
"db": "PACKETSTORM",
"id": "169540"
},
{
"db": "PACKETSTORM",
"id": "169541"
},
{
"db": "PACKETSTORM",
"id": "168072"
},
{
"db": "PACKETSTORM",
"id": "164305"
},
{
"db": "PACKETSTORM",
"id": "164329"
},
{
"db": "PACKETSTORM",
"id": "164318"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1113"
},
{
"db": "NVD",
"id": "CVE-2021-36160"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-01-13T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-03205"
},
{
"date": "2021-09-16T00:00:00",
"db": "VULHUB",
"id": "VHN-397448"
},
{
"date": "2021-09-16T00:00:00",
"db": "VULMON",
"id": "CVE-2021-36160"
},
{
"date": "2022-09-30T14:51:18",
"db": "PACKETSTORM",
"id": "168565"
},
{
"date": "2021-10-28T19:12:00",
"db": "PACKETSTORM",
"id": "169132"
},
{
"date": "2022-10-27T13:05:19",
"db": "PACKETSTORM",
"id": "169540"
},
{
"date": "2022-10-27T13:05:26",
"db": "PACKETSTORM",
"id": "169541"
},
{
"date": "2022-08-15T16:02:48",
"db": "PACKETSTORM",
"id": "168072"
},
{
"date": "2021-09-28T15:06:35",
"db": "PACKETSTORM",
"id": "164305"
},
{
"date": "2021-09-29T14:50:01",
"db": "PACKETSTORM",
"id": "164329"
},
{
"date": "2021-09-28T15:23:06",
"db": "PACKETSTORM",
"id": "164318"
},
{
"date": "2021-09-16T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202109-1113"
},
{
"date": "2021-09-16T15:15:07.330000",
"db": "NVD",
"id": "CVE-2021-36160"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-01-13T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-03205"
},
{
"date": "2022-10-18T00:00:00",
"db": "VULHUB",
"id": "VHN-397448"
},
{
"date": "2022-08-15T00:00:00",
"db": "VULMON",
"id": "CVE-2021-36160"
},
{
"date": "2022-10-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202109-1113"
},
{
"date": "2023-11-07T03:36:43.407000",
"db": "NVD",
"id": "CVE-2021-36160"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "168072"
},
{
"db": "PACKETSTORM",
"id": "164305"
},
{
"db": "PACKETSTORM",
"id": "164329"
},
{
"db": "PACKETSTORM",
"id": "164318"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1113"
}
],
"trust": 1.0
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache HTTP Server Denial of Service Vulnerability (CNVD-2022-03205)",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-03205"
}
],
"trust": 0.6
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202109-1113"
}
],
"trust": 0.6
}
}
var-201711-0007
Vulnerability from variot
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. OpenSSL is prone to denial-of-service vulnerability. Successful exploitation of the issue will cause excessive memory or CPU resource consumption, resulting in a denial-of-service condition. It supports a variety of encryption algorithms, including symmetric ciphers, hash algorithms, security hashing algorithm, etc. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
===================================================================== Red Hat Security Advisory
Synopsis: Moderate: openssl security update Advisory ID: RHSA-2017:0286-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2017-0286.html Issue date: 2017-02-20 CVE Names: CVE-2016-8610 CVE-2017-3731 =====================================================================
- Summary:
An update for openssl is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
- Description:
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.
Security Fix(es):
-
An integer underflow leading to an out of bounds read flaw was found in OpenSSL. (CVE-2016-8610)
-
Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
- Bugs fixed (https://bugzilla.redhat.com/):
1384743 - CVE-2016-8610 SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS 1416852 - CVE-2017-3731 openssl: Truncated packet could crash via OOB read
- Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source: openssl-1.0.1e-48.el6_8.4.src.rpm
i386: openssl-1.0.1e-48.el6_8.4.i686.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm
x86_64: openssl-1.0.1e-48.el6_8.4.i686.rpm openssl-1.0.1e-48.el6_8.4.x86_64.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
i386: openssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm openssl-devel-1.0.1e-48.el6_8.4.i686.rpm openssl-perl-1.0.1e-48.el6_8.4.i686.rpm openssl-static-1.0.1e-48.el6_8.4.i686.rpm
x86_64: openssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm openssl-devel-1.0.1e-48.el6_8.4.i686.rpm openssl-devel-1.0.1e-48.el6_8.4.x86_64.rpm openssl-perl-1.0.1e-48.el6_8.4.x86_64.rpm openssl-static-1.0.1e-48.el6_8.4.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source: openssl-1.0.1e-48.el6_8.4.src.rpm
x86_64: openssl-1.0.1e-48.el6_8.4.i686.rpm openssl-1.0.1e-48.el6_8.4.x86_64.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
x86_64: openssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm openssl-devel-1.0.1e-48.el6_8.4.i686.rpm openssl-devel-1.0.1e-48.el6_8.4.x86_64.rpm openssl-perl-1.0.1e-48.el6_8.4.x86_64.rpm openssl-static-1.0.1e-48.el6_8.4.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source: openssl-1.0.1e-48.el6_8.4.src.rpm
i386: openssl-1.0.1e-48.el6_8.4.i686.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm openssl-devel-1.0.1e-48.el6_8.4.i686.rpm
ppc64: openssl-1.0.1e-48.el6_8.4.ppc.rpm openssl-1.0.1e-48.el6_8.4.ppc64.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.ppc.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.ppc64.rpm openssl-devel-1.0.1e-48.el6_8.4.ppc.rpm openssl-devel-1.0.1e-48.el6_8.4.ppc64.rpm
s390x: openssl-1.0.1e-48.el6_8.4.s390.rpm openssl-1.0.1e-48.el6_8.4.s390x.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.s390.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.s390x.rpm openssl-devel-1.0.1e-48.el6_8.4.s390.rpm openssl-devel-1.0.1e-48.el6_8.4.s390x.rpm
x86_64: openssl-1.0.1e-48.el6_8.4.i686.rpm openssl-1.0.1e-48.el6_8.4.x86_64.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm openssl-devel-1.0.1e-48.el6_8.4.i686.rpm openssl-devel-1.0.1e-48.el6_8.4.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
i386: openssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm openssl-perl-1.0.1e-48.el6_8.4.i686.rpm openssl-static-1.0.1e-48.el6_8.4.i686.rpm
ppc64: openssl-debuginfo-1.0.1e-48.el6_8.4.ppc64.rpm openssl-perl-1.0.1e-48.el6_8.4.ppc64.rpm openssl-static-1.0.1e-48.el6_8.4.ppc64.rpm
s390x: openssl-debuginfo-1.0.1e-48.el6_8.4.s390x.rpm openssl-perl-1.0.1e-48.el6_8.4.s390x.rpm openssl-static-1.0.1e-48.el6_8.4.s390x.rpm
x86_64: openssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm openssl-perl-1.0.1e-48.el6_8.4.x86_64.rpm openssl-static-1.0.1e-48.el6_8.4.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source: openssl-1.0.1e-48.el6_8.4.src.rpm
i386: openssl-1.0.1e-48.el6_8.4.i686.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm openssl-devel-1.0.1e-48.el6_8.4.i686.rpm
x86_64: openssl-1.0.1e-48.el6_8.4.i686.rpm openssl-1.0.1e-48.el6_8.4.x86_64.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm openssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm openssl-devel-1.0.1e-48.el6_8.4.i686.rpm openssl-devel-1.0.1e-48.el6_8.4.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
i386: openssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm openssl-perl-1.0.1e-48.el6_8.4.i686.rpm openssl-static-1.0.1e-48.el6_8.4.i686.rpm
x86_64: openssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm openssl-perl-1.0.1e-48.el6_8.4.x86_64.rpm openssl-static-1.0.1e-48.el6_8.4.x86_64.rpm
Red Hat Enterprise Linux Client (v. 7):
Source: openssl-1.0.1e-60.el7_3.1.src.rpm
x86_64: openssl-1.0.1e-60.el7_3.1.x86_64.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm openssl-libs-1.0.1e-60.el7_3.1.i686.rpm openssl-libs-1.0.1e-60.el7_3.1.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64: openssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm openssl-devel-1.0.1e-60.el7_3.1.i686.rpm openssl-devel-1.0.1e-60.el7_3.1.x86_64.rpm openssl-perl-1.0.1e-60.el7_3.1.x86_64.rpm openssl-static-1.0.1e-60.el7_3.1.i686.rpm openssl-static-1.0.1e-60.el7_3.1.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source: openssl-1.0.1e-60.el7_3.1.src.rpm
x86_64: openssl-1.0.1e-60.el7_3.1.x86_64.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm openssl-libs-1.0.1e-60.el7_3.1.i686.rpm openssl-libs-1.0.1e-60.el7_3.1.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64: openssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm openssl-devel-1.0.1e-60.el7_3.1.i686.rpm openssl-devel-1.0.1e-60.el7_3.1.x86_64.rpm openssl-perl-1.0.1e-60.el7_3.1.x86_64.rpm openssl-static-1.0.1e-60.el7_3.1.i686.rpm openssl-static-1.0.1e-60.el7_3.1.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source: openssl-1.0.1e-60.el7_3.1.src.rpm
aarch64: openssl-1.0.1e-60.el7_3.1.aarch64.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.aarch64.rpm openssl-devel-1.0.1e-60.el7_3.1.aarch64.rpm openssl-libs-1.0.1e-60.el7_3.1.aarch64.rpm
ppc64: openssl-1.0.1e-60.el7_3.1.ppc64.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.ppc.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.ppc64.rpm openssl-devel-1.0.1e-60.el7_3.1.ppc.rpm openssl-devel-1.0.1e-60.el7_3.1.ppc64.rpm openssl-libs-1.0.1e-60.el7_3.1.ppc.rpm openssl-libs-1.0.1e-60.el7_3.1.ppc64.rpm
ppc64le: openssl-1.0.1e-60.el7_3.1.ppc64le.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.ppc64le.rpm openssl-devel-1.0.1e-60.el7_3.1.ppc64le.rpm openssl-libs-1.0.1e-60.el7_3.1.ppc64le.rpm
s390x: openssl-1.0.1e-60.el7_3.1.s390x.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.s390.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.s390x.rpm openssl-devel-1.0.1e-60.el7_3.1.s390.rpm openssl-devel-1.0.1e-60.el7_3.1.s390x.rpm openssl-libs-1.0.1e-60.el7_3.1.s390.rpm openssl-libs-1.0.1e-60.el7_3.1.s390x.rpm
x86_64: openssl-1.0.1e-60.el7_3.1.x86_64.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm openssl-devel-1.0.1e-60.el7_3.1.i686.rpm openssl-devel-1.0.1e-60.el7_3.1.x86_64.rpm openssl-libs-1.0.1e-60.el7_3.1.i686.rpm openssl-libs-1.0.1e-60.el7_3.1.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
aarch64: openssl-debuginfo-1.0.1e-60.el7_3.1.aarch64.rpm openssl-perl-1.0.1e-60.el7_3.1.aarch64.rpm openssl-static-1.0.1e-60.el7_3.1.aarch64.rpm
ppc64: openssl-debuginfo-1.0.1e-60.el7_3.1.ppc.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.ppc64.rpm openssl-perl-1.0.1e-60.el7_3.1.ppc64.rpm openssl-static-1.0.1e-60.el7_3.1.ppc.rpm openssl-static-1.0.1e-60.el7_3.1.ppc64.rpm
ppc64le: openssl-debuginfo-1.0.1e-60.el7_3.1.ppc64le.rpm openssl-perl-1.0.1e-60.el7_3.1.ppc64le.rpm openssl-static-1.0.1e-60.el7_3.1.ppc64le.rpm
s390x: openssl-debuginfo-1.0.1e-60.el7_3.1.s390.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.s390x.rpm openssl-perl-1.0.1e-60.el7_3.1.s390x.rpm openssl-static-1.0.1e-60.el7_3.1.s390.rpm openssl-static-1.0.1e-60.el7_3.1.s390x.rpm
x86_64: openssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm openssl-perl-1.0.1e-60.el7_3.1.x86_64.rpm openssl-static-1.0.1e-60.el7_3.1.i686.rpm openssl-static-1.0.1e-60.el7_3.1.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source: openssl-1.0.1e-60.el7_3.1.src.rpm
x86_64: openssl-1.0.1e-60.el7_3.1.x86_64.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm openssl-devel-1.0.1e-60.el7_3.1.i686.rpm openssl-devel-1.0.1e-60.el7_3.1.x86_64.rpm openssl-libs-1.0.1e-60.el7_3.1.i686.rpm openssl-libs-1.0.1e-60.el7_3.1.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64: openssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm openssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm openssl-perl-1.0.1e-60.el7_3.1.x86_64.rpm openssl-static-1.0.1e-60.el7_3.1.i686.rpm openssl-static-1.0.1e-60.el7_3.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2016-8610 https://access.redhat.com/security/cve/CVE-2017-3731 https://access.redhat.com/security/updates/classification/#moderate https://www.openssl.org/news/secadv/20170126.txt
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iD8DBQFYqs1TXlSAg2UNWIIRAt7bAJ0ZCDFTFcNP3/qrBxA46aRJQAvxkACaA9Ak 1zK4rWazcUYTZw5zQhD4SXA= =I+Z7 -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.
Security Fix(es):
-
A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. (CVE-2016-6304)
-
It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. (CVE-2016-0736)
-
It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. (CVE-2016-2161)
-
A timing attack flaw was found in OpenSSL that could allow a malicious user with local access to recover ECDSA P-256 private keys. (CVE-2016-8610)
-
It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)
-
A vulnerability was found in httpd's handling of the LimitRequestFields directive in mod_http2, affecting servers with HTTP/2 enabled. (CVE-2016-8740)
Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6304 and Shi Lei (Gear Team of Qihoo 360 Inc.) for reporting CVE-2016-8610. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6304. After installing the updated packages, the httpd daemon will be restarted automatically. Bugs fixed (https://bugzilla.redhat.com/):
1377600 - CVE-2016-6304 openssl: OCSP Status Request extension unbounded memory growth 1384743 - CVE-2016-8610 SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS 1401528 - CVE-2016-8740 httpd: Incomplete handling of LimitRequestFields directive in mod_http2 1406744 - CVE-2016-0736 httpd: Padding Oracle in Apache mod_session_crypto 1406753 - CVE-2016-2161 httpd: DoS vulnerability in mod_auth_digest 1406822 - CVE-2016-8743 httpd: Apache HTTP Request Parsing Whitespace Defects 1412120 - CVE-2016-7056 openssl: ECDSA P-256 timing attack key recovery
- JIRA issues fixed (https://issues.jboss.org/):
JBCS-319 - Errata for httpd 2.4.23 SP1 RHEL 7
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. If sendfile processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could lead to invalid responses or information disclosure. (CVE-2017-5647)
- A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. Solution:
Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).
The References section of this erratum contains a download link (you must log in to download the update).
CVE-2016-8610
It was discovered that no limit was imposed on alert packets during
an SSL handshake.
CVE-2017-3731
Robert Swiecki discovered that the RC4-MD5 cipher when running on
32 bit systems could be forced into an out-of-bounds read, resulting
in denial of service.
For the stable distribution (jessie), these problems have been fixed in version 1.0.1t-1+deb8u6.
For the unstable distribution (sid), these problems have been fixed in version 1.1.0d-1 of the openssl source package and in version 1.0.2k-1 of the openssl1.0 source package.
We recommend that you upgrade your openssl packages. 6) - i386, x86_64
The following packages have been upgraded to a later upstream version: gnutls (2.12.23). (CVE-2016-8610)
- Multiple flaws were found in the way gnutls processed OpenPGP certificates. An attacker could create specially crafted OpenPGP certificates which, when parsed by gnutls, would cause it to crash. Bugs fixed (https://bugzilla.redhat.com/):
1320982 - ASSERT failure in gnutls-cli-debug 1321112 - DHE_DSS ciphers don't work with client certificates and OpenSSL using TLSv1.2 1323215 - gnutls-serv --http crashes with client certificates with NSS client 1326073 - GnuTLS prefers SHA-1 signatures in TLSv1.2 1326389 - GnuTLS server does not accept SHA-384 and SHA-512 Certificate Verify signatures despite advertising support for them 1326886 - GnuTLS server rejects connections that do not advertise support for SHA-1 signature algorithms 1327656 - gnutls-serv: closing connection without sending an Alert message 1328205 - gnutls-cli won't send certificates that don't match hashes in Certificate Request 1333521 - Provide ability to set the expected server name in gnutls-serv utility 1335924 - gnutls: Disable TLS connections with less than 1024-bit DH parameters 1337460 - Disable/remove export ciphersuites in GnuTLS 1384743 - CVE-2016-8610 SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS 1411836 - CVE-2017-5337 gnutls: Heap read overflow in read-packet.c 1412235 - CVE-2017-5335 gnutls: Out of memory while parsing crafted OpenPGP certificate 1412236 - CVE-2017-5336 gnutls: Stack overflow in cdk_pk_get_keyid 1415682 - Changes introduced by rebase to 2.12.23 break API and ABI compatibility for some libraries
Software Description: - gnutls28: GNU TLS library - gnutls26: GNU TLS library
Details:
Stefan Buehler discovered that GnuTLS incorrectly verified the serial length of OCSP responses. (CVE-2016-8610)
It was discovered that GnuTLS incorrectly decoded X.509 certificates with a Proxy Certificate Information extension. =========================================================================== Ubuntu Security Notice USN-3181-1 January 31, 2017
openssl vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in OpenSSL. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS as other releases were fixed in a previous security update. (CVE-2016-2177)
It was discovered that OpenSSL did not properly handle Montgomery multiplication, resulting in incorrect results leading to transient failures. This issue only applied to Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7055)
It was discovered that OpenSSL did not properly use constant-time operations when performing ECDSA P-256 signing. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-7056)
Shi Lei discovered that OpenSSL incorrectly handled certain warning alerts. (CVE-2016-8610)
Robert =C5=9Awi=C4=99cki discovered that OpenSSL incorrectly handled certain truncated packets. (CVE-2017-3731)
It was discovered that OpenSSL incorrectly performed the x86_64 Montgomery squaring procedure. This issue only applied to Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2017-3732)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 16.10: libssl1.0.0 1.0.2g-1ubuntu9.1
Ubuntu 16.04 LTS: libssl1.0.0 1.0.2g-1ubuntu4.6
Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.22
Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.39
After a standard system update you need to reboot your computer to make all the necessary changes
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201711-0007",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "openssl",
"scope": "eq",
"trust": 1.6,
"vendor": "openssl",
"version": "1.0.1"
},
{
"model": "openssl",
"scope": "eq",
"trust": 1.6,
"vendor": "openssl",
"version": "0.9.8"
},
{
"model": "m10-4",
"scope": "lt",
"trust": 1.0,
"vendor": "fujitsu",
"version": "xcp2361"
},
{
"model": "core rdbms",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "18c"
},
{
"model": "enterprise linux server",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.0"
},
{
"model": "m12-1",
"scope": "lt",
"trust": 1.0,
"vendor": "fujitsu",
"version": "xcp2361"
},
{
"model": "pan-os",
"scope": "gte",
"trust": 1.0,
"vendor": "paloaltonetworks",
"version": "7.0.0"
},
{
"model": "service processor",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "e-series santricity os controller",
"scope": "gte",
"trust": 1.0,
"vendor": "netapp",
"version": "11.0"
},
{
"model": "enterprise linux desktop",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "6.0"
},
{
"model": "m12-1",
"scope": "lt",
"trust": 1.0,
"vendor": "fujitsu",
"version": "xcp3070"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "8.0"
},
{
"model": "peoplesoft enterprise peopletools",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.58"
},
{
"model": "oncommand balance",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "oncommand workflow automation",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "m12-2s",
"scope": "lt",
"trust": 1.0,
"vendor": "fujitsu",
"version": "xcp3070"
},
{
"model": "jboss enterprise application platform",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "6.0.0"
},
{
"model": "jboss enterprise application platform",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "6.4.0"
},
{
"model": "host agent",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "enterprise linux server eus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.3"
},
{
"model": "clustered data ontap antivirus connector",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "enterprise linux workstation",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.0"
},
{
"model": "storagegrid webscale",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "oncommand unified manager",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "pan-os",
"scope": "gte",
"trust": 1.0,
"vendor": "paloaltonetworks",
"version": "7.1.0"
},
{
"model": "communications ip service activator",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "7.4.0"
},
{
"model": "m10-4s",
"scope": "lt",
"trust": 1.0,
"vendor": "fujitsu",
"version": "xcp3070"
},
{
"model": "pan-os",
"scope": "lte",
"trust": 1.0,
"vendor": "paloaltonetworks",
"version": "6.1.17"
},
{
"model": "weblogic server",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.2.1.3.0"
},
{
"model": "weblogic server",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.2.1.4.0"
},
{
"model": "enterprise linux server tus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.3"
},
{
"model": "m10-4",
"scope": "gte",
"trust": 1.0,
"vendor": "fujitsu",
"version": "xcp3000"
},
{
"model": "timesten in-memory database",
"scope": "lt",
"trust": 1.0,
"vendor": "oracle",
"version": "18.1.4.1.0"
},
{
"model": "enterprise linux server eus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.6"
},
{
"model": "enterprise linux server eus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.4"
},
{
"model": "snapcenter server",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "weblogic server",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "10.3.6.0.0"
},
{
"model": "retail predictive application server",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "16.0.3"
},
{
"model": "enterprise linux server eus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.5"
},
{
"model": "enterprise linux server",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "6.0"
},
{
"model": "m12-2",
"scope": "lt",
"trust": 1.0,
"vendor": "fujitsu",
"version": "xcp2361"
},
{
"model": "enterprise linux server tus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.6"
},
{
"model": "m10-4",
"scope": "lt",
"trust": 1.0,
"vendor": "fujitsu",
"version": "xcp3070"
},
{
"model": "clustered data ontap",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "retail predictive application server",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "15.0.3"
},
{
"model": "data ontap edge",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "storagegrid",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "core rdbms",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.2.0.1"
},
{
"model": "peoplesoft enterprise peopletools",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.56"
},
{
"model": "peoplesoft enterprise peopletools",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.57"
},
{
"model": "core rdbms",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "11.2.0.4"
},
{
"model": "enterprise manager ops center",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.4.0"
},
{
"model": "m12-1",
"scope": "gte",
"trust": 1.0,
"vendor": "fujitsu",
"version": "xcp3000"
},
{
"model": "m12-2",
"scope": "lt",
"trust": 1.0,
"vendor": "fujitsu",
"version": "xcp3070"
},
{
"model": "m12-2",
"scope": "gte",
"trust": 1.0,
"vendor": "fujitsu",
"version": "xcp3000"
},
{
"model": "core rdbms",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "19c"
},
{
"model": "openssl",
"scope": "eq",
"trust": 1.0,
"vendor": "openssl",
"version": "1.1.0"
},
{
"model": "data ontap",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "enterprise linux desktop",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.0"
},
{
"model": "m12-2s",
"scope": "lt",
"trust": 1.0,
"vendor": "fujitsu",
"version": "xcp2361"
},
{
"model": "m12-2s",
"scope": "gte",
"trust": 1.0,
"vendor": "fujitsu",
"version": "xcp3000"
},
{
"model": "enterprise linux server aus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.3"
},
{
"model": "core rdbms",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.1.0.2"
},
{
"model": "cn1610",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "smi-s provider",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "enterprise linux workstation",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "6.0"
},
{
"model": "openssl",
"scope": "gte",
"trust": 1.0,
"vendor": "openssl",
"version": "1.0.2"
},
{
"model": "m10-1",
"scope": "lt",
"trust": 1.0,
"vendor": "fujitsu",
"version": "xcp2361"
},
{
"model": "m10-4s",
"scope": "lt",
"trust": 1.0,
"vendor": "fujitsu",
"version": "xcp2361"
},
{
"model": "m10-4s",
"scope": "gte",
"trust": 1.0,
"vendor": "fujitsu",
"version": "xcp3000"
},
{
"model": "snapdrive",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "pan-os",
"scope": "lte",
"trust": 1.0,
"vendor": "paloaltonetworks",
"version": "7.0.15"
},
{
"model": "e-series santricity os controller",
"scope": "lte",
"trust": 1.0,
"vendor": "netapp",
"version": "11.40"
},
{
"model": "goldengate application adapters",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.3.2.1.0"
},
{
"model": "adaptive access manager",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "11.1.2.3.0"
},
{
"model": "pan-os",
"scope": "lte",
"trust": 1.0,
"vendor": "paloaltonetworks",
"version": "7.1.10"
},
{
"model": "application testing suite",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "13.3.0.1"
},
{
"model": "m10-1",
"scope": "lt",
"trust": 1.0,
"vendor": "fujitsu",
"version": "xcp3070"
},
{
"model": "m10-1",
"scope": "gte",
"trust": 1.0,
"vendor": "fujitsu",
"version": "xcp3000"
},
{
"model": "enterprise linux server aus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.6"
},
{
"model": "weblogic server",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.1.3.0.0"
},
{
"model": "openssl",
"scope": "lte",
"trust": 1.0,
"vendor": "openssl",
"version": "1.0.2h"
},
{
"model": "enterprise linux server aus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.4"
},
{
"model": "jd edwards enterpriseone tools",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "9.2"
},
{
"model": "ontap select deploy",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "communications analytics",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.1.1"
},
{
"model": "enterprise manager ops center",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.3.3"
},
{
"model": "communications ip service activator",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "7.3.4"
},
{
"model": "openssl",
"scope": "eq",
"trust": 0.6,
"vendor": "openssl",
"version": "1.0.2b"
},
{
"model": "openssl",
"scope": "eq",
"trust": 0.6,
"vendor": "openssl",
"version": "1.0.2"
},
{
"model": "openssl",
"scope": "eq",
"trust": 0.6,
"vendor": "openssl",
"version": "1.0.2a"
},
{
"model": "openssl",
"scope": "eq",
"trust": 0.6,
"vendor": "openssl",
"version": "1.0.2c"
},
{
"model": "openssl",
"scope": "eq",
"trust": 0.6,
"vendor": "openssl",
"version": "1.0.2d"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "16.10"
},
{
"model": "linux lts",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "16.04"
},
{
"model": "linux lts",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "14.04"
},
{
"model": "linux lts i386",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "12.04"
},
{
"model": "linux lts amd64",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "12.04"
},
{
"model": "jboss web server",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "0"
},
{
"model": "jboss core services on rhel server",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "70"
},
{
"model": "jboss core services on rhel server",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "60"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "7.1"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "7.0.15"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "7.0.14"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "7.0.13"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "7.0.12"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "7.0.11"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "7.0.10"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "7.0.5"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "7.0.4"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "7.0.1"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "7.0"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "7.0.9"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "7.0.8"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "7.0.7"
},
{
"model": "pan-os",
"scope": "eq",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "6.1"
},
{
"model": "enterprise linux",
"scope": "eq",
"trust": 0.3,
"vendor": "oracle",
"version": "7"
},
{
"model": "project openssl",
"scope": "eq",
"trust": 0.3,
"vendor": "openssl",
"version": "1.1"
},
{
"model": "project openssl",
"scope": "eq",
"trust": 0.3,
"vendor": "openssl",
"version": "1.0.2"
},
{
"model": "project openssl k",
"scope": "eq",
"trust": 0.3,
"vendor": "openssl",
"version": "0.9.8"
},
{
"model": "project openssl j",
"scope": "eq",
"trust": 0.3,
"vendor": "openssl",
"version": "0.9.8"
},
{
"model": "project openssl i",
"scope": "eq",
"trust": 0.3,
"vendor": "openssl",
"version": "0.9.8"
},
{
"model": "project openssl h",
"scope": "eq",
"trust": 0.3,
"vendor": "openssl",
"version": "0.9.8"
},
{
"model": "project openssl e",
"scope": "eq",
"trust": 0.3,
"vendor": "openssl",
"version": "0.9.8"
},
{
"model": "project openssl d",
"scope": "eq",
"trust": 0.3,
"vendor": "openssl",
"version": "0.9.8"
},
{
"model": "project openssl c",
"scope": "eq",
"trust": 0.3,
"vendor": "openssl",
"version": "0.9.8"
},
{
"model": "project openssl b",
"scope": "eq",
"trust": 0.3,
"vendor": "openssl",
"version": "0.9.8"
},
{
"model": "project openssl a",
"scope": "eq",
"trust": 0.3,
"vendor": "openssl",
"version": "0.9.8"
},
{
"model": "project openssl",
"scope": "eq",
"trust": 0.3,
"vendor": "openssl",
"version": "0.9.8"
},
{
"model": "project openssl 1.0.2h",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 1.0.2g",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 1.0.2f",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 1.0.2e",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 1.0.2d",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 1.0.2c",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 1.0.2b",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 1.0.2a",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 1.0.1u",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 1.0.1t",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 1.0.1s",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 1.0.1r",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 1.0.1q",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 1.0.1p",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 1.0.1o",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 1.0.1n",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 1.0.1m",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 1.0.1l",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 1.0.1k",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 1.0.1j",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 1.0.1i",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 1.0.1h",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 1.0.1g",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 1.0.1f",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 1.0.1e",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 1.0.1d",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 1.0.1c",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 1.0.1b",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 1.0.1a",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl",
"scope": "eq",
"trust": 0.3,
"vendor": "openssl",
"version": "1.0.1"
},
{
"model": "project openssl 0.9.8zh",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 0.9.8zg",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 0.9.8zf",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 0.9.8ze",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 0.9.8zd",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 0.9.8zc",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 0.9.8zb",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 0.9.8za",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 0.9.8y",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl",
"scope": "eq",
"trust": 0.3,
"vendor": "openssl",
"version": "0.9.8x"
},
{
"model": "project openssl 0.9.8w",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 0.9.8u",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 0.9.8t",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 0.9.8s",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 0.9.8r",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 0.9.8q",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 0.9.8p",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 0.9.8o",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 0.9.8n",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 0.9.8m",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 0.9.8l",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 0.9.8g",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 0.9.8f",
"scope": null,
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl f",
"scope": "eq",
"trust": 0.3,
"vendor": "openssl",
"version": "0.9.8"
},
{
"model": "project openssl",
"scope": "eq",
"trust": 0.3,
"vendor": "openssl",
"version": "0.9.8v"
},
{
"model": "vios",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "2.2"
},
{
"model": "sterling connect:direct for unix",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.1"
},
{
"model": "netezza host management",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "5.4.4"
},
{
"model": "netezza host management",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "5.4.3"
},
{
"model": "netezza host management",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "5.4.8.0"
},
{
"model": "netezza host management",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "5.4.6.0"
},
{
"model": "netezza host management",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "5.3.9.0"
},
{
"model": "netezza host management",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "5.3.8.0"
},
{
"model": "netezza host management",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "5.3.7.0"
},
{
"model": "netezza host management",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "5.3.6.0"
},
{
"model": "netezza host management",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "5.3.3"
},
{
"model": "netezza host management",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "5.3.2.0"
},
{
"model": "netezza host management",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "5.3.10.0"
},
{
"model": "netezza host management",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "4.2.0.0"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.5.2.1"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.5.2.0"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.5.1.3"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.5.1.2"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.5.1.1"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.5.1.0"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.5.0.4"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.5.0.3"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.5.0.2"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.5.0.1"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.5.0.0"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.2.0.9"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.2.0.8"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.2.0.6"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.2.0.5"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.2.0.4"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.2.0.3"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.2.0.2"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.2.0.10"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.2.0.1"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.2.0.0"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.1.0.9"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.1.0.8"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.1.0.7"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.1.0.6"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.1.0.5"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.1.0.13"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.1.0.12"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.1.0.11"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.1.0.10"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.1.0.0"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.9"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.8"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.16"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.15"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.14"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.13"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.12"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.11"
},
{
"model": "datapower gateways",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.10"
},
{
"model": "aix",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.2"
},
{
"model": "aix",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.1"
},
{
"model": "aix",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.1"
},
{
"model": "aix",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "5.3"
},
{
"model": "linux sparc",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "linux s/390",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "linux powerpc",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "linux mips",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "linux ia-64",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "linux ia-32",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "linux arm",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "linux amd64",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "centos",
"scope": "eq",
"trust": 0.3,
"vendor": "centos",
"version": "6"
},
{
"model": "pan-os",
"scope": "ne",
"trust": 0.3,
"vendor": "paloaltonetworks",
"version": "7.0.16"
},
{
"model": "project openssl 1.1.0b",
"scope": "ne",
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "project openssl 1.0.2j",
"scope": "ne",
"trust": 0.3,
"vendor": "openssl",
"version": null
},
{
"model": "sterling connect:direct for unix 4.1.0.4.ifix085",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": null
},
{
"model": "netezza host management",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "5.4.9.0"
},
{
"model": "datapower gateways",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "7.5.2.2"
},
{
"model": "datapower gateways",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "7.5.1.4"
},
{
"model": "datapower gateways",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "7.5.0.5"
},
{
"model": "datapower gateways",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "7.2.0.11"
},
{
"model": "datapower gateways",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "7.1.0.14"
},
{
"model": "datapower gateways",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.17"
}
],
"sources": [
{
"db": "BID",
"id": "93841"
},
{
"db": "CNNVD",
"id": "CNNVD-201610-726"
},
{
"db": "NVD",
"id": "CVE-2016-8610"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Shi Lei from Gear Team, Qihoo 360 Inc.",
"sources": [
{
"db": "BID",
"id": "93841"
},
{
"db": "CNNVD",
"id": "CNNVD-201610-726"
}
],
"trust": 0.9
},
"cve": "CVE-2016-8610",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "CVE-2016-8610",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.1,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "VHN-97430",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:N/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"id": "CVE-2016-8610",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2016-8610",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201610-726",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-97430",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2016-8610",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-97430"
},
{
"db": "VULMON",
"id": "CVE-2016-8610"
},
{
"db": "CNNVD",
"id": "CNNVD-201610-726"
},
{
"db": "NVD",
"id": "CVE-2016-8610"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. OpenSSL is prone to denial-of-service vulnerability. \nSuccessful exploitation of the issue will cause excessive memory or CPU resource consumption, resulting in a denial-of-service condition. It supports a variety of encryption algorithms, including symmetric ciphers, hash algorithms, security hashing algorithm, etc. \n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Moderate: openssl security update\nAdvisory ID: RHSA-2017:0286-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://rhn.redhat.com/errata/RHSA-2017-0286.html\nIssue date: 2017-02-20\nCVE Names: CVE-2016-8610 CVE-2017-3731 \n=====================================================================\n\n1. Summary:\n\nAn update for openssl is now available for Red Hat Enterprise Linux 6 and\nRed Hat Enterprise Linux 7. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Client (v. 7) - x86_64\nRed Hat Enterprise Linux Client Optional (v. 7) - x86_64\nRed Hat Enterprise Linux ComputeNode (v. 7) - x86_64\nRed Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64\nRed Hat Enterprise Linux Desktop (v. 6) - i386, x86_64\nRed Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64\nRed Hat Enterprise Linux HPC Node (v. 6) - x86_64\nRed Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64\nRed Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64\nRed Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64\nRed Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Workstation (v. 6) - i386, x86_64\nRed Hat Enterprise Linux Workstation (v. 7) - x86_64\nRed Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64\nRed Hat Enterprise Linux Workstation Optional (v. 7) - x86_64\n\n3. Description:\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and\nTransport Layer Security (TLS) protocols, as well as a full-strength\ngeneral-purpose cryptography library. \n\nSecurity Fix(es):\n\n* An integer underflow leading to an out of bounds read flaw was found in\nOpenSSL. \n(CVE-2016-8610)\n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nFor the update to take effect, all services linked to the OpenSSL library\nmust be restarted, or the system rebooted. \n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1384743 - CVE-2016-8610 SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS\n1416852 - CVE-2017-3731 openssl: Truncated packet could crash via OOB read\n\n6. Package List:\n\nRed Hat Enterprise Linux Desktop (v. 6):\n\nSource:\nopenssl-1.0.1e-48.el6_8.4.src.rpm\n\ni386:\nopenssl-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm\n\nx86_64:\nopenssl-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm\n\nRed Hat Enterprise Linux Desktop Optional (v. 6):\n\ni386:\nopenssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-devel-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-perl-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-static-1.0.1e-48.el6_8.4.i686.rpm\n\nx86_64:\nopenssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-devel-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-devel-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-perl-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-static-1.0.1e-48.el6_8.4.x86_64.rpm\n\nRed Hat Enterprise Linux HPC Node (v. 6):\n\nSource:\nopenssl-1.0.1e-48.el6_8.4.src.rpm\n\nx86_64:\nopenssl-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm\n\nRed Hat Enterprise Linux HPC Node Optional (v. 6):\n\nx86_64:\nopenssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-devel-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-devel-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-perl-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-static-1.0.1e-48.el6_8.4.x86_64.rpm\n\nRed Hat Enterprise Linux Server (v. 6):\n\nSource:\nopenssl-1.0.1e-48.el6_8.4.src.rpm\n\ni386:\nopenssl-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-devel-1.0.1e-48.el6_8.4.i686.rpm\n\nppc64:\nopenssl-1.0.1e-48.el6_8.4.ppc.rpm\nopenssl-1.0.1e-48.el6_8.4.ppc64.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.ppc.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.ppc64.rpm\nopenssl-devel-1.0.1e-48.el6_8.4.ppc.rpm\nopenssl-devel-1.0.1e-48.el6_8.4.ppc64.rpm\n\ns390x:\nopenssl-1.0.1e-48.el6_8.4.s390.rpm\nopenssl-1.0.1e-48.el6_8.4.s390x.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.s390.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.s390x.rpm\nopenssl-devel-1.0.1e-48.el6_8.4.s390.rpm\nopenssl-devel-1.0.1e-48.el6_8.4.s390x.rpm\n\nx86_64:\nopenssl-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-devel-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-devel-1.0.1e-48.el6_8.4.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 6):\n\ni386:\nopenssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-perl-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-static-1.0.1e-48.el6_8.4.i686.rpm\n\nppc64:\nopenssl-debuginfo-1.0.1e-48.el6_8.4.ppc64.rpm\nopenssl-perl-1.0.1e-48.el6_8.4.ppc64.rpm\nopenssl-static-1.0.1e-48.el6_8.4.ppc64.rpm\n\ns390x:\nopenssl-debuginfo-1.0.1e-48.el6_8.4.s390x.rpm\nopenssl-perl-1.0.1e-48.el6_8.4.s390x.rpm\nopenssl-static-1.0.1e-48.el6_8.4.s390x.rpm\n\nx86_64:\nopenssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-perl-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-static-1.0.1e-48.el6_8.4.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation (v. 6):\n\nSource:\nopenssl-1.0.1e-48.el6_8.4.src.rpm\n\ni386:\nopenssl-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-devel-1.0.1e-48.el6_8.4.i686.rpm\n\nx86_64:\nopenssl-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-devel-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-devel-1.0.1e-48.el6_8.4.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 6):\n\ni386:\nopenssl-debuginfo-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-perl-1.0.1e-48.el6_8.4.i686.rpm\nopenssl-static-1.0.1e-48.el6_8.4.i686.rpm\n\nx86_64:\nopenssl-debuginfo-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-perl-1.0.1e-48.el6_8.4.x86_64.rpm\nopenssl-static-1.0.1e-48.el6_8.4.x86_64.rpm\n\nRed Hat Enterprise Linux Client (v. 7):\n\nSource:\nopenssl-1.0.1e-60.el7_3.1.src.rpm\n\nx86_64:\nopenssl-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-libs-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-libs-1.0.1e-60.el7_3.1.x86_64.rpm\n\nRed Hat Enterprise Linux Client Optional (v. 7):\n\nx86_64:\nopenssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-devel-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-devel-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-perl-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-static-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-static-1.0.1e-60.el7_3.1.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode (v. 7):\n\nSource:\nopenssl-1.0.1e-60.el7_3.1.src.rpm\n\nx86_64:\nopenssl-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-libs-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-libs-1.0.1e-60.el7_3.1.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode Optional (v. 7):\n\nx86_64:\nopenssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-devel-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-devel-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-perl-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-static-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-static-1.0.1e-60.el7_3.1.x86_64.rpm\n\nRed Hat Enterprise Linux Server (v. 7):\n\nSource:\nopenssl-1.0.1e-60.el7_3.1.src.rpm\n\naarch64:\nopenssl-1.0.1e-60.el7_3.1.aarch64.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.aarch64.rpm\nopenssl-devel-1.0.1e-60.el7_3.1.aarch64.rpm\nopenssl-libs-1.0.1e-60.el7_3.1.aarch64.rpm\n\nppc64:\nopenssl-1.0.1e-60.el7_3.1.ppc64.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.ppc.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.ppc64.rpm\nopenssl-devel-1.0.1e-60.el7_3.1.ppc.rpm\nopenssl-devel-1.0.1e-60.el7_3.1.ppc64.rpm\nopenssl-libs-1.0.1e-60.el7_3.1.ppc.rpm\nopenssl-libs-1.0.1e-60.el7_3.1.ppc64.rpm\n\nppc64le:\nopenssl-1.0.1e-60.el7_3.1.ppc64le.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.ppc64le.rpm\nopenssl-devel-1.0.1e-60.el7_3.1.ppc64le.rpm\nopenssl-libs-1.0.1e-60.el7_3.1.ppc64le.rpm\n\ns390x:\nopenssl-1.0.1e-60.el7_3.1.s390x.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.s390.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.s390x.rpm\nopenssl-devel-1.0.1e-60.el7_3.1.s390.rpm\nopenssl-devel-1.0.1e-60.el7_3.1.s390x.rpm\nopenssl-libs-1.0.1e-60.el7_3.1.s390.rpm\nopenssl-libs-1.0.1e-60.el7_3.1.s390x.rpm\n\nx86_64:\nopenssl-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-devel-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-devel-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-libs-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-libs-1.0.1e-60.el7_3.1.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 7):\n\naarch64:\nopenssl-debuginfo-1.0.1e-60.el7_3.1.aarch64.rpm\nopenssl-perl-1.0.1e-60.el7_3.1.aarch64.rpm\nopenssl-static-1.0.1e-60.el7_3.1.aarch64.rpm\n\nppc64:\nopenssl-debuginfo-1.0.1e-60.el7_3.1.ppc.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.ppc64.rpm\nopenssl-perl-1.0.1e-60.el7_3.1.ppc64.rpm\nopenssl-static-1.0.1e-60.el7_3.1.ppc.rpm\nopenssl-static-1.0.1e-60.el7_3.1.ppc64.rpm\n\nppc64le:\nopenssl-debuginfo-1.0.1e-60.el7_3.1.ppc64le.rpm\nopenssl-perl-1.0.1e-60.el7_3.1.ppc64le.rpm\nopenssl-static-1.0.1e-60.el7_3.1.ppc64le.rpm\n\ns390x:\nopenssl-debuginfo-1.0.1e-60.el7_3.1.s390.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.s390x.rpm\nopenssl-perl-1.0.1e-60.el7_3.1.s390x.rpm\nopenssl-static-1.0.1e-60.el7_3.1.s390.rpm\nopenssl-static-1.0.1e-60.el7_3.1.s390x.rpm\n\nx86_64:\nopenssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-perl-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-static-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-static-1.0.1e-60.el7_3.1.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation (v. 7):\n\nSource:\nopenssl-1.0.1e-60.el7_3.1.src.rpm\n\nx86_64:\nopenssl-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-devel-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-devel-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-libs-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-libs-1.0.1e-60.el7_3.1.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 7):\n\nx86_64:\nopenssl-debuginfo-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-debuginfo-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-perl-1.0.1e-60.el7_3.1.x86_64.rpm\nopenssl-static-1.0.1e-60.el7_3.1.i686.rpm\nopenssl-static-1.0.1e-60.el7_3.1.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2016-8610\nhttps://access.redhat.com/security/cve/CVE-2017-3731\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://www.openssl.org/news/secadv/20170126.txt\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2017 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niD8DBQFYqs1TXlSAg2UNWIIRAt7bAJ0ZCDFTFcNP3/qrBxA46aRJQAvxkACaA9Ak\n1zK4rWazcUYTZw5zQhD4SXA=\n=I+Z7\n-----END PGP SIGNATURE-----\n\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. This software, such as Apache HTTP Server, is\ncommon to multiple JBoss middleware products, and is packaged under Red Hat\nJBoss Core Services to allow for faster distribution of updates, and for a\nmore consistent update experience. \n\nSecurity Fix(es):\n\n* A memory leak flaw was found in the way OpenSSL handled TLS status\nrequest extension data during session renegotiation. A remote attacker\ncould cause a TLS server using OpenSSL to consume an excessive amount of\nmemory and, possibly, exit unexpectedly after exhausting all available\nmemory, if it enabled OCSP stapling support. (CVE-2016-6304)\n\n* It was discovered that the mod_session_crypto module of httpd did not use\nany mechanisms to verify integrity of the encrypted session data stored in\nthe user\u0027s browser. (CVE-2016-0736)\n\n* It was discovered that the mod_auth_digest module of httpd did not\nproperly check for memory allocation failures. (CVE-2016-2161)\n\n* A timing attack flaw was found in OpenSSL that could allow a malicious\nuser with local access to recover ECDSA P-256 private keys. \n(CVE-2016-8610)\n\n* It was discovered that the HTTP parser in httpd incorrectly allowed\ncertain characters not permitted by the HTTP protocol specification to\nappear unencoded in HTTP request headers. If httpd was used in conjunction\nwith a proxy or backend server that interpreted those characters\ndifferently, a remote attacker could possibly use this flaw to inject data\ninto HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)\n\n* A vulnerability was found in httpd\u0027s handling of the LimitRequestFields\ndirective in mod_http2, affecting servers with HTTP/2 enabled. (CVE-2016-8740)\n\nRed Hat would like to thank the OpenSSL project for reporting CVE-2016-6304\nand Shi Lei (Gear Team of Qihoo 360 Inc.) for reporting CVE-2016-8610. \nUpstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original\nreporter of CVE-2016-6304. After installing the updated\npackages, the httpd daemon will be restarted automatically. Bugs fixed (https://bugzilla.redhat.com/):\n\n1377600 - CVE-2016-6304 openssl: OCSP Status Request extension unbounded memory growth\n1384743 - CVE-2016-8610 SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS\n1401528 - CVE-2016-8740 httpd: Incomplete handling of LimitRequestFields directive in mod_http2\n1406744 - CVE-2016-0736 httpd: Padding Oracle in Apache mod_session_crypto\n1406753 - CVE-2016-2161 httpd: DoS vulnerability in mod_auth_digest\n1406822 - CVE-2016-8743 httpd: Apache HTTP Request Parsing Whitespace Defects\n1412120 - CVE-2016-7056 openssl: ECDSA P-256 timing attack key recovery\n\n6. JIRA issues fixed (https://issues.jboss.org/):\n\nJBCS-319 - Errata for httpd 2.4.23 SP1 RHEL 7\n\n7. \n\nApache Tomcat is a servlet container for the Java Servlet and JavaServer\nPages (JSP) technologies. If sendfile processing completed quickly, it was\npossible for the Processor to be added to the processor cache twice. This\ncould lead to invalid responses or information disclosure. (CVE-2017-5647)\n\n* A vulnerability was discovered in the error page mechanism in Tomcat\u0027s\nDefaultServlet implementation. A crafted HTTP request could cause undesired\nside effects, possibly including the removal or replacement of the custom\nerror page. Solution:\n\nBefore applying the update, back up your existing Red Hat JBoss Web Server\ninstallation (including all applications and configuration files). \n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). \n\nCVE-2016-8610\n\n It was discovered that no limit was imposed on alert packets during\n an SSL handshake. \n\nCVE-2017-3731\n\n Robert Swiecki discovered that the RC4-MD5 cipher when running on\n 32 bit systems could be forced into an out-of-bounds read, resulting\n in denial of service. \n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 1.0.1t-1+deb8u6. \n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.1.0d-1 of the openssl source package and in version 1.0.2k-1\nof the openssl1.0 source package. \n\nWe recommend that you upgrade your openssl packages. 6) - i386, x86_64\n\n3. \n\nThe following packages have been upgraded to a later upstream version:\ngnutls (2.12.23). \n(CVE-2016-8610)\n\n* Multiple flaws were found in the way gnutls processed OpenPGP\ncertificates. An attacker could create specially crafted OpenPGP\ncertificates which, when parsed by gnutls, would cause it to crash. Bugs fixed (https://bugzilla.redhat.com/):\n\n1320982 - ASSERT failure in gnutls-cli-debug\n1321112 - DHE_DSS ciphers don\u0027t work with client certificates and OpenSSL using TLSv1.2\n1323215 - gnutls-serv --http crashes with client certificates with NSS client\n1326073 - GnuTLS prefers SHA-1 signatures in TLSv1.2\n1326389 - GnuTLS server does not accept SHA-384 and SHA-512 Certificate Verify signatures despite advertising support for them\n1326886 - GnuTLS server rejects connections that do not advertise support for SHA-1 signature algorithms\n1327656 - gnutls-serv: closing connection without sending an Alert message\n1328205 - gnutls-cli won\u0027t send certificates that don\u0027t match hashes in Certificate Request\n1333521 - Provide ability to set the expected server name in gnutls-serv utility\n1335924 - gnutls: Disable TLS connections with less than 1024-bit DH parameters\n1337460 - Disable/remove export ciphersuites in GnuTLS\n1384743 - CVE-2016-8610 SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS\n1411836 - CVE-2017-5337 gnutls: Heap read overflow in read-packet.c\n1412235 - CVE-2017-5335 gnutls: Out of memory while parsing crafted OpenPGP certificate\n1412236 - CVE-2017-5336 gnutls: Stack overflow in cdk_pk_get_keyid\n1415682 - Changes introduced by rebase to 2.12.23 break API and ABI compatibility for some libraries\n\n6. \n\nSoftware Description:\n- gnutls28: GNU TLS library\n- gnutls26: GNU TLS library\n\nDetails:\n\nStefan Buehler discovered that GnuTLS incorrectly verified the serial\nlength of OCSP responses. (CVE-2016-8610)\n\nIt was discovered that GnuTLS incorrectly decoded X.509 certificates with a\nProxy Certificate Information extension. \n===========================================================================\nUbuntu Security Notice USN-3181-1\nJanuary 31, 2017\n\nopenssl vulnerabilities\n===========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 16.10\n- Ubuntu 16.04 LTS\n- Ubuntu 14.04 LTS\n- Ubuntu 12.04 LTS\n\nSummary:\n\nSeveral security issues were fixed in OpenSSL. This\nissue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS as other\nreleases were fixed in a previous security update. (CVE-2016-2177)\n\nIt was discovered that OpenSSL did not properly handle Montgomery\nmultiplication, resulting in incorrect results leading to transient\nfailures. This issue only applied to Ubuntu 16.04 LTS, and Ubuntu 16.10. \n(CVE-2016-7055)\n\nIt was discovered that OpenSSL did not properly use constant-time\noperations when performing ECDSA P-256 signing. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04\nLTS. (CVE-2016-7056)\n\nShi Lei discovered that OpenSSL incorrectly handled certain warning alerts. (CVE-2016-8610)\n\nRobert =C5=9Awi=C4=99cki discovered that OpenSSL incorrectly handled certain\ntruncated packets. (CVE-2017-3731)\n\nIt was discovered that OpenSSL incorrectly performed the x86_64 Montgomery\nsquaring procedure. This issue only applied to Ubuntu 16.04\nLTS, and Ubuntu 16.10. (CVE-2017-3732)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 16.10:\n libssl1.0.0 1.0.2g-1ubuntu9.1\n\nUbuntu 16.04 LTS:\n libssl1.0.0 1.0.2g-1ubuntu4.6\n\nUbuntu 14.04 LTS:\n libssl1.0.0 1.0.1f-1ubuntu2.22\n\nUbuntu 12.04 LTS:\n libssl1.0.0 1.0.1-4ubuntu5.39\n\nAfter a standard system update you need to reboot your computer to make\nall the necessary changes",
"sources": [
{
"db": "NVD",
"id": "CVE-2016-8610"
},
{
"db": "BID",
"id": "93841"
},
{
"db": "VULHUB",
"id": "VHN-97430"
},
{
"db": "VULMON",
"id": "CVE-2016-8610"
},
{
"db": "PACKETSTORM",
"id": "141173"
},
{
"db": "PACKETSTORM",
"id": "142848"
},
{
"db": "PACKETSTORM",
"id": "142847"
},
{
"db": "PACKETSTORM",
"id": "143873"
},
{
"db": "PACKETSTORM",
"id": "140781"
},
{
"db": "PACKETSTORM",
"id": "141752"
},
{
"db": "PACKETSTORM",
"id": "140890"
},
{
"db": "PACKETSTORM",
"id": "140850"
}
],
"trust": 2.07
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2016-8610",
"trust": 2.9
},
{
"db": "BID",
"id": "93841",
"trust": 2.1
},
{
"db": "SECTRACK",
"id": "1037084",
"trust": 1.8
},
{
"db": "CNNVD",
"id": "CNNVD-201610-726",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2019.2173",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "141173",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "141752",
"trust": 0.2
},
{
"db": "SEEBUG",
"id": "SSVID-92490",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-97430",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2016-8610",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "142848",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "142847",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "143873",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "140781",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "140890",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "140850",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-97430"
},
{
"db": "VULMON",
"id": "CVE-2016-8610"
},
{
"db": "BID",
"id": "93841"
},
{
"db": "PACKETSTORM",
"id": "141173"
},
{
"db": "PACKETSTORM",
"id": "142848"
},
{
"db": "PACKETSTORM",
"id": "142847"
},
{
"db": "PACKETSTORM",
"id": "143873"
},
{
"db": "PACKETSTORM",
"id": "140781"
},
{
"db": "PACKETSTORM",
"id": "141752"
},
{
"db": "PACKETSTORM",
"id": "140890"
},
{
"db": "PACKETSTORM",
"id": "140850"
},
{
"db": "CNNVD",
"id": "CNNVD-201610-726"
},
{
"db": "NVD",
"id": "CVE-2016-8610"
}
]
},
"id": "VAR-201711-0007",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-97430"
}
],
"trust": 0.40555555
},
"last_update_date": "2024-11-29T21:15:04.795000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "OpenSSL Remediation measures for denial of service vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=65089"
},
{
"title": "Red Hat: Moderate: openssl security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20170286 - Security Advisory"
},
{
"title": "Red Hat: Important: Red Hat JBoss Enterprise Application Platform 6.4.16 natives update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20171659 - Security Advisory"
},
{
"title": "Red Hat: Moderate: gnutls security, bug fix, and enhancement update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20170574 - Security Advisory"
},
{
"title": "Red Hat: Important: Red Hat JBoss Enterprise Application Platform 6.4.16 natives update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20171658 - Security Advisory"
},
{
"title": "Red Hat: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 for RHEL 6",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20171414 - Security Advisory"
},
{
"title": "Red Hat: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20171415 - Security Advisory"
},
{
"title": "Red Hat: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 for RHEL 7",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20171413 - Security Advisory"
},
{
"title": "Debian Security Advisories: DSA-3773-1 openssl -- security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=9f660812dd6a423f7e72aa57751d0031"
},
{
"title": "Red Hat: CVE-2016-8610",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=CVE-2016-8610"
},
{
"title": "Amazon Linux AMI: ALAS-2017-803",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2017-803"
},
{
"title": "Ubuntu Security Notice: gnutls26 vulnerability",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-3183-2"
},
{
"title": "Ubuntu Security Notice: gnutls26, gnutls28 vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-3183-1"
},
{
"title": "Ubuntu Security Notice: openssl vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-3181-1"
},
{
"title": "Red Hat: Important: Red Hat JBoss Web Server 3.1.0 Service Pack 1 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20171801 - Security Advisory"
},
{
"title": "Red Hat: Important: Red Hat JBoss Web Server Service Pack 1 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20171802 - Security Advisory"
},
{
"title": "Amazon Linux AMI: ALAS-2017-815",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2017-815"
},
{
"title": "Oracle Linux Bulletins: Oracle Linux Bulletin - January 2017",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_linux_bulletins\u0026qid=ecbe5f193404d1e9c62e8323118ae6cf"
},
{
"title": "Oracle VM Server for x86 Bulletins: Oracle VM Server for x86 Bulletin - January 2017",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_vm_server_for_x86_bulletins\u0026qid=04299a624c15ae57f9f110f484bc5f66"
},
{
"title": "Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - October 2016",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins\u0026qid=6839c4d3fd328571c675c335d58b5591"
},
{
"title": "Oracle Linux Bulletins: Oracle Linux Bulletin - April 2017",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_linux_bulletins\u0026qid=d78b3379ca364568964f30138964c7e7"
},
{
"title": "Oracle VM Server for x86 Bulletins: Oracle VM Server for x86 Bulletin - April 2017",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_vm_server_for_x86_bulletins\u0026qid=bf8deceb640f4a0fee008855afe6aa85"
},
{
"title": "CVE-2016-8610-PoC",
"trust": 0.1,
"url": "https://github.com/cujanovic/CVE-2016-8610-PoC "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2016-8610"
},
{
"db": "CNNVD",
"id": "CNNVD-201610-726"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-400",
"trust": 1.1
},
{
"problemtype": "CWE-399",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-97430"
},
{
"db": "NVD",
"id": "CVE-2016-8610"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "http://www.securityfocus.com/bid/93841"
},
{
"trust": 2.1,
"url": "http://seclists.org/oss-sec/2016/q4/224"
},
{
"trust": 1.9,
"url": "http://rhn.redhat.com/errata/rhsa-2017-0286.html"
},
{
"trust": 1.9,
"url": "http://rhn.redhat.com/errata/rhsa-2017-0574.html"
},
{
"trust": 1.9,
"url": "https://access.redhat.com/errata/rhsa-2017:1413"
},
{
"trust": 1.9,
"url": "http://rhn.redhat.com/errata/rhsa-2017-1415.html"
},
{
"trust": 1.9,
"url": "https://access.redhat.com/errata/rhsa-2017:2494"
},
{
"trust": 1.8,
"url": "http://www.securitytracker.com/id/1037084"
},
{
"trust": 1.8,
"url": "https://www.debian.org/security/2017/dsa-3773"
},
{
"trust": 1.8,
"url": "https://security.freebsd.org/advisories/freebsd-sa-16:35.openssl.asc"
},
{
"trust": 1.8,
"url": "https://access.redhat.com/errata/rhsa-2017:1414"
},
{
"trust": 1.8,
"url": "https://access.redhat.com/errata/rhsa-2017:1658"
},
{
"trust": 1.8,
"url": "http://rhn.redhat.com/errata/rhsa-2017-1659.html"
},
{
"trust": 1.8,
"url": "https://access.redhat.com/errata/rhsa-2017:1801"
},
{
"trust": 1.8,
"url": "https://access.redhat.com/errata/rhsa-2017:1802"
},
{
"trust": 1.8,
"url": "https://access.redhat.com/errata/rhsa-2017:2493"
},
{
"trust": 1.8,
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=cve-2016-8610"
},
{
"trust": 1.8,
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3ba=commit%3bh=af58be768ebb690f78530f796e92b8ae5c9a4401"
},
{
"trust": 1.8,
"url": "https://security.360.cn/cve/cve-2016-8610/"
},
{
"trust": 1.8,
"url": "https://security.netapp.com/advisory/ntap-20171130-0001/"
},
{
"trust": 1.8,
"url": "https://security.paloaltonetworks.com/cve-2016-8610"
},
{
"trust": 1.8,
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"trust": 1.8,
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"trust": 1.8,
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"trust": 1.8,
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"trust": 1.8,
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"trust": 1.8,
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
},
{
"trust": 1.7,
"url": "https://support.hpe.com/hpsc/doc/public/display?doclocale=en_us\u0026docid=emr_na-hpesbhf03897en_us"
},
{
"trust": 0.9,
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=af58be768ebb690f78530f796e92b8ae5c9a4401"
},
{
"trust": 0.9,
"url": "https://securityadvisories.paloaltonetworks.com/home/detail/87"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-8610"
},
{
"trust": 0.6,
"url": "https://www.suse.com/support/update/announcement/2019/suse-su-20191553-1.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2019.2173/"
},
{
"trust": 0.5,
"url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/cve/cve-2016-8610"
},
{
"trust": 0.5,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-7056"
},
{
"trust": 0.3,
"url": "http://openssl.org/"
},
{
"trust": 0.3,
"url": "http://aix.software.ibm.com/aix/efixes/security/openssl_advisory22.asc"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21994867"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21996760"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21997209"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-3731"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2016-6304"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-6304"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2016-8740"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2016-0736"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-8743"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/documentation/en/red-hat-jboss-core-services/"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2016-8743"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-2161"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-8740"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2016-7056"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-0736"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2016-2161"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-5337"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-5336"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-5335"
},
{
"trust": 0.1,
"url": "https://support.hpe.com/hpsc/doc/public/display?doclocale=en_us\u0026amp;docid=emr_na-hpesbhf03897en_us"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/400.html"
},
{
"trust": 0.1,
"url": "https://github.com/cujanovic/cve-2016-8610-poc"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "http://tools.cisco.com/security/center/viewalert.x?alertid=49575"
},
{
"trust": 0.1,
"url": "https://usn.ubuntu.com/3183-2/"
},
{
"trust": 0.1,
"url": "https://www.openssl.org/news/secadv/20170126.txt"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2017-3731"
},
{
"trust": 0.1,
"url": "https://issues.jboss.org/):"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=core.service.apachehttp\u0026downloadtype=securitypatches\u0026version=2.4.23"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=webserver\u0026downloadtype=securitypatches\u0026version=2.1.2"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2017-5664"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2017-5647"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-5647"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/articles/3155411"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-5664"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/faq"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2017-5337"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2017-5336"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/6.9_release_notes/index.html"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/6.9_technical_notes/index.html"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2017-5335"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-5334"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/gnutls28/3.4.10-4ubuntu1.2"
},
{
"trust": 0.1,
"url": "http://www.ubuntu.com/usn/usn-3183-1"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/gnutls26/2.12.23-12ubuntu2.6"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-7444"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/gnutls28/3.5.3-5ubuntu1.1"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/gnutls26/2.12.14-5ubuntu3.13"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu4.6"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu9.1"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openssl/1.0.1f-1ubuntu2.22"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-2177"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.39"
},
{
"trust": 0.1,
"url": "http://www.ubuntu.com/usn/usn-3181-1"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-7055"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-3732"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-97430"
},
{
"db": "VULMON",
"id": "CVE-2016-8610"
},
{
"db": "BID",
"id": "93841"
},
{
"db": "PACKETSTORM",
"id": "141173"
},
{
"db": "PACKETSTORM",
"id": "142848"
},
{
"db": "PACKETSTORM",
"id": "142847"
},
{
"db": "PACKETSTORM",
"id": "143873"
},
{
"db": "PACKETSTORM",
"id": "140781"
},
{
"db": "PACKETSTORM",
"id": "141752"
},
{
"db": "PACKETSTORM",
"id": "140890"
},
{
"db": "PACKETSTORM",
"id": "140850"
},
{
"db": "CNNVD",
"id": "CNNVD-201610-726"
},
{
"db": "NVD",
"id": "CVE-2016-8610"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-97430"
},
{
"db": "VULMON",
"id": "CVE-2016-8610"
},
{
"db": "BID",
"id": "93841"
},
{
"db": "PACKETSTORM",
"id": "141173"
},
{
"db": "PACKETSTORM",
"id": "142848"
},
{
"db": "PACKETSTORM",
"id": "142847"
},
{
"db": "PACKETSTORM",
"id": "143873"
},
{
"db": "PACKETSTORM",
"id": "140781"
},
{
"db": "PACKETSTORM",
"id": "141752"
},
{
"db": "PACKETSTORM",
"id": "140890"
},
{
"db": "PACKETSTORM",
"id": "140850"
},
{
"db": "CNNVD",
"id": "CNNVD-201610-726"
},
{
"db": "NVD",
"id": "CVE-2016-8610"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-11-13T00:00:00",
"db": "VULHUB",
"id": "VHN-97430"
},
{
"date": "2017-11-13T00:00:00",
"db": "VULMON",
"id": "CVE-2016-8610"
},
{
"date": "2016-10-24T00:00:00",
"db": "BID",
"id": "93841"
},
{
"date": "2017-02-20T22:47:10",
"db": "PACKETSTORM",
"id": "141173"
},
{
"date": "2017-06-07T22:47:57",
"db": "PACKETSTORM",
"id": "142848"
},
{
"date": "2017-06-07T22:47:43",
"db": "PACKETSTORM",
"id": "142847"
},
{
"date": "2017-08-22T05:28:16",
"db": "PACKETSTORM",
"id": "143873"
},
{
"date": "2017-01-30T16:58:54",
"db": "PACKETSTORM",
"id": "140781"
},
{
"date": "2017-03-21T14:50:40",
"db": "PACKETSTORM",
"id": "141752"
},
{
"date": "2017-02-02T02:05:34",
"db": "PACKETSTORM",
"id": "140890"
},
{
"date": "2017-02-01T00:36:45",
"db": "PACKETSTORM",
"id": "140850"
},
{
"date": "2016-10-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201610-726"
},
{
"date": "2017-11-13T22:29:00.203000",
"db": "NVD",
"id": "CVE-2016-8610"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-02-12T00:00:00",
"db": "VULHUB",
"id": "VHN-97430"
},
{
"date": "2023-02-12T00:00:00",
"db": "VULMON",
"id": "CVE-2016-8610"
},
{
"date": "2017-08-22T08:11:00",
"db": "BID",
"id": "93841"
},
{
"date": "2023-02-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201610-726"
},
{
"date": "2024-11-21T02:59:39.983000",
"db": "NVD",
"id": "CVE-2016-8610"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "141173"
},
{
"db": "PACKETSTORM",
"id": "141752"
},
{
"db": "PACKETSTORM",
"id": "140890"
},
{
"db": "PACKETSTORM",
"id": "140850"
},
{
"db": "CNNVD",
"id": "CNNVD-201610-726"
}
],
"trust": 1.0
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "OpenSSL Resource Management Error Vulnerability",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201610-726"
}
],
"trust": 0.6
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "resource management error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201610-726"
}
],
"trust": 0.6
}
}
var-202109-1802
Vulnerability from variot
A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. This vulnerability allows remote attackers to initiate arbitrary server-side requests on affected installations of Hewlett Packard Enterprise OneView. Authentication is not required to exploit this vulnerability.The specific flaw exists within the REST service, which listens on TCP port 443 by default. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. The server is fast, reliable and extensible through a simple API. The vulnerability stems from the mod_proxy module failing to properly validate user input. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
===================================================================== Red Hat Security Advisory
Synopsis: Important: httpd security update Advisory ID: RHSA-2021:3856-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:3856 Issue date: 2021-10-14 CVE Names: CVE-2021-40438 =====================================================================
- Summary:
An update for httpd is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 7.2 Advanced Update Support, Red Hat Enterprise Linux 7.3 Advanced Update Support, Red Hat Enterprise Linux 7.4 Advanced Update Support, Red Hat Enterprise Linux 7.6 Advanced Update Support, Red Hat Enterprise Linux 7.6 Telco Extended Update Support, Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions, Red Hat Enterprise Linux 7.7 Advanced Update Support, Red Hat Enterprise Linux 7.7 Telco Extended Update Support, and Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server AUS (v. 7.2) - noarch, x86_64 Red Hat Enterprise Linux Server AUS (v. 7.3) - noarch, x86_64 Red Hat Enterprise Linux Server AUS (v. 7.4) - noarch, x86_64 Red Hat Enterprise Linux Server AUS (v. 7.6) - noarch, x86_64 Red Hat Enterprise Linux Server AUS (v. 7.7) - noarch, x86_64 Red Hat Enterprise Linux Server E4S (v. 7.6) - noarch, ppc64le, x86_64 Red Hat Enterprise Linux Server E4S (v. 7.7) - noarch, ppc64le, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional AUS (v. 7.2) - x86_64 Red Hat Enterprise Linux Server Optional AUS (v. 7.3) - x86_64 Red Hat Enterprise Linux Server Optional AUS (v. 7.4) - x86_64 Red Hat Enterprise Linux Server Optional AUS (v. 7.6) - x86_64 Red Hat Enterprise Linux Server Optional AUS (v. 7.7) - x86_64 Red Hat Enterprise Linux Server Optional E4S (v. 7.6) - ppc64le, x86_64 Red Hat Enterprise Linux Server Optional TUS (v. 7.6) - x86_64 Red Hat Enterprise Linux Server Optional TUS (v. 7.7) - x86_64 Red Hat Enterprise Linux Server TUS (v. 7.6) - noarch, x86_64 Red Hat Enterprise Linux Server TUS (v. 7.7) - noarch, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
Security Fix(es):
- httpd: mod_proxy: SSRF via a crafted request uri-path containing "unix:" (CVE-2021-40438)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
- Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the updated packages, the httpd daemon will be restarted automatically.
- Bugs fixed (https://bugzilla.redhat.com/):
2005117 - CVE-2021-40438 httpd: mod_proxy: SSRF via a crafted request uri-path containing "unix:"
- Package List:
Red Hat Enterprise Linux Client Optional (v. 7):
Source: httpd-2.4.6-97.el7_9.1.src.rpm
noarch: httpd-manual-2.4.6-97.el7_9.1.noarch.rpm
x86_64: httpd-2.4.6-97.el7_9.1.x86_64.rpm httpd-debuginfo-2.4.6-97.el7_9.1.x86_64.rpm httpd-devel-2.4.6-97.el7_9.1.x86_64.rpm httpd-tools-2.4.6-97.el7_9.1.x86_64.rpm mod_ldap-2.4.6-97.el7_9.1.x86_64.rpm mod_proxy_html-2.4.6-97.el7_9.1.x86_64.rpm mod_session-2.4.6-97.el7_9.1.x86_64.rpm mod_ssl-2.4.6-97.el7_9.1.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
Source: httpd-2.4.6-97.el7_9.1.src.rpm
noarch: httpd-manual-2.4.6-97.el7_9.1.noarch.rpm
x86_64: httpd-2.4.6-97.el7_9.1.x86_64.rpm httpd-debuginfo-2.4.6-97.el7_9.1.x86_64.rpm httpd-devel-2.4.6-97.el7_9.1.x86_64.rpm httpd-tools-2.4.6-97.el7_9.1.x86_64.rpm mod_ldap-2.4.6-97.el7_9.1.x86_64.rpm mod_proxy_html-2.4.6-97.el7_9.1.x86_64.rpm mod_session-2.4.6-97.el7_9.1.x86_64.rpm mod_ssl-2.4.6-97.el7_9.1.x86_64.rpm
Red Hat Enterprise Linux Server AUS (v. 7.2):
Source: httpd-2.4.6-40.el7_2.7.src.rpm
noarch: httpd-manual-2.4.6-40.el7_2.7.noarch.rpm
x86_64: httpd-2.4.6-40.el7_2.7.x86_64.rpm httpd-debuginfo-2.4.6-40.el7_2.7.x86_64.rpm httpd-devel-2.4.6-40.el7_2.7.x86_64.rpm httpd-tools-2.4.6-40.el7_2.7.x86_64.rpm mod_ssl-2.4.6-40.el7_2.7.x86_64.rpm
Red Hat Enterprise Linux Server AUS (v. 7.3):
Source: httpd-2.4.6-45.el7_3.6.src.rpm
noarch: httpd-manual-2.4.6-45.el7_3.6.noarch.rpm
x86_64: httpd-2.4.6-45.el7_3.6.x86_64.rpm httpd-debuginfo-2.4.6-45.el7_3.6.x86_64.rpm httpd-devel-2.4.6-45.el7_3.6.x86_64.rpm httpd-tools-2.4.6-45.el7_3.6.x86_64.rpm mod_ssl-2.4.6-45.el7_3.6.x86_64.rpm
Red Hat Enterprise Linux Server AUS (v. 7.4):
Source: httpd-2.4.6-67.el7_4.7.src.rpm
noarch: httpd-manual-2.4.6-67.el7_4.7.noarch.rpm
x86_64: httpd-2.4.6-67.el7_4.7.x86_64.rpm httpd-debuginfo-2.4.6-67.el7_4.7.x86_64.rpm httpd-devel-2.4.6-67.el7_4.7.x86_64.rpm httpd-tools-2.4.6-67.el7_4.7.x86_64.rpm mod_session-2.4.6-67.el7_4.7.x86_64.rpm mod_ssl-2.4.6-67.el7_4.7.x86_64.rpm
Red Hat Enterprise Linux Server AUS (v. 7.6):
Source: httpd-2.4.6-89.el7_6.2.src.rpm
noarch: httpd-manual-2.4.6-89.el7_6.2.noarch.rpm
x86_64: httpd-2.4.6-89.el7_6.2.x86_64.rpm httpd-debuginfo-2.4.6-89.el7_6.2.x86_64.rpm httpd-devel-2.4.6-89.el7_6.2.x86_64.rpm httpd-tools-2.4.6-89.el7_6.2.x86_64.rpm mod_session-2.4.6-89.el7_6.2.x86_64.rpm mod_ssl-2.4.6-89.el7_6.2.x86_64.rpm
Red Hat Enterprise Linux Server E4S (v. 7.6):
Source: httpd-2.4.6-89.el7_6.2.src.rpm
noarch: httpd-manual-2.4.6-89.el7_6.2.noarch.rpm
ppc64le: httpd-2.4.6-89.el7_6.2.ppc64le.rpm httpd-debuginfo-2.4.6-89.el7_6.2.ppc64le.rpm httpd-devel-2.4.6-89.el7_6.2.ppc64le.rpm httpd-tools-2.4.6-89.el7_6.2.ppc64le.rpm mod_session-2.4.6-89.el7_6.2.ppc64le.rpm mod_ssl-2.4.6-89.el7_6.2.ppc64le.rpm
x86_64: httpd-2.4.6-89.el7_6.2.x86_64.rpm httpd-debuginfo-2.4.6-89.el7_6.2.x86_64.rpm httpd-devel-2.4.6-89.el7_6.2.x86_64.rpm httpd-tools-2.4.6-89.el7_6.2.x86_64.rpm mod_session-2.4.6-89.el7_6.2.x86_64.rpm mod_ssl-2.4.6-89.el7_6.2.x86_64.rpm
Red Hat Enterprise Linux Server TUS (v. 7.6):
Source: httpd-2.4.6-89.el7_6.2.src.rpm
noarch: httpd-manual-2.4.6-89.el7_6.2.noarch.rpm
x86_64: httpd-2.4.6-89.el7_6.2.x86_64.rpm httpd-debuginfo-2.4.6-89.el7_6.2.x86_64.rpm httpd-devel-2.4.6-89.el7_6.2.x86_64.rpm httpd-tools-2.4.6-89.el7_6.2.x86_64.rpm mod_session-2.4.6-89.el7_6.2.x86_64.rpm mod_ssl-2.4.6-89.el7_6.2.x86_64.rpm
Red Hat Enterprise Linux Server AUS (v. 7.7):
Source: httpd-2.4.6-90.el7_7.1.src.rpm
noarch: httpd-manual-2.4.6-90.el7_7.1.noarch.rpm
x86_64: httpd-2.4.6-90.el7_7.1.x86_64.rpm httpd-debuginfo-2.4.6-90.el7_7.1.x86_64.rpm httpd-devel-2.4.6-90.el7_7.1.x86_64.rpm httpd-tools-2.4.6-90.el7_7.1.x86_64.rpm mod_session-2.4.6-90.el7_7.1.x86_64.rpm mod_ssl-2.4.6-90.el7_7.1.x86_64.rpm
Red Hat Enterprise Linux Server E4S (v. 7.7):
Source: httpd-2.4.6-90.el7_7.1.src.rpm
noarch: httpd-manual-2.4.6-90.el7_7.1.noarch.rpm
ppc64le: httpd-2.4.6-90.el7_7.1.ppc64le.rpm httpd-debuginfo-2.4.6-90.el7_7.1.ppc64le.rpm httpd-devel-2.4.6-90.el7_7.1.ppc64le.rpm httpd-tools-2.4.6-90.el7_7.1.ppc64le.rpm mod_session-2.4.6-90.el7_7.1.ppc64le.rpm mod_ssl-2.4.6-90.el7_7.1.ppc64le.rpm
x86_64: httpd-2.4.6-90.el7_7.1.x86_64.rpm httpd-debuginfo-2.4.6-90.el7_7.1.x86_64.rpm httpd-devel-2.4.6-90.el7_7.1.x86_64.rpm httpd-tools-2.4.6-90.el7_7.1.x86_64.rpm mod_session-2.4.6-90.el7_7.1.x86_64.rpm mod_ssl-2.4.6-90.el7_7.1.x86_64.rpm
Red Hat Enterprise Linux Server TUS (v. 7.7):
Source: httpd-2.4.6-90.el7_7.1.src.rpm
noarch: httpd-manual-2.4.6-90.el7_7.1.noarch.rpm
x86_64: httpd-2.4.6-90.el7_7.1.x86_64.rpm httpd-debuginfo-2.4.6-90.el7_7.1.x86_64.rpm httpd-devel-2.4.6-90.el7_7.1.x86_64.rpm httpd-tools-2.4.6-90.el7_7.1.x86_64.rpm mod_session-2.4.6-90.el7_7.1.x86_64.rpm mod_ssl-2.4.6-90.el7_7.1.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source: httpd-2.4.6-97.el7_9.1.src.rpm
noarch: httpd-manual-2.4.6-97.el7_9.1.noarch.rpm
ppc64: httpd-2.4.6-97.el7_9.1.ppc64.rpm httpd-debuginfo-2.4.6-97.el7_9.1.ppc64.rpm httpd-devel-2.4.6-97.el7_9.1.ppc64.rpm httpd-tools-2.4.6-97.el7_9.1.ppc64.rpm mod_session-2.4.6-97.el7_9.1.ppc64.rpm mod_ssl-2.4.6-97.el7_9.1.ppc64.rpm
ppc64le: httpd-2.4.6-97.el7_9.1.ppc64le.rpm httpd-debuginfo-2.4.6-97.el7_9.1.ppc64le.rpm httpd-devel-2.4.6-97.el7_9.1.ppc64le.rpm httpd-tools-2.4.6-97.el7_9.1.ppc64le.rpm mod_session-2.4.6-97.el7_9.1.ppc64le.rpm mod_ssl-2.4.6-97.el7_9.1.ppc64le.rpm
s390x: httpd-2.4.6-97.el7_9.1.s390x.rpm httpd-debuginfo-2.4.6-97.el7_9.1.s390x.rpm httpd-devel-2.4.6-97.el7_9.1.s390x.rpm httpd-tools-2.4.6-97.el7_9.1.s390x.rpm mod_session-2.4.6-97.el7_9.1.s390x.rpm mod_ssl-2.4.6-97.el7_9.1.s390x.rpm
x86_64: httpd-2.4.6-97.el7_9.1.x86_64.rpm httpd-debuginfo-2.4.6-97.el7_9.1.x86_64.rpm httpd-devel-2.4.6-97.el7_9.1.x86_64.rpm httpd-tools-2.4.6-97.el7_9.1.x86_64.rpm mod_session-2.4.6-97.el7_9.1.x86_64.rpm mod_ssl-2.4.6-97.el7_9.1.x86_64.rpm
Red Hat Enterprise Linux Server Optional AUS (v. 7.2):
x86_64: httpd-debuginfo-2.4.6-40.el7_2.7.x86_64.rpm mod_ldap-2.4.6-40.el7_2.7.x86_64.rpm mod_proxy_html-2.4.6-40.el7_2.7.x86_64.rpm mod_session-2.4.6-40.el7_2.7.x86_64.rpm
Red Hat Enterprise Linux Server Optional AUS (v. 7.3):
x86_64: httpd-debuginfo-2.4.6-45.el7_3.6.x86_64.rpm mod_ldap-2.4.6-45.el7_3.6.x86_64.rpm mod_proxy_html-2.4.6-45.el7_3.6.x86_64.rpm mod_session-2.4.6-45.el7_3.6.x86_64.rpm
Red Hat Enterprise Linux Server Optional AUS (v. 7.4):
x86_64: httpd-debuginfo-2.4.6-67.el7_4.7.x86_64.rpm mod_ldap-2.4.6-67.el7_4.7.x86_64.rpm mod_proxy_html-2.4.6-67.el7_4.7.x86_64.rpm
Red Hat Enterprise Linux Server Optional AUS (v. 7.6):
x86_64: httpd-debuginfo-2.4.6-89.el7_6.2.x86_64.rpm mod_ldap-2.4.6-89.el7_6.2.x86_64.rpm mod_proxy_html-2.4.6-89.el7_6.2.x86_64.rpm
Red Hat Enterprise Linux Server Optional E4S (v. 7.6):
ppc64le: httpd-debuginfo-2.4.6-89.el7_6.2.ppc64le.rpm mod_ldap-2.4.6-89.el7_6.2.ppc64le.rpm mod_proxy_html-2.4.6-89.el7_6.2.ppc64le.rpm
x86_64: httpd-debuginfo-2.4.6-89.el7_6.2.x86_64.rpm mod_ldap-2.4.6-89.el7_6.2.x86_64.rpm mod_proxy_html-2.4.6-89.el7_6.2.x86_64.rpm
Red Hat Enterprise Linux Server Optional TUS (v. 7.6):
x86_64: httpd-debuginfo-2.4.6-89.el7_6.2.x86_64.rpm mod_ldap-2.4.6-89.el7_6.2.x86_64.rpm mod_proxy_html-2.4.6-89.el7_6.2.x86_64.rpm
Red Hat Enterprise Linux Server Optional AUS (v. 7.7):
x86_64: httpd-debuginfo-2.4.6-90.el7_7.1.x86_64.rpm mod_ldap-2.4.6-90.el7_7.1.x86_64.rpm mod_proxy_html-2.4.6-90.el7_7.1.x86_64.rpm
Red Hat Enterprise Linux Server Optional E4S (v. 7.6):
ppc64le: httpd-debuginfo-2.4.6-90.el7_7.1.ppc64le.rpm mod_ldap-2.4.6-90.el7_7.1.ppc64le.rpm mod_proxy_html-2.4.6-90.el7_7.1.ppc64le.rpm
x86_64: httpd-debuginfo-2.4.6-90.el7_7.1.x86_64.rpm mod_ldap-2.4.6-90.el7_7.1.x86_64.rpm mod_proxy_html-2.4.6-90.el7_7.1.x86_64.rpm
Red Hat Enterprise Linux Server Optional TUS (v. 7.7):
x86_64: httpd-debuginfo-2.4.6-90.el7_7.1.x86_64.rpm mod_ldap-2.4.6-90.el7_7.1.x86_64.rpm mod_proxy_html-2.4.6-90.el7_7.1.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64: httpd-debuginfo-2.4.6-97.el7_9.1.ppc64.rpm mod_ldap-2.4.6-97.el7_9.1.ppc64.rpm mod_proxy_html-2.4.6-97.el7_9.1.ppc64.rpm
ppc64le: httpd-debuginfo-2.4.6-97.el7_9.1.ppc64le.rpm mod_ldap-2.4.6-97.el7_9.1.ppc64le.rpm mod_proxy_html-2.4.6-97.el7_9.1.ppc64le.rpm
s390x: httpd-debuginfo-2.4.6-97.el7_9.1.s390x.rpm mod_ldap-2.4.6-97.el7_9.1.s390x.rpm mod_proxy_html-2.4.6-97.el7_9.1.s390x.rpm
x86_64: httpd-debuginfo-2.4.6-97.el7_9.1.x86_64.rpm mod_ldap-2.4.6-97.el7_9.1.x86_64.rpm mod_proxy_html-2.4.6-97.el7_9.1.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source: httpd-2.4.6-97.el7_9.1.src.rpm
noarch: httpd-manual-2.4.6-97.el7_9.1.noarch.rpm
x86_64: httpd-2.4.6-97.el7_9.1.x86_64.rpm httpd-debuginfo-2.4.6-97.el7_9.1.x86_64.rpm httpd-devel-2.4.6-97.el7_9.1.x86_64.rpm httpd-tools-2.4.6-97.el7_9.1.x86_64.rpm mod_session-2.4.6-97.el7_9.1.x86_64.rpm mod_ssl-2.4.6-97.el7_9.1.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64: httpd-debuginfo-2.4.6-97.el7_9.1.x86_64.rpm mod_ldap-2.4.6-97.el7_9.1.x86_64.rpm mod_proxy_html-2.4.6-97.el7_9.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2021-40438 https://access.redhat.com/security/updates/classification/#important
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBYWfxl9zjgjWX9erEAQiHUQ//augswljuYjRC9IwK5XgDLjrigqEshGaa v5C3gfY1a4SwE/x0FQCawiBmh+8VMv5as3c0eeU5C6QB/05BSBycgboIZG3H6HdF sNOxNzkcG6WmooNZNJ0/c/ykvkn0tRq812yzDTxr2IB3+LxH5cYaw9wQnt62l3yF gjtWedH9xntGpqrVK17NVe/o9Jg4tL0CEPDk+NrbXeSgwnAnLKsLjpwQT72+GVJx ZLC9DYkFguzQN+wckKPRfxGtce0GtuXHkpEShCnH32RPrNyImFMn/Nc8IyOmTadT jCd07H2MNH6+Txxt6dh2aI+SI5JwdeGRNP7IXs86H+KPNZhphS/BqFt3qHGTsw4l 3f6jGfywbWfNdLw+s0qHaWvJ2ZgTw7O1QPncfozKn8cU3Rw9OunN+r2yVTcU3KW9 0ZGHpej56UhthE1qqS5vQjUPQ6SQgC1QHGDNgYkZk0mqIL3Vkv6gEqIF8TH4ezxZ LhZcY3N6HI5LC7568idurO0uLTdjPZq8+xMmDDAXA4QvIxOsOk6x4Rf1dzCtDpGo QSzxx6a6uYXF7EWIlkaR/qY5zcyk4i8aJN8yzrxu6oNulVSIsSuMnb00SIOk8cX7 lUt5V1/RhnWSRytHE5Tz68PyfNyqgJwFDg8D/p0nxZE1Q3tXmgtLwPOY0l2zkkjB 95kGnxWCYaA= =gPcK -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . 8) - aarch64, noarch, ppc64le, s390x, x86_64
- Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. Refer to the Release Notes for information on the security fix included in this release. Solution:
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
The References section of this erratum contains a download link for the update. You must be logged in to download the update. ========================================================================== Ubuntu Security Notice USN-5090-4 September 28, 2021
apache2 regression
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
Summary:
USN-5090-1 introduced a regression in Apache HTTP Server. One of the upstream fixes introduced a regression in UDS URIs. This update fixes the problem.
Original advisory details:
James Kettle discovered that the Apache HTTP Server HTTP/2 module incorrectly handled certain crafted methods. A remote attacker could possibly use this issue to perform request splitting or cache poisoning attacks. (CVE-2021-34798)
Li Zhi Xin discovered that the Apache mod_proxy_uwsgi module incorrectly handled certain request uri-paths. This issue only affected Ubuntu 20.04 LTS and Ubuntu 21.04. If the server was configured with third-party modules, a remote attacker could use this issue to cause the server to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2021-39275)
It was discovered that the Apache mod_proxy module incorrectly handled certain request uri-paths. (CVE-2021-40438)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 16.04 ESM: apache2 2.4.18-2ubuntu3.17+esm3 apache2-bin 2.4.18-2ubuntu3.17+esm3
In general, a standard system update will make all the necessary changes
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202109-1802",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "sinema remote connect server",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "3.1"
},
{
"model": "cloud backup",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "f5os",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "1.2.0"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "34"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "35"
},
{
"model": "storagegrid",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "11.0"
},
{
"model": "instantis enterprisetrack",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "17.3"
},
{
"model": "secure global desktop",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "5.6"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "9.0"
},
{
"model": "ruggedcom nms",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "brocade fabric operating system",
"scope": "eq",
"trust": 1.0,
"vendor": "broadcom",
"version": null
},
{
"model": "sinema remote connect server",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "3.2"
},
{
"model": "clustered data ontap",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "10.0"
},
{
"model": "http server",
"scope": "lte",
"trust": 1.0,
"vendor": "apache",
"version": "2.4.48"
},
{
"model": "enterprise manager ops center",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.4.0.0"
},
{
"model": "http server",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.2.1.4.0"
},
{
"model": "sinema server",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "14.0"
},
{
"model": "f5os",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "1.1.4"
},
{
"model": "instantis enterprisetrack",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "17.1"
},
{
"model": "zfs storage appliance kit",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.8"
},
{
"model": "tenable.sc",
"scope": "lte",
"trust": 1.0,
"vendor": "tenable",
"version": "5.19.1"
},
{
"model": "f5os",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "1.2.1"
},
{
"model": "instantis enterprisetrack",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "17.2"
},
{
"model": "f5os",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "1.1.0"
},
{
"model": "sinec nms",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "1.0.3"
},
{
"model": "http server",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.2.1.3.0"
},
{
"model": "hitachi infrastructure analytics advisor",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "fedora",
"scope": null,
"trust": 0.8,
"vendor": "fedora",
"version": null
},
{
"model": "clustered data ontap",
"scope": null,
"trust": 0.8,
"vendor": "netapp",
"version": null
},
{
"model": "hitachi ops center api configuration manager",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "http server",
"scope": null,
"trust": 0.8,
"vendor": "apache",
"version": null
},
{
"model": "f5os",
"scope": null,
"trust": 0.8,
"vendor": "f5",
"version": null
},
{
"model": "storagegrid",
"scope": null,
"trust": 0.8,
"vendor": "netapp",
"version": null
},
{
"model": "gnu/linux",
"scope": null,
"trust": 0.8,
"vendor": "debian",
"version": null
},
{
"model": "hitachi configuration manager",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "hitachi device manager",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "hitachi ops center analyzer",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "oneview",
"scope": null,
"trust": 0.7,
"vendor": "hewlett packard",
"version": null
},
{
"model": "http server",
"scope": "lte",
"trust": 0.6,
"vendor": "apache",
"version": "\u003c=2.4.48"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-24-812"
},
{
"db": "CNVD",
"id": "CNVD-2022-03224"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-004150"
},
{
"db": "NVD",
"id": "CVE-2021-40438"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Anonymous",
"sources": [
{
"db": "ZDI",
"id": "ZDI-24-812"
}
],
"trust": 0.7
},
"cve": "CVE-2021-40438",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "CVE-2021-40438",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.9,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "CNVD-2022-03224",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "VHN-401786",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 9.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.2,
"id": "CVE-2021-40438",
"impactScore": 6.0,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "High",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 9.0,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2021-40438",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Changed",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "ZDI",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"id": "CVE-2021-40438",
"impactScore": 4.2,
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 0.7,
"userInteraction": "NONE",
"vectorString": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2021-40438",
"trust": 1.0,
"value": "CRITICAL"
},
{
"author": "NVD",
"id": "CVE-2021-40438",
"trust": 0.8,
"value": "Critical"
},
{
"author": "ZDI",
"id": "CVE-2021-40438",
"trust": 0.7,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2022-03224",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202109-1094",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-401786",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2021-40438",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-24-812"
},
{
"db": "CNVD",
"id": "CNVD-2022-03224"
},
{
"db": "VULHUB",
"id": "VHN-401786"
},
{
"db": "VULMON",
"id": "CVE-2021-40438"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-004150"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1094"
},
{
"db": "NVD",
"id": "CVE-2021-40438"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. This vulnerability allows remote attackers to initiate arbitrary server-side requests on affected installations of Hewlett Packard Enterprise OneView. Authentication is not required to exploit this vulnerability.The specific flaw exists within the REST service, which listens on TCP port 443 by default. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. The server is fast, reliable and extensible through a simple API. The vulnerability stems from the mod_proxy module failing to properly validate user input. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Important: httpd security update\nAdvisory ID: RHSA-2021:3856-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://access.redhat.com/errata/RHSA-2021:3856\nIssue date: 2021-10-14\nCVE Names: CVE-2021-40438 \n=====================================================================\n\n1. Summary:\n\nAn update for httpd is now available for Red Hat Enterprise Linux 7, Red\nHat Enterprise Linux 7.2 Advanced Update Support, Red Hat Enterprise Linux\n7.3 Advanced Update Support, Red Hat Enterprise Linux 7.4 Advanced Update\nSupport, Red Hat Enterprise Linux 7.6 Advanced Update Support, Red Hat\nEnterprise Linux 7.6 Telco Extended Update Support, Red Hat Enterprise\nLinux 7.6 Update Services for SAP Solutions, Red Hat Enterprise Linux 7.7\nAdvanced Update Support, Red Hat Enterprise Linux 7.7 Telco Extended Update\nSupport, and Red Hat Enterprise Linux 7.7 Update Services for SAP\nSolutions. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64\nRed Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64\nRed Hat Enterprise Linux Server (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Server AUS (v. 7.2) - noarch, x86_64\nRed Hat Enterprise Linux Server AUS (v. 7.3) - noarch, x86_64\nRed Hat Enterprise Linux Server AUS (v. 7.4) - noarch, x86_64\nRed Hat Enterprise Linux Server AUS (v. 7.6) - noarch, x86_64\nRed Hat Enterprise Linux Server AUS (v. 7.7) - noarch, x86_64\nRed Hat Enterprise Linux Server E4S (v. 7.6) - noarch, ppc64le, x86_64\nRed Hat Enterprise Linux Server E4S (v. 7.7) - noarch, ppc64le, x86_64\nRed Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Server Optional AUS (v. 7.2) - x86_64\nRed Hat Enterprise Linux Server Optional AUS (v. 7.3) - x86_64\nRed Hat Enterprise Linux Server Optional AUS (v. 7.4) - x86_64\nRed Hat Enterprise Linux Server Optional AUS (v. 7.6) - x86_64\nRed Hat Enterprise Linux Server Optional AUS (v. 7.7) - x86_64\nRed Hat Enterprise Linux Server Optional E4S (v. 7.6) - ppc64le, x86_64\nRed Hat Enterprise Linux Server Optional TUS (v. 7.6) - x86_64\nRed Hat Enterprise Linux Server Optional TUS (v. 7.7) - x86_64\nRed Hat Enterprise Linux Server TUS (v. 7.6) - noarch, x86_64\nRed Hat Enterprise Linux Server TUS (v. 7.7) - noarch, x86_64\nRed Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64\nRed Hat Enterprise Linux Workstation Optional (v. 7) - x86_64\n\n3. \n\nSecurity Fix(es):\n\n* httpd: mod_proxy: SSRF via a crafted request uri-path containing \"unix:\"\n(CVE-2021-40438)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted\nautomatically. \n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n2005117 - CVE-2021-40438 httpd: mod_proxy: SSRF via a crafted request uri-path containing \"unix:\"\n\n6. Package List:\n\nRed Hat Enterprise Linux Client Optional (v. 7):\n\nSource:\nhttpd-2.4.6-97.el7_9.1.src.rpm\n\nnoarch:\nhttpd-manual-2.4.6-97.el7_9.1.noarch.rpm\n\nx86_64:\nhttpd-2.4.6-97.el7_9.1.x86_64.rpm\nhttpd-debuginfo-2.4.6-97.el7_9.1.x86_64.rpm\nhttpd-devel-2.4.6-97.el7_9.1.x86_64.rpm\nhttpd-tools-2.4.6-97.el7_9.1.x86_64.rpm\nmod_ldap-2.4.6-97.el7_9.1.x86_64.rpm\nmod_proxy_html-2.4.6-97.el7_9.1.x86_64.rpm\nmod_session-2.4.6-97.el7_9.1.x86_64.rpm\nmod_ssl-2.4.6-97.el7_9.1.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode Optional (v. 7):\n\nSource:\nhttpd-2.4.6-97.el7_9.1.src.rpm\n\nnoarch:\nhttpd-manual-2.4.6-97.el7_9.1.noarch.rpm\n\nx86_64:\nhttpd-2.4.6-97.el7_9.1.x86_64.rpm\nhttpd-debuginfo-2.4.6-97.el7_9.1.x86_64.rpm\nhttpd-devel-2.4.6-97.el7_9.1.x86_64.rpm\nhttpd-tools-2.4.6-97.el7_9.1.x86_64.rpm\nmod_ldap-2.4.6-97.el7_9.1.x86_64.rpm\nmod_proxy_html-2.4.6-97.el7_9.1.x86_64.rpm\nmod_session-2.4.6-97.el7_9.1.x86_64.rpm\nmod_ssl-2.4.6-97.el7_9.1.x86_64.rpm\n\nRed Hat Enterprise Linux Server AUS (v. 7.2):\n\nSource:\nhttpd-2.4.6-40.el7_2.7.src.rpm\n\nnoarch:\nhttpd-manual-2.4.6-40.el7_2.7.noarch.rpm\n\nx86_64:\nhttpd-2.4.6-40.el7_2.7.x86_64.rpm\nhttpd-debuginfo-2.4.6-40.el7_2.7.x86_64.rpm\nhttpd-devel-2.4.6-40.el7_2.7.x86_64.rpm\nhttpd-tools-2.4.6-40.el7_2.7.x86_64.rpm\nmod_ssl-2.4.6-40.el7_2.7.x86_64.rpm\n\nRed Hat Enterprise Linux Server AUS (v. 7.3):\n\nSource:\nhttpd-2.4.6-45.el7_3.6.src.rpm\n\nnoarch:\nhttpd-manual-2.4.6-45.el7_3.6.noarch.rpm\n\nx86_64:\nhttpd-2.4.6-45.el7_3.6.x86_64.rpm\nhttpd-debuginfo-2.4.6-45.el7_3.6.x86_64.rpm\nhttpd-devel-2.4.6-45.el7_3.6.x86_64.rpm\nhttpd-tools-2.4.6-45.el7_3.6.x86_64.rpm\nmod_ssl-2.4.6-45.el7_3.6.x86_64.rpm\n\nRed Hat Enterprise Linux Server AUS (v. 7.4):\n\nSource:\nhttpd-2.4.6-67.el7_4.7.src.rpm\n\nnoarch:\nhttpd-manual-2.4.6-67.el7_4.7.noarch.rpm\n\nx86_64:\nhttpd-2.4.6-67.el7_4.7.x86_64.rpm\nhttpd-debuginfo-2.4.6-67.el7_4.7.x86_64.rpm\nhttpd-devel-2.4.6-67.el7_4.7.x86_64.rpm\nhttpd-tools-2.4.6-67.el7_4.7.x86_64.rpm\nmod_session-2.4.6-67.el7_4.7.x86_64.rpm\nmod_ssl-2.4.6-67.el7_4.7.x86_64.rpm\n\nRed Hat Enterprise Linux Server AUS (v. 7.6):\n\nSource:\nhttpd-2.4.6-89.el7_6.2.src.rpm\n\nnoarch:\nhttpd-manual-2.4.6-89.el7_6.2.noarch.rpm\n\nx86_64:\nhttpd-2.4.6-89.el7_6.2.x86_64.rpm\nhttpd-debuginfo-2.4.6-89.el7_6.2.x86_64.rpm\nhttpd-devel-2.4.6-89.el7_6.2.x86_64.rpm\nhttpd-tools-2.4.6-89.el7_6.2.x86_64.rpm\nmod_session-2.4.6-89.el7_6.2.x86_64.rpm\nmod_ssl-2.4.6-89.el7_6.2.x86_64.rpm\n\nRed Hat Enterprise Linux Server E4S (v. 7.6):\n\nSource:\nhttpd-2.4.6-89.el7_6.2.src.rpm\n\nnoarch:\nhttpd-manual-2.4.6-89.el7_6.2.noarch.rpm\n\nppc64le:\nhttpd-2.4.6-89.el7_6.2.ppc64le.rpm\nhttpd-debuginfo-2.4.6-89.el7_6.2.ppc64le.rpm\nhttpd-devel-2.4.6-89.el7_6.2.ppc64le.rpm\nhttpd-tools-2.4.6-89.el7_6.2.ppc64le.rpm\nmod_session-2.4.6-89.el7_6.2.ppc64le.rpm\nmod_ssl-2.4.6-89.el7_6.2.ppc64le.rpm\n\nx86_64:\nhttpd-2.4.6-89.el7_6.2.x86_64.rpm\nhttpd-debuginfo-2.4.6-89.el7_6.2.x86_64.rpm\nhttpd-devel-2.4.6-89.el7_6.2.x86_64.rpm\nhttpd-tools-2.4.6-89.el7_6.2.x86_64.rpm\nmod_session-2.4.6-89.el7_6.2.x86_64.rpm\nmod_ssl-2.4.6-89.el7_6.2.x86_64.rpm\n\nRed Hat Enterprise Linux Server TUS (v. 7.6):\n\nSource:\nhttpd-2.4.6-89.el7_6.2.src.rpm\n\nnoarch:\nhttpd-manual-2.4.6-89.el7_6.2.noarch.rpm\n\nx86_64:\nhttpd-2.4.6-89.el7_6.2.x86_64.rpm\nhttpd-debuginfo-2.4.6-89.el7_6.2.x86_64.rpm\nhttpd-devel-2.4.6-89.el7_6.2.x86_64.rpm\nhttpd-tools-2.4.6-89.el7_6.2.x86_64.rpm\nmod_session-2.4.6-89.el7_6.2.x86_64.rpm\nmod_ssl-2.4.6-89.el7_6.2.x86_64.rpm\n\nRed Hat Enterprise Linux Server AUS (v. 7.7):\n\nSource:\nhttpd-2.4.6-90.el7_7.1.src.rpm\n\nnoarch:\nhttpd-manual-2.4.6-90.el7_7.1.noarch.rpm\n\nx86_64:\nhttpd-2.4.6-90.el7_7.1.x86_64.rpm\nhttpd-debuginfo-2.4.6-90.el7_7.1.x86_64.rpm\nhttpd-devel-2.4.6-90.el7_7.1.x86_64.rpm\nhttpd-tools-2.4.6-90.el7_7.1.x86_64.rpm\nmod_session-2.4.6-90.el7_7.1.x86_64.rpm\nmod_ssl-2.4.6-90.el7_7.1.x86_64.rpm\n\nRed Hat Enterprise Linux Server E4S (v. 7.7):\n\nSource:\nhttpd-2.4.6-90.el7_7.1.src.rpm\n\nnoarch:\nhttpd-manual-2.4.6-90.el7_7.1.noarch.rpm\n\nppc64le:\nhttpd-2.4.6-90.el7_7.1.ppc64le.rpm\nhttpd-debuginfo-2.4.6-90.el7_7.1.ppc64le.rpm\nhttpd-devel-2.4.6-90.el7_7.1.ppc64le.rpm\nhttpd-tools-2.4.6-90.el7_7.1.ppc64le.rpm\nmod_session-2.4.6-90.el7_7.1.ppc64le.rpm\nmod_ssl-2.4.6-90.el7_7.1.ppc64le.rpm\n\nx86_64:\nhttpd-2.4.6-90.el7_7.1.x86_64.rpm\nhttpd-debuginfo-2.4.6-90.el7_7.1.x86_64.rpm\nhttpd-devel-2.4.6-90.el7_7.1.x86_64.rpm\nhttpd-tools-2.4.6-90.el7_7.1.x86_64.rpm\nmod_session-2.4.6-90.el7_7.1.x86_64.rpm\nmod_ssl-2.4.6-90.el7_7.1.x86_64.rpm\n\nRed Hat Enterprise Linux Server TUS (v. 7.7):\n\nSource:\nhttpd-2.4.6-90.el7_7.1.src.rpm\n\nnoarch:\nhttpd-manual-2.4.6-90.el7_7.1.noarch.rpm\n\nx86_64:\nhttpd-2.4.6-90.el7_7.1.x86_64.rpm\nhttpd-debuginfo-2.4.6-90.el7_7.1.x86_64.rpm\nhttpd-devel-2.4.6-90.el7_7.1.x86_64.rpm\nhttpd-tools-2.4.6-90.el7_7.1.x86_64.rpm\nmod_session-2.4.6-90.el7_7.1.x86_64.rpm\nmod_ssl-2.4.6-90.el7_7.1.x86_64.rpm\n\nRed Hat Enterprise Linux Server (v. 7):\n\nSource:\nhttpd-2.4.6-97.el7_9.1.src.rpm\n\nnoarch:\nhttpd-manual-2.4.6-97.el7_9.1.noarch.rpm\n\nppc64:\nhttpd-2.4.6-97.el7_9.1.ppc64.rpm\nhttpd-debuginfo-2.4.6-97.el7_9.1.ppc64.rpm\nhttpd-devel-2.4.6-97.el7_9.1.ppc64.rpm\nhttpd-tools-2.4.6-97.el7_9.1.ppc64.rpm\nmod_session-2.4.6-97.el7_9.1.ppc64.rpm\nmod_ssl-2.4.6-97.el7_9.1.ppc64.rpm\n\nppc64le:\nhttpd-2.4.6-97.el7_9.1.ppc64le.rpm\nhttpd-debuginfo-2.4.6-97.el7_9.1.ppc64le.rpm\nhttpd-devel-2.4.6-97.el7_9.1.ppc64le.rpm\nhttpd-tools-2.4.6-97.el7_9.1.ppc64le.rpm\nmod_session-2.4.6-97.el7_9.1.ppc64le.rpm\nmod_ssl-2.4.6-97.el7_9.1.ppc64le.rpm\n\ns390x:\nhttpd-2.4.6-97.el7_9.1.s390x.rpm\nhttpd-debuginfo-2.4.6-97.el7_9.1.s390x.rpm\nhttpd-devel-2.4.6-97.el7_9.1.s390x.rpm\nhttpd-tools-2.4.6-97.el7_9.1.s390x.rpm\nmod_session-2.4.6-97.el7_9.1.s390x.rpm\nmod_ssl-2.4.6-97.el7_9.1.s390x.rpm\n\nx86_64:\nhttpd-2.4.6-97.el7_9.1.x86_64.rpm\nhttpd-debuginfo-2.4.6-97.el7_9.1.x86_64.rpm\nhttpd-devel-2.4.6-97.el7_9.1.x86_64.rpm\nhttpd-tools-2.4.6-97.el7_9.1.x86_64.rpm\nmod_session-2.4.6-97.el7_9.1.x86_64.rpm\nmod_ssl-2.4.6-97.el7_9.1.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional AUS (v. 7.2):\n\nx86_64:\nhttpd-debuginfo-2.4.6-40.el7_2.7.x86_64.rpm\nmod_ldap-2.4.6-40.el7_2.7.x86_64.rpm\nmod_proxy_html-2.4.6-40.el7_2.7.x86_64.rpm\nmod_session-2.4.6-40.el7_2.7.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional AUS (v. 7.3):\n\nx86_64:\nhttpd-debuginfo-2.4.6-45.el7_3.6.x86_64.rpm\nmod_ldap-2.4.6-45.el7_3.6.x86_64.rpm\nmod_proxy_html-2.4.6-45.el7_3.6.x86_64.rpm\nmod_session-2.4.6-45.el7_3.6.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional AUS (v. 7.4):\n\nx86_64:\nhttpd-debuginfo-2.4.6-67.el7_4.7.x86_64.rpm\nmod_ldap-2.4.6-67.el7_4.7.x86_64.rpm\nmod_proxy_html-2.4.6-67.el7_4.7.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional AUS (v. 7.6):\n\nx86_64:\nhttpd-debuginfo-2.4.6-89.el7_6.2.x86_64.rpm\nmod_ldap-2.4.6-89.el7_6.2.x86_64.rpm\nmod_proxy_html-2.4.6-89.el7_6.2.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional E4S (v. 7.6):\n\nppc64le:\nhttpd-debuginfo-2.4.6-89.el7_6.2.ppc64le.rpm\nmod_ldap-2.4.6-89.el7_6.2.ppc64le.rpm\nmod_proxy_html-2.4.6-89.el7_6.2.ppc64le.rpm\n\nx86_64:\nhttpd-debuginfo-2.4.6-89.el7_6.2.x86_64.rpm\nmod_ldap-2.4.6-89.el7_6.2.x86_64.rpm\nmod_proxy_html-2.4.6-89.el7_6.2.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional TUS (v. 7.6):\n\nx86_64:\nhttpd-debuginfo-2.4.6-89.el7_6.2.x86_64.rpm\nmod_ldap-2.4.6-89.el7_6.2.x86_64.rpm\nmod_proxy_html-2.4.6-89.el7_6.2.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional AUS (v. 7.7):\n\nx86_64:\nhttpd-debuginfo-2.4.6-90.el7_7.1.x86_64.rpm\nmod_ldap-2.4.6-90.el7_7.1.x86_64.rpm\nmod_proxy_html-2.4.6-90.el7_7.1.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional E4S (v. 7.6):\n\nppc64le:\nhttpd-debuginfo-2.4.6-90.el7_7.1.ppc64le.rpm\nmod_ldap-2.4.6-90.el7_7.1.ppc64le.rpm\nmod_proxy_html-2.4.6-90.el7_7.1.ppc64le.rpm\n\nx86_64:\nhttpd-debuginfo-2.4.6-90.el7_7.1.x86_64.rpm\nmod_ldap-2.4.6-90.el7_7.1.x86_64.rpm\nmod_proxy_html-2.4.6-90.el7_7.1.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional TUS (v. 7.7):\n\nx86_64:\nhttpd-debuginfo-2.4.6-90.el7_7.1.x86_64.rpm\nmod_ldap-2.4.6-90.el7_7.1.x86_64.rpm\nmod_proxy_html-2.4.6-90.el7_7.1.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 7):\n\nppc64:\nhttpd-debuginfo-2.4.6-97.el7_9.1.ppc64.rpm\nmod_ldap-2.4.6-97.el7_9.1.ppc64.rpm\nmod_proxy_html-2.4.6-97.el7_9.1.ppc64.rpm\n\nppc64le:\nhttpd-debuginfo-2.4.6-97.el7_9.1.ppc64le.rpm\nmod_ldap-2.4.6-97.el7_9.1.ppc64le.rpm\nmod_proxy_html-2.4.6-97.el7_9.1.ppc64le.rpm\n\ns390x:\nhttpd-debuginfo-2.4.6-97.el7_9.1.s390x.rpm\nmod_ldap-2.4.6-97.el7_9.1.s390x.rpm\nmod_proxy_html-2.4.6-97.el7_9.1.s390x.rpm\n\nx86_64:\nhttpd-debuginfo-2.4.6-97.el7_9.1.x86_64.rpm\nmod_ldap-2.4.6-97.el7_9.1.x86_64.rpm\nmod_proxy_html-2.4.6-97.el7_9.1.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation (v. 7):\n\nSource:\nhttpd-2.4.6-97.el7_9.1.src.rpm\n\nnoarch:\nhttpd-manual-2.4.6-97.el7_9.1.noarch.rpm\n\nx86_64:\nhttpd-2.4.6-97.el7_9.1.x86_64.rpm\nhttpd-debuginfo-2.4.6-97.el7_9.1.x86_64.rpm\nhttpd-devel-2.4.6-97.el7_9.1.x86_64.rpm\nhttpd-tools-2.4.6-97.el7_9.1.x86_64.rpm\nmod_session-2.4.6-97.el7_9.1.x86_64.rpm\nmod_ssl-2.4.6-97.el7_9.1.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 7):\n\nx86_64:\nhttpd-debuginfo-2.4.6-97.el7_9.1.x86_64.rpm\nmod_ldap-2.4.6-97.el7_9.1.x86_64.rpm\nmod_proxy_html-2.4.6-97.el7_9.1.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2021-40438\nhttps://access.redhat.com/security/updates/classification/#important\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2021 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBYWfxl9zjgjWX9erEAQiHUQ//augswljuYjRC9IwK5XgDLjrigqEshGaa\nv5C3gfY1a4SwE/x0FQCawiBmh+8VMv5as3c0eeU5C6QB/05BSBycgboIZG3H6HdF\nsNOxNzkcG6WmooNZNJ0/c/ykvkn0tRq812yzDTxr2IB3+LxH5cYaw9wQnt62l3yF\ngjtWedH9xntGpqrVK17NVe/o9Jg4tL0CEPDk+NrbXeSgwnAnLKsLjpwQT72+GVJx\nZLC9DYkFguzQN+wckKPRfxGtce0GtuXHkpEShCnH32RPrNyImFMn/Nc8IyOmTadT\njCd07H2MNH6+Txxt6dh2aI+SI5JwdeGRNP7IXs86H+KPNZhphS/BqFt3qHGTsw4l\n3f6jGfywbWfNdLw+s0qHaWvJ2ZgTw7O1QPncfozKn8cU3Rw9OunN+r2yVTcU3KW9\n0ZGHpej56UhthE1qqS5vQjUPQ6SQgC1QHGDNgYkZk0mqIL3Vkv6gEqIF8TH4ezxZ\nLhZcY3N6HI5LC7568idurO0uLTdjPZq8+xMmDDAXA4QvIxOsOk6x4Rf1dzCtDpGo\nQSzxx6a6uYXF7EWIlkaR/qY5zcyk4i8aJN8yzrxu6oNulVSIsSuMnb00SIOk8cX7\nlUt5V1/RhnWSRytHE5Tz68PyfNyqgJwFDg8D/p0nxZE1Q3tXmgtLwPOY0l2zkkjB\n95kGnxWCYaA=\n=gPcK\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n. 8) - aarch64, noarch, ppc64le, s390x, x86_64\n\n3. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. This software, such as Apache HTTP Server, is\ncommon to multiple JBoss middleware products, and is packaged under Red Hat\nJBoss Core Services to allow for faster distribution of updates, and for a\nmore consistent update experience. Refer to the Release Notes for information on the security fix\nincluded in this release. Solution:\n\nBefore applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on. \n\nThe References section of this erratum contains a download link for the\nupdate. You must be logged in to download the update. ==========================================================================\nUbuntu Security Notice USN-5090-4\nSeptember 28, 2021\n\napache2 regression\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 16.04 ESM\n\nSummary:\n\nUSN-5090-1 introduced a regression in Apache HTTP Server. One of the upstream\nfixes introduced a regression in UDS URIs. This update fixes the problem. \n\nOriginal advisory details:\n\n James Kettle discovered that the Apache HTTP Server HTTP/2 module\n incorrectly handled certain crafted methods. A remote attacker could\n possibly use this issue to perform request splitting or cache poisoning\n attacks. \n (CVE-2021-34798)\n \n Li Zhi Xin discovered that the Apache mod_proxy_uwsgi module incorrectly\n handled certain request uri-paths. \n This issue only affected Ubuntu 20.04 LTS and Ubuntu 21.04. If the server was configured with third-party modules, a remote\n attacker could use this issue to cause the server to crash, resulting in a\n denial of service, or possibly execute arbitrary code. (CVE-2021-39275)\n \n It was discovered that the Apache mod_proxy module incorrectly handled\n certain request uri-paths. \n (CVE-2021-40438)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 16.04 ESM:\n apache2 2.4.18-2ubuntu3.17+esm3\n apache2-bin 2.4.18-2ubuntu3.17+esm3\n\nIn general, a standard system update will make all the necessary changes",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-40438"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-004150"
},
{
"db": "ZDI",
"id": "ZDI-24-812"
},
{
"db": "CNVD",
"id": "CNVD-2022-03224"
},
{
"db": "VULHUB",
"id": "VHN-401786"
},
{
"db": "VULMON",
"id": "CVE-2021-40438"
},
{
"db": "PACKETSTORM",
"id": "164513"
},
{
"db": "PACKETSTORM",
"id": "164493"
},
{
"db": "PACKETSTORM",
"id": "164505"
},
{
"db": "PACKETSTORM",
"id": "164448"
},
{
"db": "PACKETSTORM",
"id": "164443"
},
{
"db": "PACKETSTORM",
"id": "164305"
},
{
"db": "PACKETSTORM",
"id": "164329"
}
],
"trust": 3.6
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-40438",
"trust": 4.6
},
{
"db": "SIEMENS",
"id": "SSA-685781",
"trust": 1.7
},
{
"db": "TENABLE",
"id": "TNS-2021-17",
"trust": 1.7
},
{
"db": "JVNDB",
"id": "JVNDB-2021-004150",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-22691",
"trust": 0.7
},
{
"db": "ZDI",
"id": "ZDI-24-812",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2022-03224",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "168072",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "164513",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "164505",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "164448",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "164329",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "164460",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "164318",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.4004.7",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.4004.2",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3591",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3229",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3250",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3482",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3429",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.4004.5",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3784",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3387",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3341",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3524",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.4004.3",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3373",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.2978",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3366",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3357",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3148",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021101005",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022041953",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021091707",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021112904",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021101340",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021101922",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022011836",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022060811",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022042112",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021101906",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021102601",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021092301",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021101116",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021111732",
"trust": 0.6
},
{
"db": "ICS CERT",
"id": "ICSA-22-167-06",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1094",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-401786",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2021-40438",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "164493",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "164443",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "164305",
"trust": 0.1
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-24-812"
},
{
"db": "CNVD",
"id": "CNVD-2022-03224"
},
{
"db": "VULHUB",
"id": "VHN-401786"
},
{
"db": "VULMON",
"id": "CVE-2021-40438"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-004150"
},
{
"db": "PACKETSTORM",
"id": "164513"
},
{
"db": "PACKETSTORM",
"id": "164493"
},
{
"db": "PACKETSTORM",
"id": "164505"
},
{
"db": "PACKETSTORM",
"id": "164448"
},
{
"db": "PACKETSTORM",
"id": "164443"
},
{
"db": "PACKETSTORM",
"id": "164305"
},
{
"db": "PACKETSTORM",
"id": "164329"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1094"
},
{
"db": "NVD",
"id": "CVE-2021-40438"
}
]
},
"id": "VAR-202109-1802",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-03224"
},
{
"db": "VULHUB",
"id": "VHN-401786"
}
],
"trust": 1.3031922749999998
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-03224"
}
]
},
"last_update_date": "2024-11-29T20:14:24.364000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "hitachi-sec-2021-139",
"trust": 0.8,
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"title": "Hewlett Packard Enterprise has issued an update to correct this vulnerability.",
"trust": 0.7,
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04586en_us\u0026docLocale=en_US"
},
{
"title": "Patch for Apache HTTP Server mod_proxy server request forgery vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/313356"
},
{
"title": "Apache HTTP Server Fixes for code issue vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=178533"
},
{
"title": "Red Hat: CVE-2021-40438",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=CVE-2021-40438"
},
{
"title": "Debian Security Advisories: DSA-4982-1 apache2 -- security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=93a29f7ecf9a6aaba79d3b3320aa4b85"
},
{
"title": "Arch Linux Issues: ",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues\u0026qid=CVE-2021-40438 log"
},
{
"title": "Hitachi Security Advisories: Vulnerability in Hitachi Command Suite, Hitachi Ops Center API Configuration Manager\u00ef\u00bc\u0152Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=hitachi_security_advisories\u0026qid=hitachi-sec-2021-139"
},
{
"title": "Tenable Security Advisories: [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.16.0 to 5.19.1: Patch 202110.1",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=tenable_security_advisories\u0026qid=TNS-2021-17"
},
{
"title": "Amazon Linux AMI: ALAS-2021-1543",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2021-1543"
},
{
"title": "Amazon Linux 2: ALAS2-2021-1716",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=ALAS2-2021-1716"
},
{
"title": "Cisco: Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts\u0026qid=cisco-sa-apache-httpd-2.4.49-VWL69sWQ"
},
{
"title": "CVE-2021-40438 exploit PoC with Docker setup",
"trust": 0.1,
"url": "https://github.com/sixpacksecurity/CVE-2021-40438 "
},
{
"title": "CVE-2021-40438",
"trust": 0.1,
"url": "https://github.com/gassara-kys/CVE-2021-40438 "
},
{
"title": "CVE-2021-40438",
"trust": 0.1,
"url": "https://github.com/Kashkovsky/CVE-2021-40438 "
},
{
"title": "scan_ssrf.sh",
"trust": 0.1,
"url": "https://github.com/vsh00t/BB-PoC "
},
{
"title": "CVE-2021-40438",
"trust": 0.1,
"url": "https://github.com/xiaojiangxl/CVE-2021-40438 "
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-24-812"
},
{
"db": "CNVD",
"id": "CNVD-2022-03224"
},
{
"db": "VULMON",
"id": "CVE-2021-40438"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-004150"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1094"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-918",
"trust": 1.1
},
{
"problemtype": "Server-side request forgery (CWE-918) [NVD Evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-401786"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-004150"
},
{
"db": "NVD",
"id": "CVE-2021-40438"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.3,
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"trust": 2.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-40438"
},
{
"trust": 1.7,
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdf"
},
{
"trust": 1.7,
"url": "https://security.netapp.com/advisory/ntap-20211008-0004/"
},
{
"trust": 1.7,
"url": "https://www.tenable.com/security/tns-2021-17"
},
{
"trust": 1.7,
"url": "https://www.debian.org/security/2021/dsa-4982"
},
{
"trust": 1.7,
"url": "https://security.gentoo.org/glsa/202208-20"
},
{
"trust": 1.7,
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"trust": 1.7,
"url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00001.html"
},
{
"trust": 1.1,
"url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-apache-httpd-2.4.49-vwl69swq"
},
{
"trust": 1.1,
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"trust": 1.1,
"url": "https://access.redhat.com/security/cve/cve-2021-40438"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697%40%3cusers.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37%40%3cbugs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c%40%3cusers.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r210807d0bb55f4aa6fbe1512be6bcc4dacd64e84940429fba329967a%40%3cusers.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/spbr6wuybjnachke65spl7tjohx7rhwd/"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rf6954e60b1c8e480678ce3d02f61b8a788997785652e9557a3265c00%40%3cusers.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029%40%3cusers.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/zncysr3bxt36fff4xtcpl3hdqk4vp45r/"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432%40%3cusers.httpd.apache.org%3e"
},
{
"trust": 0.7,
"url": "https://support.hpe.com/hpesc/public/docdisplay?docid=hpesbgn04586en_us\u0026doclocale=en_us"
},
{
"trust": 0.7,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/spbr6wuybjnachke65spl7tjohx7rhwd/"
},
{
"trust": 0.7,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/zncysr3bxt36fff4xtcpl3hdqk4vp45r/"
},
{
"trust": 0.6,
"url": "httpd.apache.org%3e"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37@%3cbugs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/rf6954e60b1c8e480678ce3d02f61b8a788997785652e9557a3265c00@%3cusers."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029@%3cusers."
},
{
"trust": 0.6,
"url": "httpd-2.4.49-vwl69swq"
},
{
"trust": 0.6,
"url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-apache-"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r210807d0bb55f4aa6fbe1512be6bcc4dacd64e84940429fba329967a@%3cusers."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697@%3cusers."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c@%3cusers."
},
{
"trust": 0.6,
"url": "httpd.apache.org/security/vulnerabilities_24.html"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432@%3cusers."
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/164505/red-hat-security-advisory-2021-3836-01.html"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021101906"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3229"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021112904"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3524"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022041953"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/support/pages/node/6528442"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021111732"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3429"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/164448/red-hat-security-advisory-2021-3746-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3373"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3357"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3250"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3591"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021102601"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/168072/gentoo-linux-security-advisory-202208-20.html"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021101116"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4004.7"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/164318/ubuntu-security-notice-usn-5090-3.html"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/support/pages/node/6520016"
},
{
"trust": 0.6,
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-22-167-06"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.2978"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/164460/red-hat-security-advisory-2021-3754-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4004.3"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4004.2"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4004.5"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/support/pages/node/6493841"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022042112"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022060811"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021092301"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3387"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3341"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021101922"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/164329/ubuntu-security-notice-usn-5090-4.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3148"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/164513/red-hat-security-advisory-2021-3856-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3366"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3784"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022011836"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021101340"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021091707"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/apache-http-server-four-vulnerabilities-36444"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3482"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021101005"
},
{
"trust": 0.5,
"url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.5,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33193"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-34798"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-39275"
},
{
"trust": 0.2,
"url": "https://ubuntu.com/security/notices/usn-5090-1"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-36160"
},
{
"trust": 0.1,
"url": "https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37@%3cbugs.httpd.apache.org%3e"
},
{
"trust": 0.1,
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029@%3cusers.httpd.apache.org%3e"
},
{
"trust": 0.1,
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c@%3cusers.httpd.apache.org%3e"
},
{
"trust": 0.1,
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697@%3cusers.httpd.apache.org%3e"
},
{
"trust": 0.1,
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432@%3cusers.httpd.apache.org%3e"
},
{
"trust": 0.1,
"url": "https://lists.apache.org/thread.html/rf6954e60b1c8e480678ce3d02f61b8a788997785652e9557a3265c00@%3cusers.httpd.apache.org%3e"
},
{
"trust": 0.1,
"url": "https://lists.apache.org/thread.html/r210807d0bb55f4aa6fbe1512be6bcc4dacd64e84940429fba329967a@%3cusers.httpd.apache.org%3e"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:3856"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:3816"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-26691"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-26691"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:3836"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:3746"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:3745"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/apache2/2.4.29-1ubuntu4.17"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.5"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/apache2/2.4.46-4ubuntu1.2"
},
{
"trust": 0.1,
"url": "https://launchpad.net/bugs/xxxxxx"
},
{
"trust": 0.1,
"url": "https://ubuntu.com/security/notices/usn-5090-4"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-24-812"
},
{
"db": "CNVD",
"id": "CNVD-2022-03224"
},
{
"db": "VULHUB",
"id": "VHN-401786"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-004150"
},
{
"db": "PACKETSTORM",
"id": "164513"
},
{
"db": "PACKETSTORM",
"id": "164493"
},
{
"db": "PACKETSTORM",
"id": "164505"
},
{
"db": "PACKETSTORM",
"id": "164448"
},
{
"db": "PACKETSTORM",
"id": "164443"
},
{
"db": "PACKETSTORM",
"id": "164305"
},
{
"db": "PACKETSTORM",
"id": "164329"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1094"
},
{
"db": "NVD",
"id": "CVE-2021-40438"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-24-812"
},
{
"db": "CNVD",
"id": "CNVD-2022-03224"
},
{
"db": "VULHUB",
"id": "VHN-401786"
},
{
"db": "VULMON",
"id": "CVE-2021-40438"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-004150"
},
{
"db": "PACKETSTORM",
"id": "164513"
},
{
"db": "PACKETSTORM",
"id": "164493"
},
{
"db": "PACKETSTORM",
"id": "164505"
},
{
"db": "PACKETSTORM",
"id": "164448"
},
{
"db": "PACKETSTORM",
"id": "164443"
},
{
"db": "PACKETSTORM",
"id": "164305"
},
{
"db": "PACKETSTORM",
"id": "164329"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1094"
},
{
"db": "NVD",
"id": "CVE-2021-40438"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2024-06-18T00:00:00",
"db": "ZDI",
"id": "ZDI-24-812"
},
{
"date": "2022-01-13T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-03224"
},
{
"date": "2021-09-16T00:00:00",
"db": "VULHUB",
"id": "VHN-401786"
},
{
"date": "2021-09-16T00:00:00",
"db": "VULMON",
"id": "CVE-2021-40438"
},
{
"date": "2021-11-16T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-004150"
},
{
"date": "2021-10-14T15:26:45",
"db": "PACKETSTORM",
"id": "164513"
},
{
"date": "2021-10-13T14:52:48",
"db": "PACKETSTORM",
"id": "164493"
},
{
"date": "2021-10-13T15:23:01",
"db": "PACKETSTORM",
"id": "164505"
},
{
"date": "2021-10-08T15:22:49",
"db": "PACKETSTORM",
"id": "164448"
},
{
"date": "2021-10-08T15:12:22",
"db": "PACKETSTORM",
"id": "164443"
},
{
"date": "2021-09-28T15:06:35",
"db": "PACKETSTORM",
"id": "164305"
},
{
"date": "2021-09-29T14:50:01",
"db": "PACKETSTORM",
"id": "164329"
},
{
"date": "2021-09-16T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202109-1094"
},
{
"date": "2021-09-16T15:15:07.633000",
"db": "NVD",
"id": "CVE-2021-40438"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2024-08-15T00:00:00",
"db": "ZDI",
"id": "ZDI-24-812"
},
{
"date": "2022-01-13T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-03224"
},
{
"date": "2022-10-05T00:00:00",
"db": "VULHUB",
"id": "VHN-401786"
},
{
"date": "2023-11-07T00:00:00",
"db": "VULMON",
"id": "CVE-2021-40438"
},
{
"date": "2021-11-16T05:31:00",
"db": "JVNDB",
"id": "JVNDB-2021-004150"
},
{
"date": "2022-08-16T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202109-1094"
},
{
"date": "2024-11-21T06:24:06.787000",
"db": "NVD",
"id": "CVE-2021-40438"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "164305"
},
{
"db": "PACKETSTORM",
"id": "164329"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1094"
}
],
"trust": 0.8
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache\u00a0HTTP\u00a0Server\u00a0 Vulnerability in which a request is forwarded to a remote user\u0027s selected origin server in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-004150"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "code problem",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202109-1094"
}
],
"trust": 0.6
}
}
var-202103-1463
Vulnerability from variot
The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j). OpenSSL is an open source general encryption library of the Openssl team that can implement the Secure Sockets Layer (SSLv2/v3) and Transport Layer Security (TLSv1) protocols. The product supports a variety of encryption algorithms, including symmetric ciphers, hash algorithms, secure hash algorithms, etc. On March 25, 2021, the OpenSSL Project released a security advisory, OpenSSL Security Advisory [25 March 2021], that disclosed two vulnerabilities. Exploitation of these vulnerabilities could allow an malicious user to use a valid non-certificate authority (CA) certificate to act as a CA and sign a certificate for an arbitrary organization, user or device, or to cause a denial of service (DoS) condition. This advisory is available at the following link:tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd.
This issue was reported to OpenSSL on 18th March 2021 by Benjamin Kaduk from Akamai and was discovered by Xiang Ding and others at Akamai. The fix was developed by Tomáš Mráz.
NULL pointer deref in signature_algorithms processing (CVE-2021-3449)
Severity: High
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack.
A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration).
This issue was reported to OpenSSL on 17th March 2021 by Nokia. The fix was developed by Peter Kästle and Samuel Sapalski from Nokia.
Note
OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended support is available for premium support customers: https://www.openssl.org/support/contracts.html
OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind.
References
URL for this Security Advisory: https://www.openssl.org/news/secadv/20210325.txt
Note: the online version of the advisory may be updated with additional details over time.
For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/secpolicy.html .
Bug Fix(es):
This update includes various bug fixes and enhancements. Bugs fixed (https://bugzilla.redhat.com/):
1803849 - [RFE] Include per volume encryption with Vault integration in RHCS 4.1 1814681 - [RFE] use topologySpreadConstraints to evenly spread OSDs across hosts 1840004 - CVE-2020-7608 nodejs-yargs-parser: prototype pollution vulnerability 1850089 - OBC CRD is outdated and leads to missing columns in get queries 1860594 - Toolbox pod should have toleration for OCS tainted nodes 1861104 - OCS podDisruptionBudget prevents successful OCP upgrades 1861878 - [RFE] use appropriate PDB values for OSD 1866301 - [RHOCS Usability Study][Installation] “Create storage cluster” should be a part of the installation flow or need to be emphasized as a crucial step. 1915261 - Deleted MCG CRs are stuck in a 'Deleting' state 1915445 - Uninstall 4.7: Storagecluster deletion stuck on a partially created KMS enabled OCS cluster + support TLS configuration for KMS 1915644 - update noobaa db label in must-gather to collect db pod in noobaa dir 1915698 - There is missing noobaa-core-0 pod after upgrade from OCS 4.6 to OCS 4.7 1915706 - [Azure][RBD] PV taking longer time ~ 9 minutes to get deleted 1915730 - [ocs-operator] Create public route for ceph-rgw service 1915737 - Improve ocs-operator logging during uninstall to be more verbose, to understand reasons for failures - e.g. In addition to persistent storage, Red Hat OpenShift Container Storage provisions a multicloud data management service with an S3 compatible API.
Security Fix(es):
- NooBaa: noobaa-operator leaking RPC AuthToken into log files (CVE-2021-3528)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
-
Currently, a newly restored PVC cannot be mounted if some of the OpenShift Container Platform nodes are running on a version of Red Hat Enterprise Linux which is less than 8.2, and the snapshot from which the PVC was restored is deleted. Workaround: Do not delete the snapshot from which the PVC was restored until the restored PVC is deleted. (BZ#1962483)
-
Previously, the default backingstore was not created on AWS S3 when OpenShift Container Storage was deployed, due to incorrect identification of AWS S3. With this update, the default backingstore gets created when OpenShift Container Storage is deployed on AWS S3. (BZ#1927307)
-
Previously, log messages were printed to the endpoint pod log even if the debug option was not set. With this update, the log messages are printed to the endpoint pod log only when the debug option is set. (BZ#1938106)
-
Previously, the PVCs could not be provisioned as the
rook-ceph-mdsdid not register the pod IP on the monitor servers, and hence every mount on the filesystem timed out, resulting in CephFS volume provisioning failure. With this update, an argument--public-addr=podIPis added to the MDS pod when the host network is not enabled, and hence the CephFS volume provisioning does not fail. (BZ#1949558) -
Previously, OpenShift Container Storage 4.2 clusters were not updated with the correct cache value, and hence MDSs in standby-replay might report an oversized cache, as rook did not apply the
mds_cache_memory_limitargument during upgrades. With this update, themds_cache_memory_limitargument is applied during upgrades and the mds daemon operates normally. (BZ#1951348) -
Previously, the coredumps were not generated in the correct location as rook was setting the config option
log_fileto an empty string since logging happened on stdout and not on the files, and hence Ceph read the value of thelog_fileto build the dump path. With this update, rook does not set thelog_fileand keeps Ceph's internal default, and hence the coredumps are generated in the correct location and are accessible under/var/log/ceph/. (BZ#1938049) -
Previously, Ceph became inaccessible, as the mons lose quorum if a mon pod was drained while another mon was failing over. With this update, voluntary mon drains are prevented while a mon is failing over, and hence Ceph does not become inaccessible. (BZ#1946573)
-
Previously, the mon quorum was at risk, as the operator could erroneously remove the new mon if the operator was restarted during a mon failover. With this update, the operator completes the same mon failover after the operator is restarted, and hence the mon quorum is more reliable in the node drains and mon failover scenarios. Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
1938106 - [GSS][RFE]Reduce debug level for logs of Nooba Endpoint pod 1950915 - XSS Vulnerability with Noobaa version 5.5.0-3bacc6b 1951348 - [GSS][CephFS] health warning "MDS cache is too large (3GB/1GB); 0 inodes in use by clients, 0 stray files" for the standby-replay 1951600 - [4.6.z][Clone of BZ #1936545] setuid and setgid file bits are not retained after a OCS CephFS CSI restore 1955601 - CVE-2021-3528 NooBaa: noobaa-operator leaking RPC AuthToken into log files 1957189 - [Rebase] Use RHCS4.2z1 container image with OCS 4..6.5[may require doc update for external mode min supported RHCS version] 1959980 - When a node is being drained, increase the mon failover timeout to prevent unnecessary mon failover 1959983 - [GSS][mon] rook-operator scales mons to 4 after healthCheck timeout 1962483 - [RHEL7][RBD][4.6.z clone] FailedMount error when using restored PVC on app pod
- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
===================================================================== Red Hat Security Advisory
Synopsis: Moderate: OpenShift Container Platform 4.10.3 security update Advisory ID: RHSA-2022:0056-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2022:0056 Issue date: 2022-03-10 CVE Names: CVE-2014-3577 CVE-2016-10228 CVE-2017-14502 CVE-2018-20843 CVE-2018-1000858 CVE-2019-8625 CVE-2019-8710 CVE-2019-8720 CVE-2019-8743 CVE-2019-8764 CVE-2019-8766 CVE-2019-8769 CVE-2019-8771 CVE-2019-8782 CVE-2019-8783 CVE-2019-8808 CVE-2019-8811 CVE-2019-8812 CVE-2019-8813 CVE-2019-8814 CVE-2019-8815 CVE-2019-8816 CVE-2019-8819 CVE-2019-8820 CVE-2019-8823 CVE-2019-8835 CVE-2019-8844 CVE-2019-8846 CVE-2019-9169 CVE-2019-13050 CVE-2019-13627 CVE-2019-14889 CVE-2019-15903 CVE-2019-19906 CVE-2019-20454 CVE-2019-20807 CVE-2019-25013 CVE-2020-1730 CVE-2020-3862 CVE-2020-3864 CVE-2020-3865 CVE-2020-3867 CVE-2020-3868 CVE-2020-3885 CVE-2020-3894 CVE-2020-3895 CVE-2020-3897 CVE-2020-3899 CVE-2020-3900 CVE-2020-3901 CVE-2020-3902 CVE-2020-8927 CVE-2020-9802 CVE-2020-9803 CVE-2020-9805 CVE-2020-9806 CVE-2020-9807 CVE-2020-9843 CVE-2020-9850 CVE-2020-9862 CVE-2020-9893 CVE-2020-9894 CVE-2020-9895 CVE-2020-9915 CVE-2020-9925 CVE-2020-9952 CVE-2020-10018 CVE-2020-11793 CVE-2020-13434 CVE-2020-14391 CVE-2020-15358 CVE-2020-15503 CVE-2020-25660 CVE-2020-25677 CVE-2020-27618 CVE-2020-27781 CVE-2020-29361 CVE-2020-29362 CVE-2020-29363 CVE-2021-3121 CVE-2021-3326 CVE-2021-3449 CVE-2021-3450 CVE-2021-3516 CVE-2021-3517 CVE-2021-3518 CVE-2021-3520 CVE-2021-3521 CVE-2021-3537 CVE-2021-3541 CVE-2021-3733 CVE-2021-3749 CVE-2021-20305 CVE-2021-21684 CVE-2021-22946 CVE-2021-22947 CVE-2021-25215 CVE-2021-27218 CVE-2021-30666 CVE-2021-30761 CVE-2021-30762 CVE-2021-33928 CVE-2021-33929 CVE-2021-33930 CVE-2021-33938 CVE-2021-36222 CVE-2021-37750 CVE-2021-39226 CVE-2021-41190 CVE-2021-43813 CVE-2021-44716 CVE-2021-44717 CVE-2022-0532 CVE-2022-21673 CVE-2022-24407 =====================================================================
- Summary:
Red Hat OpenShift Container Platform release 4.10.3 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
This advisory contains the container images for Red Hat OpenShift Container Platform 4.10.3. See the following advisory for the RPM packages for this release:
https://access.redhat.com/errata/RHSA-2022:0055
Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:
https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html
Security Fix(es):
- gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121)
- grafana: Snapshot authentication bypass (CVE-2021-39226)
- golang: net/http: limit growth of header canonicalization cache (CVE-2021-44716)
- nodejs-axios: Regular expression denial of service in trim function (CVE-2021-3749)
- golang: syscall: don't close fd 0 on ForkExec error (CVE-2021-44717)
- grafana: Forward OAuth Identity Token can allow users to access some data sources (CVE-2022-21673)
- grafana: directory traversal vulnerability (CVE-2021-43813)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
You may download the oc tool and use it to inspect release image metadata as follows:
(For x86_64 architecture)
$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.10.3-x86_64
The image digest is sha256:7ffe4cd612be27e355a640e5eec5cd8f923c1400d969fd590f806cffdaabcc56
(For s390x architecture)
$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.10.3-s390x
The image digest is sha256:4cf21a9399da1ce8427246f251ae5dedacfc8c746d2345f9cfe039ed9eda3e69
(For ppc64le architecture)
$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.10.3-ppc64le
The image digest is sha256:4ee571da1edf59dfee4473aa4604aba63c224bf8e6bcf57d048305babbbde93c
All OpenShift Container Platform 4.10 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html
- Solution:
For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for moderate instructions on how to upgrade your cluster and fully apply this asynchronous errata update:
https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html
Details on how to access this content are available at https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html
- Bugs fixed (https://bugzilla.redhat.com/):
1808240 - Always return metrics value for pods under the user's namespace
1815189 - feature flagged UI does not always become available after operator installation
1825034 - e2e: Mock CSI tests fail on IBM ROKS clusters
1826225 - edge terminated h2 (gRPC) connections need a haproxy template change to work correctly
1860774 - csr for vSphere egress nodes were not approved automatically during cert renewal
1878106 - token inactivity timeout is not shortened after oauthclient/oauth config values are lowered
1878925 - 'oc adm upgrade --to ...' rejects versions which occur only in history, while the cluster-version operator supports history fallback
1880738 - origin e2e test deletes original worker
1882983 - oVirt csi driver should refuse to provision RWX and ROX PV
1886450 - Keepalived router id check not documented for RHV/VMware IPI
1889488 - The metrics endpoint for the Scheduler is not protected by RBAC
1894431 - Router pods fail to boot if the SSL certificate applied is missing an empty line at the bottom
1896474 - Path based routing is broken for some combinations
1897431 - CIDR support for additional network attachment with the bridge CNI plug-in
1903408 - NodePort externalTrafficPolicy does not work for ovn-kubernetes
1907433 - Excessive logging in image operator
1909906 - The router fails with PANIC error when stats port already in use
1911173 - [MSTR-998] Many charts' legend names show {{}} instead of words
1914053 - pods assigned with Multus whereabouts IP get stuck in ContainerCreating state after node rebooting.
1916169 - a reboot while MCO is applying changes leaves the node in undesirable state and MCP looks fine (UPDATED=true)
1917893 - [ovirt] install fails: due to terraform error "Cannot attach Virtual Disk: Disk is locked" on vm resource
1921627 - GCP UPI installation failed due to exceeding gcp limitation of instance group name
1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
1926522 - oc adm catalog does not clean temporary files
1927478 - Default CatalogSources deployed by marketplace do not have toleration for tainted nodes.
1928141 - kube-storage-version-migrator constantly reporting type "Upgradeable" status Unknown
1928285 - [LSO][OCS][arbiter] OCP Console shows no results while in fact underlying setup of LSO localvolumeset and it's storageclass is not yet finished, confusing users
1931594 - [sig-cli] oc --request-timeout works as expected fails frequently on s390x
1933847 - Prometheus goes unavailable (both instances down) during 4.8 upgrade
1937085 - RHV UPI inventory playbook missing guarantee_memory
1937196 - [aws ebs csi driver] events for block volume expansion may cause confusion
1938236 - vsphere-problem-detector does not support overriding log levels via storage CR
1939401 - missed labels for CMO/openshift-state-metric/telemeter-client/thanos-querier pods
1939435 - Setting an IPv6 address in noProxy field causes error in openshift installer
1939552 - [sig-api-machinery] CustomResourcePublishOpenAPI [Privileged:ClusterAdmin] works for CRD preserving unknown fields in an embedded object [Conformance] [Suite:openshift/conformance/parallel/minimal] [Suite:k8s]
1942913 - ThanosSidecarUnhealthy isn't resilient to WAL replays.
1943363 - [ovn] CNO should gracefully terminate ovn-northd
1945274 - ostree-finalize-staged.service failed while upgrading a rhcos node to 4.6.17
1948080 - authentication should not set Available=False APIServices_Error with 503s
1949262 - Prometheus Statefulsets should have 2 replicas and hard affinity set
1949672 - [GCP] Update 4.8 UPI template to match ignition version: 3.2.0
1950827 - [LSO] localvolumediscoveryresult name is not friendly to customer
1952576 - csv_succeeded metric not present in olm-operator for all successful CSVs
1953264 - "remote error: tls: bad certificate" logs in prometheus-operator container
1955300 - Machine config operator reports unavailable for 23m during upgrade
1955489 - Alertmanager Statefulsets should have 2 replicas and hard affinity set
1955490 - Thanos ruler Statefulsets should have 2 replicas and hard affinity set
1955544 - [IPI][OSP] densed master-only installation with 0 workers fails due to missing worker security group on masters
1956496 - Needs SR-IOV Docs Upstream
1956739 - Permission for authorized_keys for core user changes from core user to root when changed the pull secret
1956776 - [vSphere] Installer should do pre-check to ensure user-provided network name is valid
1956964 - upload a boot-source to OpenShift virtualization using the console
1957547 - [RFE]VM name is not auto filled in dev console
1958349 - ovn-controller doesn't release the memory after cluster-density run
1959352 - [scale] failed to get pod annotation: timed out waiting for annotations
1960378 - icsp allows mirroring of registry root - install-config imageContentSources does not
1960674 - Broken test: [sig-imageregistry][Serial][Suite:openshift/registry/serial] Image signature workflow can push a signed image to openshift registry and verify it [Suite:openshift/conformance/serial]
1961317 - storage ClusterOperator does not declare ClusterRoleBindings in relatedObjects
1961391 - String updates
1961509 - DHCP daemon pod should have CPU and memory requests set but not limits
1962066 - Edit machine/machineset specs not working
1962206 - openshift-multus/dhcp-daemon set should meet platform requirements for update strategy that have maxUnavailable update of 10 or 33 percent
1963053 - oc whoami --show-console should show the web console URL, not the server api URL
1964112 - route SimpleAllocationPlugin: host name validation errors: spec.host: Invalid value: ... must be no more than 63 characters
1964327 - Support containers with name:tag@digest
1964789 - Send keys and disconnect does not work for VNC console
1965368 - ClusterQuotaAdmission received non-meta object - message constantly reported in OpenShift Container Platform 4.7
1966445 - Unmasking a service doesn't work if it masked using MCO
1966477 - Use GA version in KAS/OAS/OauthAS to avoid: "audit.k8s.io/v1beta1" is deprecated and will be removed in a future release, use "audit.k8s.io/v1" instead
1966521 - kube-proxy's userspace implementation consumes excessive CPU
1968364 - [Azure] when using ssh type ed25519 bootstrap fails to come up
1970021 - nmstate does not persist its configuration due to overlay systemd-connections-merged mount
1970218 - MCO writes incorrect file contents if compression field is specified
1970331 - [sig-auth][Feature:SCC][Early] should not have pod creation failures during install [Suite:openshift/conformance/parallel]
1970805 - Cannot create build when docker image url contains dir structure
1972033 - [azure] PV region node affinity is failure-domain.beta.kubernetes.io instead of topology.kubernetes.io
1972827 - image registry does not remain available during upgrade
1972962 - Should set the minimum value for the --max-icsp-size flag of oc adm catalog mirror
1973447 - ovn-dbchecker peak memory spikes to ~500MiB during cluster-density run
1975826 - ovn-kubernetes host directed traffic cannot be offloaded as CT zone 64000 is not established
1976301 - [ci] e2e-azure-upi is permafailing
1976399 - During the upgrade from OpenShift 4.5 to OpenShift 4.6 the election timers for the OVN north and south databases did not change.
1976674 - CCO didn't set Upgradeable to False when cco mode is configured to Manual on azure platform
1976894 - Unidling a StatefulSet does not work as expected
1977319 - [Hive] Remove stale cruft installed by CVO in earlier releases
1977414 - Build Config timed out waiting for condition 400: Bad Request
1977929 - [RFE] Display Network Attachment Definitions from openshift-multus namespace during OCS deployment via UI using Multus
1978528 - systemd-coredump started and failed intermittently for unknown reasons
1978581 - machine-config-operator: remove runlevel from mco namespace
1979562 - Cluster operators: don't show messages when neither progressing, degraded or unavailable
1979962 - AWS SDN Network Stress tests have not passed in 4.9 release-openshift-origin-installer-e2e-aws-sdn-network-stress-4.9
1979966 - OCP builds always fail when run on RHEL7 nodes
1981396 - Deleting pool inside pool page the pool stays in Ready phase in the heading
1981549 - Machine-config daemon does not recover from broken Proxy configuration
1981867 - [sig-cli] oc explain should contain proper fields description for special types [Suite:openshift/conformance/parallel]
1981941 - Terraform upgrade required in openshift-installer to resolve multiple issues
1982063 - 'Control Plane' is not translated in Simplified Chinese language in Home->Overview page
1982498 - Default registry credential path should be adjusted to use containers/auth.json for oc commands
1982662 - Workloads - DaemonSets - Add storage: i18n misses
1982726 - kube-apiserver audit logs show a lot of 404 errors for DELETE "/secrets/encryption-config" on single node clusters
1983758 - upgrades are failing on disruptive tests
1983964 - Need Device plugin configuration for the NIC "needVhostNet" & "isRdma"
1984592 - global pull secret not working in OCP4.7.4+ for additional private registries
1985073 - new-in-4.8 ExtremelyHighIndividualControlPlaneCPU fires on some GCP update jobs
1985486 - Cluster Proxy not used during installation on OSP with Kuryr
1985724 - VM Details Page missing translations
1985838 - [OVN] CNO exportNetworkFlows does not clear collectors when deleted
1985933 - Downstream image registry recommendation
1985965 - oVirt CSI driver does not report volume stats
1986216 - [scale] SNO: Slow Pod recovery due to "timed out waiting for OVS port binding"
1986237 - "MachineNotYetDeleted" in Pending state , alert not fired
1986239 - crictl create fails with "PID namespace requested, but sandbox infra container invalid"
1986302 - console continues to fetch prometheus alert and silences for normal user
1986314 - Current MTV installation for KubeVirt import flow creates unusable Forklift UI
1986338 - error creating list of resources in Import YAML
1986502 - yaml multi file dnd duplicates previous dragged files
1986819 - fix string typos for hot-plug disks
1987044 - [OCPV48] Shutoff VM is being shown as "Starting" in WebUI when using spec.runStrategy Manual/RerunOnFailure
1987136 - Declare operatorframework.io/arch. labels for all operators
1987257 - Go-http-client user-agent being used for oc adm mirror requests
1987263 - fsSpaceFillingUpWarningThreshold not aligned to Kubernetes Garbage Collection Threshold
1987445 - MetalLB integration: All gateway routers in the cluster answer ARP requests for LoadBalancer services IP
1988406 - SSH key dropped when selecting "Customize virtual machine" in UI
1988440 - Network operator changes ovnkube-config too early causing ovnkube-master pods to crashloop during cluster upgrade
1988483 - Azure drop ICMP need to frag FRAG when using OVN: openshift-apiserver becomes False after env runs some time due to communication between one master to pods on another master fails with "Unable to connect to the server"
1988879 - Virtual media based deployment fails on Dell servers due to pending Lifecycle Controller jobs
1989438 - expected replicas is wrong
1989502 - Developer Catalog is disappearing after short time
1989843 - 'More' and 'Show Less' functions are not translated on several page
1990014 - oc debug Upgradeable: false when HA workload is incorrectly spread
1996023 - kubernetes.io/hostname values are larger than filter when create localvolumeset from webconsole
1996108 - Allow backwards compatibility of shared gateway mode to inject host-based routes into OVN
1996624 - 100% of the cco-metrics/cco-metrics targets in openshift-cloud-credential-operator namespace are down
1996630 - Fail to delete the first Authorized SSH Key input box on Advanced page
1996647 - Provide more useful degraded message in auth operator on DNS errors
1996736 - Large number of 501 lr-policies in INCI2 env
1996886 - timedout waiting for flows during pod creation and ovn-controller pegged on worker nodes
1996916 - Special Resource Operator(SRO) - Fail to deploy simple-kmod on GCP
1996928 - Enable default operator indexes on ARM
1997028 - prometheus-operator update removes env var support for thanos-sidecar
1997059 - Failed to create cluster in AWS us-east-1 region due to a local zone is used
1997226 - Ingresscontroller reconcilations failing but not shown in operator logs or status of ingresscontroller.
1997245 - "Subscription already exists in openshift-storage namespace" error message is seen while installing odf-operator via UI
1997269 - Have to refresh console to install kube-descheduler
1997478 - Storage operator is not available after reboot cluster instances
1997509 - flake: [sig-cli] oc builds new-build [Skipped:Disconnected] [Suite:openshift/conformance/parallel]
1997967 - storageClass is not reserved from default wizard to customize wizard
1998035 - openstack IPI CI: custom var-lib-etcd.mount (ramdisk) unit is racing due to incomplete After/Before order
1998038 - [e2e][automation] add tests for UI for VM disk hot-plug
1998087 - Fix CephHealthCheck wrapping contents and add data-tests for HealthItem and SecondaryStatus
1998174 - Create storageclass gp3-csi after install ocp cluster on aws
1998183 - "r: Bad Gateway" info is improper
1998235 - Firefox warning: Cookie “csrf-token” will be soon rejected
1998377 - Filesystem table head is not full displayed in disk tab
1998378 - Virtual Machine is 'Not available' in Home -> Overview -> Cluster inventory
1998519 - Add fstype when create localvolumeset instance on web console
1998951 - Keepalived conf ingress peer on in Dual stack cluster contains both IPv6 and IPv4 addresses
1999076 - [UI] Page Not Found error when clicking on Storage link provided in Overview page
1999079 - creating pods before sriovnetworknodepolicy sync up succeed will cause node unschedulable
1999091 - Console update toast notification can appear multiple times
1999133 - removing and recreating static pod manifest leaves pod in error state
1999246 - .indexignore is not ingore when oc command load dc configuration
1999250 - ArgoCD in GitOps operator can't manage namespaces
1999255 - ovnkube-node always crashes out the first time it starts
1999261 - ovnkube-node log spam (and security token leak?)
1999309 - While installing odf-operator via UI, web console update pop-up navigates to OperatorHub -> Operator Installation page
1999314 - console-operator is slow to mark Degraded as False once console starts working
1999425 - kube-apiserver with "[SHOULD NOT HAPPEN] failed to update managedFields" err="failed to convert new object (machine.openshift.io/v1beta1, Kind=MachineHealthCheck)
1999556 - "master" pool should be updated before the CVO reports available at the new version occurred
1999578 - AWS EFS CSI tests are constantly failing
1999603 - Memory Manager allows Guaranteed QoS Pod with hugepages requested is exactly equal to the left over Hugepages
1999619 - cloudinit is malformatted if a user sets a password during VM creation flow
1999621 - Empty ssh_authorized_keys entry is added to VM's cloudinit if created from a customize flow
1999649 - MetalLB: Only one type of IP address can be assigned to service on dual stack cluster from a address pool that have both IPv4 and IPv6 addresses defined
1999668 - openshift-install destroy cluster panic's when given invalid credentials to cloud provider (Azure Stack Hub)
1999734 - IBM Cloud CIS Instance CRN missing in infrastructure manifest/resource
1999771 - revert "force cert rotation every couple days for development" in 4.10
1999784 - CVE-2021-3749 nodejs-axios: Regular expression denial of service in trim function
1999796 - Openshift Console Helm tab is not showing helm releases in a namespace when there is high number of deployments in the same namespace.
1999836 - Admin web-console inconsistent status summary of sparse ClusterOperator conditions
1999903 - Click "This is a CD-ROM boot source" ticking "Use template size PVC" on pvc upload form
1999983 - No way to clear upload error from template boot source
2000081 - [IPI baremetal] The metal3 pod failed to restart when switching from Disabled to Managed provisioning without specifying provisioningInterface parameter
2000096 - Git URL is not re-validated on edit build-config form reload
2000216 - Successfully imported ImageStreams are not resolved in DeploymentConfig
2000236 - Confusing usage message from dynkeepalived CLI
2000268 - Mark cluster unupgradable if vcenter, esxi versions or HW versions are unsupported
2000430 - bump cluster-api-provider-ovirt version in installer
2000450 - 4.10: Enable static PV multi-az test
2000490 - All critical alerts shipped by CMO should have links to a runbook
2000521 - Kube-apiserver CO degraded due to failed conditional check (ConfigObservationDegraded)
2000573 - Incorrect StorageCluster CR created and ODF cluster getting installed with 2 Zone OCP cluster
2000628 - ibm-flashsystem-storage-storagesystem got created without any warning even when the attempt was cancelled
2000651 - ImageStreamTag alias results in wrong tag and invalid link in Web Console
2000754 - IPerf2 tests should be lower
2000846 - Structure logs in the entire codebase of Local Storage Operator
2000872 - [tracker] container is not able to list on some directories within the nfs after upgrade to 4.7.24
2000877 - OCP ignores STOPSIGNAL in Dockerfile and sends SIGTERM
2000938 - CVO does not respect changes to a Deployment strategy
2000963 - 'Inline-volume (default fs)] volumes should store data' tests are failing on OKD with updated selinux-policy
2001008 - [MachineSets] CloneMode defaults to linkedClone, but I don't have snapshot and should be fullClone
2001240 - Remove response headers for downloads of binaries from OpenShift WebConsole
2001295 - Remove openshift:kubevirt-machine-controllers decleration from machine-api
2001317 - OCP Platform Quota Check - Inaccurate MissingQuota error
2001337 - Details Card in ODF Dashboard mentions OCS
2001339 - fix text content hotplug
2001413 - [e2e][automation] add/delete nic and disk to template
2001441 - Test: oc adm must-gather runs successfully for audit logs - fail due to startup log
2001442 - Empty termination.log file for the kube-apiserver has too permissive mode
2001479 - IBM Cloud DNS unable to create/update records
2001566 - Enable alerts for prometheus operator in UWM
2001575 - Clicking on the perspective switcher shows a white page with loader
2001577 - Quick search placeholder is not displayed properly when the search string is removed
2001578 - [e2e][automation] add tests for vm dashboard tab
2001605 - PVs remain in Released state for a long time after the claim is deleted
2001617 - BucketClass Creation is restricted on 1st page but enabled using side navigation options
2001620 - Cluster becomes degraded if it can't talk to Manila
2001760 - While creating 'Backing Store', 'Bucket Class', 'Namespace Store' user is navigated to 'Installed Operators' page after clicking on ODF
2001761 - Unable to apply cluster operator storage for SNO on GCP platform.
2001765 - Some error message in the log of diskmaker-manager caused confusion
2001784 - show loading page before final results instead of showing a transient message No log files exist
2001804 - Reload feature on Environment section in Build Config form does not work properly
2001810 - cluster admin unable to view BuildConfigs in all namespaces
2001817 - Failed to load RoleBindings list that will lead to ‘Role name’ is not able to be selected on Create RoleBinding page as well
2001823 - OCM controller must update operator status
2001825 - [SNO]ingress/authentication clusteroperator degraded when enable ccm from start
2001835 - Could not select image tag version when create app from dev console
2001855 - Add capacity is disabled for ocs-storagecluster
2001856 - Repeating event: MissingVersion no image found for operand pod
2001959 - Side nav list borders don't extend to edges of container
2002007 - Layout issue on "Something went wrong" page
2002010 - ovn-kube may never attempt to retry a pod creation
2002012 - Cannot change volume mode when cloning a VM from a template
2002027 - Two instances of Dotnet helm chart show as one in topology
2002075 - opm render does not automatically pulling in the image(s) used in the deployments
2002121 - [OVN] upgrades failed for IPI OSP16 OVN IPSec cluster
2002125 - Network policy details page heading should be updated to Network Policy details
2002133 - [e2e][automation] add support/virtualization and improve deleteResource
2002134 - [e2e][automation] add test to verify vm details tab
2002215 - Multipath day1 not working on s390x
2002238 - Image stream tag is not persisted when switching from yaml to form editor
2002262 - [vSphere] Incorrect user agent in vCenter sessions list
2002266 - SinkBinding create form doesn't allow to use subject name, instead of label selector
2002276 - OLM fails to upgrade operators immediately
2002300 - Altering the Schedule Profile configurations doesn't affect the placement of the pods
2002354 - Missing DU configuration "Done" status reporting during ZTP flow
2002362 - Dynamic Plugin - ConsoleRemotePlugin for webpack doesn't use commonjs
2002368 - samples should not go degraded when image allowedRegistries blocks imagestream creation
2002372 - Pod creation failed due to mismatched pod IP address in CNI and OVN
2002397 - Resources search is inconsistent
2002434 - CRI-O leaks some children PIDs
2002443 - Getting undefined error on create local volume set page
2002461 - DNS operator performs spurious updates in response to API's defaulting of service's internalTrafficPolicy
2002504 - When the openshift-cluster-storage-operator is degraded because of "VSphereProblemDetectorController_SyncError", the insights operator is not sending the logs from all pods.
2002559 - User preference for topology list view does not follow when a new namespace is created
2002567 - Upstream SR-IOV worker doc has broken links
2002588 - Change text to be sentence case to align with PF
2002657 - ovn-kube egress IP monitoring is using a random port over the node network
2002713 - CNO: OVN logs should have millisecond resolution
2002748 - [ICNI2] 'ErrorAddingLogicalPort' failed to handle external GW check: timeout waiting for namespace event
2002759 - Custom profile should not allow not including at least one required HTTP2 ciphersuite
2002763 - Two storage systems getting created with external mode RHCS
2002808 - KCM does not use web identity credentials
2002834 - Cluster-version operator does not remove unrecognized volume mounts
2002896 - Incorrect result return when user filter data by name on search page
2002950 - Why spec.containers.command is not created with "oc create deploymentconfig Create VM missing permissions alert
2034285 - [sig-api-machinery] API data in etcd should be stored at the correct location and version for all resources [Serial] [Suite:openshift/conformance/serial]
2034287 - do not block upgrades if we can't create storageclass in 4.10 in vsphere
2034300 - Du validator policy is NonCompliant after DU configuration completed
2034319 - Negation constraint is not validating packages
2034322 - CNO doesn't pick up settings required when ExternalControlPlane topology
2034350 - The CNO should implement the Whereabouts IP reconciliation cron job
2034362 - update description of disk interface
2034398 - The Whereabouts IPPools CRD should include the podref field
2034409 - Default CatalogSources should be pointing to 4.10 index images
2034410 - Metallb BGP, BFD: prometheus is not scraping the frr metrics
2034413 - cloud-network-config-controller fails to init with secret "cloud-credentials" not found in manual credential mode
2034460 - Summary: cloud-network-config-controller does not account for different environment
2034474 - Template's boot source is "Unknown source" before and after set enableCommonBootImageImport to true
2034477 - [OVN] Multiple EgressIP objects configured, EgressIPs weren't working properly
2034493 - Change cluster version operator log level
2034513 - [OVN] After update one EgressIP in EgressIP object, one internal IP lost from lr-policy-list
2034527 - IPI deployment fails 'timeout reached while inspecting the node' when provisioning network ipv6
2034528 - [IBM VPC] volumeBindingMode should be WaitForFirstConsumer
2034534 - Update ose-machine-api-provider-openstack images to be consistent with ART
2034537 - Update team
2034559 - KubeAPIErrorBudgetBurn firing outside recommended latency thresholds
2034563 - [Azure] create machine with wrong ephemeralStorageLocation value success
2034577 - Current OVN gateway mode should be reflected on node annotation as well
2034621 - context menu not popping up for application group
2034622 - Allow volume expansion by default in vsphere CSI storageclass 4.10
2034624 - Warn about unsupported CSI driver in vsphere operator
2034647 - missing volumes list in snapshot modal
2034648 - Rebase openshift-controller-manager to 1.23
2034650 - Rebase openshift/builder to 1.23
2034705 - vSphere: storage e2e tests logging configuration data
2034743 - EgressIP: assigning the same egress IP to a second EgressIP object after a ovnkube-master restart does not fail.
2034766 - Special Resource Operator(SRO) - no cert-manager pod created in dual stack environment
2034785 - ptpconfig with summary_interval cannot be applied
2034823 - RHEL9 should be starred in template list
2034838 - An external router can inject routes if no service is added
2034839 - Jenkins sync plugin does not synchronize ConfigMap having label role=jenkins-agent
2034879 - Lifecycle hook's name and owner shouldn't be allowed to be empty
2034881 - Cloud providers components should use K8s 1.23 dependencies
2034884 - ART cannot build the image because it tries to download controller-gen
2034889 - oc adm prune deployments does not work
2034898 - Regression in recently added Events feature
2034957 - update openshift-apiserver to kube 1.23.1
2035015 - ClusterLogForwarding CR remains stuck remediating forever
2035093 - openshift-cloud-network-config-controller never runs on Hypershift cluster
2035141 - [RFE] Show GPU/Host devices in template's details tab
2035146 - "kubevirt-plugin~PVC cannot be empty" shows on add-disk modal while adding existing PVC
2035167 - [cloud-network-config-controller] unable to deleted cloudprivateipconfig when deleting
2035199 - IPv6 support in mtu-migration-dispatcher.yaml
2035239 - e2e-metal-ipi-virtualmedia tests are permanently failing
2035250 - Peering with ebgp peer over multi-hops doesn't work
2035264 - [RFE] Provide a proper message for nonpriv user who not able to add PCI devices
2035315 - invalid test cases for AWS passthrough mode
2035318 - Upgrade management workflow needs to allow custom upgrade graph path for disconnected env
2035321 - Add Sprint 211 translations
2035326 - [ExternalCloudProvider] installation with additional network on workers fails
2035328 - Ccoctl does not ignore credentials request manifest marked for deletion
2035333 - Kuryr orphans ports on 504 errors from Neutron
2035348 - Fix two grammar issues in kubevirt-plugin.json strings
2035393 - oc set data --dry-run=server makes persistent changes to configmaps and secrets
2035409 - OLM E2E test depends on operator package that's no longer published
2035439 - SDN Automatic assignment EgressIP on GCP returned node IP adress not egressIP address
2035453 - [IPI on Alibabacloud] 2 worker machines stuck in Failed phase due to connection to 'ecs-cn-hangzhou.aliyuncs.com' timeout, although the specified region is 'us-east-1'
2035454 - [IPI on Alibabacloud] the OSS bucket created during installation for image registry is not deleted after destroying the cluster
2035467 - UI: Queried metrics can't be ordered on Oberve->Metrics page
2035494 - [SDN Migration]ovnkube-node pods CrashLoopBackOff after sdn migrated to ovn for RHEL workers
2035515 - [IBMCLOUD] allowVolumeExpansion should be true in storage class
2035602 - [e2e][automation] add tests for Virtualization Overview page cards
2035703 - Roles -> RoleBindings tab doesn't show RoleBindings correctly
2035704 - RoleBindings list page filter doesn't apply
2035705 - Azure 'Destroy cluster' get stuck when the cluster resource group is already not existing.
2035757 - [IPI on Alibabacloud] one master node turned NotReady which leads to installation failed
2035772 - AccessMode and VolumeMode is not reserved for customize wizard
2035847 - Two dashes in the Cronjob / Job pod name
2035859 - the output of opm render doesn't contain olm.constraint which is defined in dependencies.yaml
2035882 - [BIOS setting values] Create events for all invalid settings in spec
2035903 - One redundant capi-operator credential requests in “oc adm extract --credentials-requests”
2035910 - [UI] Manual approval options are missing after ODF 4.10 installation starts when Manual Update approval is chosen
2035927 - Cannot enable HighNodeUtilization scheduler profile
2035933 - volume mode and access mode are empty in customize wizard review tab
2035969 - "ip a " shows "Error: Peer netns reference is invalid" after create test pods
2035986 - Some pods under kube-scheduler/kube-controller-manager are using the deprecated annotation
2036006 - [BIOS setting values] Attempt to set Integer parameter results in preparation error
2036029 - New added cloud-network-config operator doesn’t supported aws sts format credential
2036096 - [azure-file-csi-driver] there are no e2e tests for NFS backend
2036113 - cluster scaling new nodes ovs-configuration fails on all new nodes
2036567 - [csi-driver-nfs] Upstream merge: Bump k8s libraries to 1.23
2036569 - [cloud-provider-openstack] Upstream merge: Bump k8s libraries to 1.23
2036577 - OCP 4.10 nightly builds from 4.10.0-0.nightly-s390x-2021-12-18-034912 to 4.10.0-0.nightly-s390x-2022-01-11-233015 fail to upgrade from OCP 4.9.11 and 4.9.12 for network type OVNKubernetes for zVM hypervisor environments
2036622 - sdn-controller crashes when restarted while a previous egress IP assignment exists
2036717 - Valid AlertmanagerConfig custom resource with valid a mute time interval definition is rejected
2036826 - oc adm prune deployments can prune the RC/RS
2036827 - The ccoctl still accepts CredentialsRequests without ServiceAccounts on GCP platform
2036861 - kube-apiserver is degraded while enable multitenant
2036937 - Command line tools page shows wrong download ODO link
2036940 - oc registry login fails if the file is empty or stdout
2036951 - [cluster-csi-snapshot-controller-operator] proxy settings is being injected in container
2036989 - Route URL copy to clipboard button wraps to a separate line by itself
2036990 - ZTP "DU Done inform policy" never becomes compliant on multi-node clusters
2036993 - Machine API components should use Go lang version 1.17
2037036 - The tuned profile goes into degraded status and ksm.service is displayed in the log.
2037061 - aws and gcp CredentialsRequest manifests missing ServiceAccountNames list for cluster-api
2037073 - Alertmanager container fails to start because of startup probe never being successful
2037075 - Builds do not support CSI volumes
2037167 - Some log level in ibm-vpc-block-csi-controller are hard code
2037168 - IBM-specific Deployment manifest for package-server-manager should be excluded on non-IBM cluster-profiles
2037182 - PingSource badge color is not matched with knativeEventing color
2037203 - "Running VMs" card is too small in Virtualization Overview
2037209 - [IPI on Alibabacloud] worker nodes are put in the default resource group unexpectedly
2037237 - Add "This is a CD-ROM boot source" to customize wizard
2037241 - default TTL for noobaa cache buckets should be 0
2037246 - Cannot customize auto-update boot source
2037276 - [IBMCLOUD] vpc-node-label-updater may fail to label nodes appropriately
2037288 - Remove stale image reference
2037331 - Ensure the ccoctl behaviors are similar between aws and gcp on the existing resources
2037483 - Rbacs for Pods within the CBO should be more restrictive
2037484 - Bump dependencies to k8s 1.23
2037554 - Mismatched wave number error message should include the wave numbers that are in conflict
2037622 - [4.10-Alibaba CSI driver][Restore size for volumesnapshot/volumesnapshotcontent is showing as 0 in Snapshot feature for Alibaba platform]
2037635 - impossible to configure custom certs for default console route in ingress config
2037637 - configure custom certificate for default console route doesn't take effect for OCP >= 4.8
2037638 - Builds do not support CSI volumes as volume sources
2037664 - text formatting issue in Installed Operators list table
2037680 - [IPI on Alibabacloud] sometimes operator 'cloud-controller-manager' tells empty VERSION, due to conflicts on listening tcp :8080
2037689 - [IPI on Alibabacloud] sometimes operator 'cloud-controller-manager' tells empty VERSION, due to conflicts on listening tcp :8080
2037801 - Serverless installation is failing on CI jobs for e2e tests
2037813 - Metal Day 1 Networking - networkConfig Field Only Accepts String Format
2037856 - use lease for leader election
2037891 - 403 Forbidden error shows for all the graphs in each grafana dashboard after upgrade from 4.9 to 4.10
2037903 - Alibaba Cloud: delete-ram-user requires the credentials-requests
2037904 - upgrade operator deployment failed due to memory limit too low for manager container
2038021 - [4.10-Alibaba CSI driver][Default volumesnapshot class is not added/present after successful cluster installation]
2038034 - non-privileged user cannot see auto-update boot source
2038053 - Bump dependencies to k8s 1.23
2038088 - Remove ipa-downloader references
2038160 - The default project missed the annotation : openshift.io/node-selector: ""
2038166 - Starting from Go 1.17 invalid certificates will render a cluster non-functional
2038196 - must-gather is missing collecting some metal3 resources
2038240 - Error when configuring a file using permissions bigger than decimal 511 (octal 0777)
2038253 - Validator Policies are long lived
2038272 - Failures to build a PreprovisioningImage are not reported
2038384 - Azure Default Instance Types are Incorrect
2038389 - Failing test: [sig-arch] events should not repeat pathologically
2038412 - Import page calls the git file list unnecessarily twice from GitHub/GitLab/Bitbucket
2038465 - Upgrade chromedriver to 90.x to support Mac M1 chips
2038481 - kube-controller-manager-guard and openshift-kube-scheduler-guard pods being deleted and restarted on a cordoned node when drained
2038596 - Auto egressIP for OVN cluster on GCP: After egressIP object is deleted, egressIP still takes effect
2038663 - update kubevirt-plugin OWNERS
2038691 - [AUTH-8] Panic on user login when the user belongs to a group in the IdP side and the group already exists via "oc adm groups new"
2038705 - Update ptp reviewers
2038761 - Open Observe->Targets page, wait for a while, page become blank
2038768 - All the filters on the Observe->Targets page can't work
2038772 - Some monitors failed to display on Observe->Targets page
2038793 - [SDN EgressIP] After reboot egress node, the egressip was lost from egress node
2038827 - should add user containers in /etc/subuid and /etc/subgid to support run pods in user namespaces
2038832 - New templates for centos stream8 are missing registry suggestions in create vm wizard
2038840 - [SDN EgressIP]cloud-network-config-controller pod was CrashLoopBackOff after some operation
2038864 - E2E tests fail because multi-hop-net was not created
2038879 - All Builds are getting listed in DeploymentConfig under workloads on OpenShift Console
2038934 - CSI driver operators should use the trusted CA bundle when cluster proxy is configured
2038968 - Move feature gates from a carry patch to openshift/api
2039056 - Layout issue with breadcrumbs on API explorer page
2039057 - Kind column is not wide enough in API explorer page
2039064 - Bulk Import e2e test flaking at a high rate
2039065 - Diagnose and fix Bulk Import e2e test that was previously disabled
2039085 - Cloud credential operator configuration failing to apply in hypershift/ROKS clusters
2039099 - [OVN EgressIP GCP] After reboot egress node, egressip that was previously assigned got lost
2039109 - [FJ OCP4.10 Bug]: startironic.sh failed to pull the image of image-customization container when behind a proxy
2039119 - CVO hotloops on Service openshift-monitoring/cluster-monitoring-operator
2039170 - [upgrade]Error shown on registry operator "missing the cloud-provider-config configmap" after upgrade
2039227 - Improve image customization server parameter passing during installation
2039241 - Improve image customization server parameter passing during installation
2039244 - Helm Release revision history page crashes the UI
2039294 - SDN controller metrics cannot be consumed correctly by prometheus
2039311 - oc Does Not Describe Build CSI Volumes
2039315 - Helm release list page should only fetch secrets for deployed charts
2039321 - SDN controller metrics are not being consumed by prometheus
2039330 - Create NMState button doesn't work in OperatorHub web console
2039339 - cluster-ingress-operator should report Unupgradeable if user has modified the aws resources annotations
2039345 - CNO does not verify the minimum MTU value for IPv6/dual-stack clusters.
2039359 - oc adm prune deployments can't prune the RS where the associated Deployment no longer exists
2039382 - gather_metallb_logs does not have execution permission
2039406 - logout from rest session after vsphere operator sync is finished
2039408 - Add GCP region northamerica-northeast2 to allowed regions
2039414 - Cannot see the weights increased for NodeAffinity, InterPodAffinity, TaintandToleration
2039425 - No need to set KlusterletAddonConfig CR applicationManager->enabled: true in RAN ztp deployment
2039491 - oc - git:// protocol used in unit tests
2039516 - Bump OVN to ovn21.12-21.12.0-25
2039529 - Project Dashboard Resource Quotas Card empty state test flaking at a high rate
2039534 - Diagnose and fix Project Dashboard Resource Quotas Card test that was previously disabled
2039541 - Resolv-prepender script duplicating entries
2039586 - [e2e] update centos8 to centos stream8
2039618 - VM created from SAP HANA template leads to 404 page if leave one network parameter empty
2039619 - [AWS] In tree provisioner storageclass aws disk type should contain 'gp3' and csi provisioner storageclass default aws disk type should be 'gp3'
2039670 - Create PDBs for control plane components
2039678 - Page goes blank when create image pull secret
2039689 - [IPI on Alibabacloud] Pay-by-specification NAT is no longer supported
2039743 - React missing key warning when open operator hub detail page (and maybe others as well)
2039756 - React missing key warning when open KnativeServing details
2039770 - Observe dashboard doesn't react on time-range changes after browser reload when perspective is changed in another tab
2039776 - Observe dashboard shows nothing if the URL links to an non existing dashboard
2039781 - [GSS] OBC is not visible by admin of a Project on Console
2039798 - Contextual binding with Operator backed service creates visual connector instead of Service binding connector
2039868 - Insights Advisor widget is not in the disabled state when the Insights Operator is disabled
2039880 - Log level too low for control plane metrics
2039919 - Add E2E test for router compression feature
2039981 - ZTP for standard clusters installs stalld on master nodes
2040132 - Flag --port has been deprecated, This flag has no effect now and will be removed in v1.24. You can use --secure-port instead
2040136 - external-dns-operator pod keeps restarting and reports error: timed out waiting for cache to be synced
2040143 - [IPI on Alibabacloud] suggest to remove region "cn-nanjing" or provide better error message
2040150 - Update ConfigMap keys for IBM HPCS
2040160 - [IPI on Alibabacloud] installation fails when region does not support pay-by-bandwidth
2040285 - Bump build-machinery-go for console-operator to pickup change in yaml-patch repository
2040357 - bump OVN to ovn-2021-21.12.0-11.el8fdp
2040376 - "unknown instance type" error for supported m6i.xlarge instance
2040394 - Controller: enqueue the failed configmap till services update
2040467 - Cannot build ztp-site-generator container image
2040504 - Change AWS EBS GP3 IOPS in MachineSet doesn't take affect in OpenShift 4
2040521 - RouterCertsDegraded certificate could not validate route hostname v4-0-config-system-custom-router-certs.apps
2040535 - Auto-update boot source is not available in customize wizard
2040540 - ovs hardware offload: ovsargs format error when adding vf netdev name
2040603 - rhel worker scaleup playbook failed because missing some dependency of podman
2040616 - rolebindings page doesn't load for normal users
2040620 - [MAPO] Error pulling MAPO image on installation
2040653 - Topology sidebar warns that another component is updated while rendering
2040655 - User settings update fails when selecting application in topology sidebar
2040661 - Different react warnings about updating state on unmounted components when leaving topology
2040670 - Permafailing CI job: periodic-ci-openshift-release-master-nightly-4.10-e2e-gcp-libvirt-cert-rotation
2040671 - [Feature:IPv6DualStack] most tests are failing in dualstack ipi
2040694 - Three upstream HTTPClientConfig struct fields missing in the operator
2040705 - Du policy for standard cluster runs the PTP daemon on masters and workers
2040710 - cluster-baremetal-operator cannot update BMC subscription CR
2040741 - Add CI test(s) to ensure that metal3 components are deployed in vSphere, OpenStack and None platforms
2040782 - Import YAML page blocks input with more then one generateName attribute
2040783 - The Import from YAML summary page doesn't show the resource name if created via generateName attribute
2040791 - Default PGT policies must be 'inform' to integrate with the Lifecycle Operator
2040793 - Fix snapshot e2e failures
2040880 - do not block upgrades if we can't connect to vcenter
2041087 - MetalLB: MetalLB CR is not upgraded automatically from 4.9 to 4.10
2041093 - autounattend.xml missing
2041204 - link to templates in virtualization-cluster-overview inventory card is to all templates
2041319 - [IPI on Alibabacloud] installation in region "cn-shanghai" failed, due to "Resource alicloud_vswitch CreateVSwitch Failed...InvalidCidrBlock.Overlapped"
2041326 - Should bump cluster-kube-descheduler-operator to kubernetes version V1.23
2041329 - aws and gcp CredentialsRequest manifests missing ServiceAccountNames list for cloud-network-config-controller
2041361 - [IPI on Alibabacloud] Disable session persistence and removebBandwidth peak of listener
2041441 - Provision volume with size 3000Gi even if sizeRange: '[10-2000]GiB' in storageclass on IBM cloud
2041466 - Kubedescheduler version is missing from the operator logs
2041475 - React components should have a (mostly) unique name in react dev tools to simplify code analyses
2041483 - MetallB: quay.io/openshift/origin-kube-rbac-proxy:4.10 deploy Metallb CR is missing (controller and speaker pods)
2041492 - Spacing between resources in inventory card is too small
2041509 - GCP Cloud provider components should use K8s 1.23 dependencies
2041510 - cluster-baremetal-operator doesn't run baremetal-operator's subscription webhook
2041541 - audit: ManagedFields are dropped using API not annotation
2041546 - ovnkube: set election timer at RAFT cluster creation time
2041554 - use lease for leader election
2041581 - KubeDescheduler operator log shows "Use of insecure cipher detected"
2041583 - etcd and api server cpu mask interferes with a guaranteed workload
2041598 - Including CA bundle in Azure Stack cloud config causes MCO failure
2041605 - Dynamic Plugins: discrepancy in proxy alias documentation/implementation
2041620 - bundle CSV alm-examples does not parse
2041641 - Fix inotify leak and kubelet retaining memory
2041671 - Delete templates leads to 404 page
2041694 - [IPI on Alibabacloud] installation fails when region does not support the cloud_essd disk category
2041734 - ovs hwol: VFs are unbind when switchdev mode is enabled
2041750 - [IPI on Alibabacloud] trying "create install-config" with region "cn-wulanchabu (China (Ulanqab))" (or "ap-southeast-6 (Philippines (Manila))", "cn-guangzhou (China (Guangzhou))") failed due to invalid endpoint
2041763 - The Observe > Alerting pages no longer have their default sort order applied
2041830 - CI: ovn-kubernetes-master-e2e-aws-ovn-windows is broken
2041854 - Communities / Local prefs are applied to all the services regardless of the pool, and only one community is applied
2041882 - cloud-network-config operator can't work normal on GCP workload identity cluster
2041888 - Intermittent incorrect build to run correlation, leading to run status updates applied to wrong build, builds stuck in non-terminal phases
2041926 - [IPI on Alibabacloud] Installer ignores public zone when it does not exist
2041971 - [vsphere] Reconciliation of mutating webhooks didn't happen
2041989 - CredentialsRequest manifests being installed for ibm-cloud-managed profile
2041999 - [PROXY] external dns pod cannot recognize custom proxy CA
2042001 - unexpectedly found multiple load balancers
2042029 - kubedescheduler fails to install completely
2042036 - [IBMCLOUD] "openshift-install explain installconfig.platform.ibmcloud" contains not yet supported custom vpc parameters
2042049 - Seeing warning related to unrecognized feature gate in kubescheduler & KCM logs
2042059 - update discovery burst to reflect lots of CRDs on openshift clusters
2042069 - Revert toolbox to rhcos-toolbox
2042169 - Can not delete egressnetworkpolicy in Foreground propagation
2042181 - MetalLB: User should not be allowed add same bgp advertisement twice in BGP address pool
2042265 - [IBM]"--scale-down-utilization-threshold" doesn't work on IBMCloud
2042274 - Storage API should be used when creating a PVC
2042315 - Baremetal IPI deployment with IPv6 control plane and disabled provisioning network fails as the nodes do not pass introspection
2042366 - Lifecycle hooks should be independently managed
2042370 - [IPI on Alibabacloud] installer panics when the zone does not have an enhanced NAT gateway
2042382 - [e2e][automation] CI takes more then 2 hours to run
2042395 - Add prerequisites for active health checks test
2042438 - Missing rpms in openstack-installer image
2042466 - Selection does not happen when switching from Topology Graph to List View
2042493 - No way to verify if IPs with leading zeros are still valid in the apiserver
2042567 - insufficient info on CodeReady Containers configuration
2042600 - Alone, the io.kubernetes.cri-o.Devices option poses a security risk
2042619 - Overview page of the console is broken for hypershift clusters
2042655 - [IPI on Alibabacloud] cluster becomes unusable if there is only one kube-apiserver pod running
2042711 - [IBMCloud] Machine Deletion Hook cannot work on IBMCloud
2042715 - [AliCloud] Machine Deletion Hook cannot work on AliCloud
2042770 - [IPI on Alibabacloud] with vpcID & vswitchIDs specified, the installer would still try creating NAT gateway unexpectedly
2042829 - Topology performance: HPA was fetched for each Deployment (Pod Ring)
2042851 - Create template from SAP HANA template flow - VM is created instead of a new template
2042906 - Edit machineset with same machine deletion hook name succeed
2042960 - azure-file CI fails with "gid(0) in storageClass and pod fsgroup(1000) are not equal"
2043003 - [IPI on Alibabacloud] 'destroy cluster' of a failed installation (bug2041694) stuck after 'stage=Nat gateways'
2043042 - [Serial] [sig-auth][Feature:OAuthServer] [RequestHeaders] [IdP] test RequestHeaders IdP [Suite:openshift/conformance/serial]
2043043 - Cluster Autoscaler should use K8s 1.23 dependencies
2043064 - Topology performance: Unnecessary rerenderings in topology nodes (unchanged mobx props)
2043078 - Favorite system projects not visible in the project selector after toggling "Show default projects".
2043117 - Recommended operators links are erroneously treated as external
2043130 - Update CSI sidecars to the latest release for 4.10
2043234 - Missing validation when creating several BGPPeers with the same peerAddress
2043240 - Sync openshift/descheduler with sigs.k8s.io/descheduler
2043254 - crio does not bind the security profiles directory
2043296 - Ignition fails when reusing existing statically-keyed LUKS volume
2043297 - [4.10] Bootimage bump tracker
2043316 - RHCOS VM fails to boot on Nutanix AOS
2043446 - Rebase aws-efs-utils to the latest upstream version.
2043556 - Add proper ci-operator configuration to ironic and ironic-agent images
2043577 - DPU network operator
2043651 - Fix bug with exp. backoff working correcly when setting nextCheck in vsphere operator
2043675 - Too many machines deleted by cluster autoscaler when scaling down
2043683 - Revert bug 2039344 Ignoring IPv6 addresses against etcd cert validation
2043709 - Logging flags no longer being bound to command line
2043721 - Installer bootstrap hosts using outdated kubelet containing bugs
2043731 - [IBMCloud] terraform outputs missing for ibmcloud bootstrap and worker ips for must-gather
2043759 - Bump cluster-ingress-operator to k8s.io/api 1.23
2043780 - Bump router to k8s.io/api 1.23
2043787 - Bump cluster-dns-operator to k8s.io/api 1.23
2043801 - Bump CoreDNS to k8s.io/api 1.23
2043802 - EgressIP stopped working after single egressIP for a netnamespace is switched to the other node of HA pair after the first egress node is shutdown
2043961 - [OVN-K] If pod creation fails, retry doesn't work as expected.
2044201 - Templates golden image parameters names should be supported
2044244 - Builds are failing after upgrading the cluster with builder image [jboss-webserver-5/jws56-openjdk8-openshift-rhel8]
2044248 - [IBMCloud][vpc.block.csi.ibm.io]Cluster common user use the storageclass without parameter “csi.storage.k8s.io/fstype” create pvc,pod successfully but write data to the pod's volume failed of "Permission denied"
2044303 - [ovn][cloud-network-config-controller] cloudprivateipconfigs ips were left after deleting egressip objects
2044347 - Bump to kubernetes 1.23.3
2044481 - collect sharedresource cluster scoped instances with must-gather
2044496 - Unable to create hardware events subscription - failed to add finalizers
2044628 - CVE-2022-21673 grafana: Forward OAuth Identity Token can allow users to access some data sources
2044680 - Additional libovsdb performance and resource consumption fixes
2044704 - Observe > Alerting pages should not show runbook links in 4.10
2044717 - [e2e] improve tests for upstream test environment
2044724 - Remove namespace column on VM list page when a project is selected
2044745 - Upgrading cluster from 4.9 to 4.10 on Azure (ARO) causes the cloud-network-config-controller pod to CrashLoopBackOff
2044808 - machine-config-daemon-pull.service: use cp instead of cat when extracting MCD in OKD
2045024 - CustomNoUpgrade alerts should be ignored
2045112 - vsphere-problem-detector has missing rbac rules for leases
2045199 - SnapShot with Disk Hot-plug hangs
2045561 - Cluster Autoscaler should use the same default Group value as Cluster API
2045591 - Reconciliation of aws pod identity mutating webhook did not happen
2045849 - Add Sprint 212 translations
2045866 - MCO Operator pod spam "Error creating event" warning messages in 4.10
2045878 - Sync upstream 1.16.0 downstream; includes hybrid helm plugin
2045916 - [IBMCloud] Default machine profile in installer is unreliable
2045927 - [FJ OCP4.10 Bug]: Podman failed to pull the IPA image due to the loss of proxy environment
2046025 - [IPI on Alibabacloud] pre-configured alicloud DNS private zone is deleted after destroying cluster, please clarify
2046137 - oc output for unknown commands is not human readable
2046296 - When creating multiple consecutive egressIPs on GCP not all of them get assigned to the instance
2046297 - Bump DB reconnect timeout
2046517 - In Notification drawer, the "Recommendations" header shows when there isn't any recommendations
2046597 - Observe > Targets page may show the wrong service monitor is multiple monitors have the same namespace & label selectors
2046626 - Allow setting custom metrics for Ansible-based Operators
2046683 - [AliCloud]"--scale-down-utilization-threshold" doesn't work on AliCloud
2047025 - Installation fails because of Alibaba CSI driver operator is degraded
2047190 - Bump Alibaba CSI driver for 4.10
2047238 - When using communities and localpreferences together, only localpreference gets applied
2047255 - alibaba: resourceGroupID not found
2047258 - [aws-usgov] fatal error occurred if AMI is not provided for AWS GovCloud regions
2047317 - Update HELM OWNERS files under Dev Console
2047455 - [IBM Cloud] Update custom image os type
2047496 - Add image digest feature
2047779 - do not degrade cluster if storagepolicy creation fails
2047927 - 'oc get project' caused 'Observed a panic: cannot deep copy core.NamespacePhase' when AllRequestBodies is used
2047929 - use lease for leader election
2047975 - [sig-network][Feature:Router] The HAProxy router should override the route host for overridden domains with a custom value [Skipped:Disconnected] [Suite:openshift/conformance/parallel]
2048046 - New route annotation to show another URL or hide topology URL decorator doesn't work for Knative Services
2048048 - Application tab in User Preferences dropdown menus are too wide.
2048050 - Topology list view items are not highlighted on keyboard navigation
2048117 - [IBM]Shouldn't change status.storage.bucket and status.storage.resourceKeyCRN when update sepc.stroage,ibmcos with invalid value
2048413 - Bond CNI: Failed to attach Bond NAD to pod
2048443 - Image registry operator panics when finalizes config deletion
2048478 - [alicloud] CCM deploys alibaba-cloud-controller-manager from quay.io/openshift/origin-*
2048484 - SNO: cluster-policy-controller failed to start due to missing serving-cert/tls.crt
2048598 - Web terminal view is broken
2048836 - ovs-configure mis-detecting the ipv6 status on IPv4 only cluster causing Deployment failure
2048891 - Topology page is crashed
2049003 - 4.10: [IBMCloud] ibm-vpc-block-csi-node does not specify an update strategy, only resource requests, or priority class
2049043 - Cannot create VM from template
2049156 - 'oc get project' caused 'Observed a panic: cannot deep copy core.NamespacePhase' when AllRequestBodies is used
2049886 - Placeholder bug for OCP 4.10.0 metadata release
2049890 - Warning annotation for pods with cpu requests or limits on single-node OpenShift cluster without workload partitioning
2050189 - [aws-efs-csi-driver] Merge upstream changes since v1.3.2
2050190 - [aws-ebs-csi-driver] Merge upstream changes since v1.2.0
2050227 - Installation on PSI fails with: 'openstack platform does not have the required standard-attr-tag network extension'
2050247 - Failing test in periodics: [sig-network] Services should respect internalTrafficPolicy=Local Pod and Node, to Pod (hostNetwork: true) [Feature:ServiceInternalTrafficPolicy] [Skipped:Network/OVNKubernetes] [Suite:openshift/conformance/parallel] [Suite:k8s]
2050250 - Install fails to bootstrap, complaining about DefragControllerDegraded and sad members
2050310 - ContainerCreateError when trying to launch large (>500) numbers of pods across nodes
2050370 - alert data for burn budget needs to be updated to prevent regression
2050393 - ZTP missing support for local image registry and custom machine config
2050557 - Can not push images to image-registry when enabling KMS encryption in AlibabaCloud
2050737 - Remove metrics and events for master port offsets
2050801 - Vsphere upi tries to access vsphere during manifests generation phase
2050883 - Logger object in LSO does not log source location accurately
2051692 - co/image-registry is degrade because ImagePrunerDegraded: Job has reached the specified backoff limit
2052062 - Whereabouts should implement client-go 1.22+
2052125 - [4.10] Crio appears to be coredumping in some scenarios
2052210 - [aws-c2s] kube-apiserver crashloops due to missing cloud config
2052339 - Failing webhooks will block an upgrade to 4.10 mid-way through the upgrade.
2052458 - [IBM Cloud] ibm-vpc-block-csi-controller does not specify an update strategy, priority class, or only resource requests
2052598 - kube-scheduler should use configmap lease
2052599 - kube-controller-manger should use configmap lease
2052600 - Failed to scaleup RHEL machine against OVN cluster due to jq tool is required by configure-ovs.sh
2052609 - [vSphere CSI driver Operator] RWX volumes counts metrics vsphere_rwx_volumes_total not valid
2052611 - MetalLB: BGPPeer object does not have ability to set ebgpMultiHop
2052612 - MetalLB: Webhook Validation: Two BGPPeers instances can have different router ID set.
2052644 - Infinite OAuth redirect loop post-upgrade to 4.10.0-rc.1
2052666 - [4.10.z] change gitmodules to rhcos-4.10 branch
2052756 - [4.10] PVs are not being cleaned up after PVC deletion
2053175 - oc adm catalog mirror throws 'missing signature key' error when using file://local/index
2053218 - ImagePull fails with error "unable to pull manifest from example.com/busy.box:v5 invalid reference format"
2053252 - Sidepanel for Connectors/workloads in topology shows invalid tabs
2053268 - inability to detect static lifecycle failure
2053314 - requestheader IDP test doesn't wait for cleanup, causing high failure rates
2053323 - OpenShift-Ansible BYOH Unit Tests are Broken
2053339 - Remove dev preview badge from IBM FlashSystem deployment windows
2053751 - ztp-site-generate container is missing convenience entrypoint
2053945 - [4.10] Failed to apply sriov policy on intel nics
2054109 - Missing "app" label
2054154 - RoleBinding in project without subject is causing "Project access" page to fail
2054244 - Latest pipeline run should be listed on the top of the pipeline run list
2054288 - console-master-e2e-gcp-console is broken
2054562 - DPU network operator 4.10 branch need to sync with master
2054897 - Unable to deploy hw-event-proxy operator
2055193 - e2e-metal-ipi-serial-ovn-ipv6 is failing frequently
2055358 - Summary Interval Hardcoded in PTP Operator if Set in the Global Body Instead of Command Line
2055371 - Remove Check which enforces summary_interval must match logSyncInterval
2055689 - [ibm]Operator storage PROGRESSING and DEGRADED is true during fresh install for ocp4.11
2055894 - CCO mint mode will not work for Azure after sunsetting of Active Directory Graph API
2056441 - AWS EFS CSI driver should use the trusted CA bundle when cluster proxy is configured
2056479 - ovirt-csi-driver-node pods are crashing intermittently
2056572 - reconcilePrecaching error: cannot list resource "clusterserviceversions" in API group "operators.coreos.com" at the cluster scope"
2056629 - [4.10] EFS CSI driver can't unmount volumes with "wait: no child processes"
2056878 - (dummy bug) ovn-kubernetes ExternalTrafficPolicy still SNATs
2056928 - Ingresscontroller LB scope change behaviour differs for different values of aws-load-balancer-internal annotation
2056948 - post 1.23 rebase: regression in service-load balancer reliability
2057438 - Service Level Agreement (SLA) always show 'Unknown'
2057721 - Fix Proxy support in RHACM 2.4.2
2057724 - Image creation fails when NMstateConfig CR is empty
2058641 - [4.10] Pod density test causing problems when using kube-burner
2059761 - 4.9.23-s390x-machine-os-content manifest invalid when mirroring content for disconnected install
2060610 - Broken access to public images: Unable to connect to the server: no basic auth credentials
2060956 - service domain can't be resolved when networkpolicy is used in OCP 4.10-rc
- References:
https://access.redhat.com/security/cve/CVE-2014-3577 https://access.redhat.com/security/cve/CVE-2016-10228 https://access.redhat.com/security/cve/CVE-2017-14502 https://access.redhat.com/security/cve/CVE-2018-20843 https://access.redhat.com/security/cve/CVE-2018-1000858 https://access.redhat.com/security/cve/CVE-2019-8625 https://access.redhat.com/security/cve/CVE-2019-8710 https://access.redhat.com/security/cve/CVE-2019-8720 https://access.redhat.com/security/cve/CVE-2019-8743 https://access.redhat.com/security/cve/CVE-2019-8764 https://access.redhat.com/security/cve/CVE-2019-8766 https://access.redhat.com/security/cve/CVE-2019-8769 https://access.redhat.com/security/cve/CVE-2019-8771 https://access.redhat.com/security/cve/CVE-2019-8782 https://access.redhat.com/security/cve/CVE-2019-8783 https://access.redhat.com/security/cve/CVE-2019-8808 https://access.redhat.com/security/cve/CVE-2019-8811 https://access.redhat.com/security/cve/CVE-2019-8812 https://access.redhat.com/security/cve/CVE-2019-8813 https://access.redhat.com/security/cve/CVE-2019-8814 https://access.redhat.com/security/cve/CVE-2019-8815 https://access.redhat.com/security/cve/CVE-2019-8816 https://access.redhat.com/security/cve/CVE-2019-8819 https://access.redhat.com/security/cve/CVE-2019-8820 https://access.redhat.com/security/cve/CVE-2019-8823 https://access.redhat.com/security/cve/CVE-2019-8835 https://access.redhat.com/security/cve/CVE-2019-8844 https://access.redhat.com/security/cve/CVE-2019-8846 https://access.redhat.com/security/cve/CVE-2019-9169 https://access.redhat.com/security/cve/CVE-2019-13050 https://access.redhat.com/security/cve/CVE-2019-13627 https://access.redhat.com/security/cve/CVE-2019-14889 https://access.redhat.com/security/cve/CVE-2019-15903 https://access.redhat.com/security/cve/CVE-2019-19906 https://access.redhat.com/security/cve/CVE-2019-20454 https://access.redhat.com/security/cve/CVE-2019-20807 https://access.redhat.com/security/cve/CVE-2019-25013 https://access.redhat.com/security/cve/CVE-2020-1730 https://access.redhat.com/security/cve/CVE-2020-3862 https://access.redhat.com/security/cve/CVE-2020-3864 https://access.redhat.com/security/cve/CVE-2020-3865 https://access.redhat.com/security/cve/CVE-2020-3867 https://access.redhat.com/security/cve/CVE-2020-3868 https://access.redhat.com/security/cve/CVE-2020-3885 https://access.redhat.com/security/cve/CVE-2020-3894 https://access.redhat.com/security/cve/CVE-2020-3895 https://access.redhat.com/security/cve/CVE-2020-3897 https://access.redhat.com/security/cve/CVE-2020-3899 https://access.redhat.com/security/cve/CVE-2020-3900 https://access.redhat.com/security/cve/CVE-2020-3901 https://access.redhat.com/security/cve/CVE-2020-3902 https://access.redhat.com/security/cve/CVE-2020-8927 https://access.redhat.com/security/cve/CVE-2020-9802 https://access.redhat.com/security/cve/CVE-2020-9803 https://access.redhat.com/security/cve/CVE-2020-9805 https://access.redhat.com/security/cve/CVE-2020-9806 https://access.redhat.com/security/cve/CVE-2020-9807 https://access.redhat.com/security/cve/CVE-2020-9843 https://access.redhat.com/security/cve/CVE-2020-9850 https://access.redhat.com/security/cve/CVE-2020-9862 https://access.redhat.com/security/cve/CVE-2020-9893 https://access.redhat.com/security/cve/CVE-2020-9894 https://access.redhat.com/security/cve/CVE-2020-9895 https://access.redhat.com/security/cve/CVE-2020-9915 https://access.redhat.com/security/cve/CVE-2020-9925 https://access.redhat.com/security/cve/CVE-2020-9952 https://access.redhat.com/security/cve/CVE-2020-10018 https://access.redhat.com/security/cve/CVE-2020-11793 https://access.redhat.com/security/cve/CVE-2020-13434 https://access.redhat.com/security/cve/CVE-2020-14391 https://access.redhat.com/security/cve/CVE-2020-15358 https://access.redhat.com/security/cve/CVE-2020-15503 https://access.redhat.com/security/cve/CVE-2020-25660 https://access.redhat.com/security/cve/CVE-2020-25677 https://access.redhat.com/security/cve/CVE-2020-27618 https://access.redhat.com/security/cve/CVE-2020-27781 https://access.redhat.com/security/cve/CVE-2020-29361 https://access.redhat.com/security/cve/CVE-2020-29362 https://access.redhat.com/security/cve/CVE-2020-29363 https://access.redhat.com/security/cve/CVE-2021-3121 https://access.redhat.com/security/cve/CVE-2021-3326 https://access.redhat.com/security/cve/CVE-2021-3449 https://access.redhat.com/security/cve/CVE-2021-3450 https://access.redhat.com/security/cve/CVE-2021-3516 https://access.redhat.com/security/cve/CVE-2021-3517 https://access.redhat.com/security/cve/CVE-2021-3518 https://access.redhat.com/security/cve/CVE-2021-3520 https://access.redhat.com/security/cve/CVE-2021-3521 https://access.redhat.com/security/cve/CVE-2021-3537 https://access.redhat.com/security/cve/CVE-2021-3541 https://access.redhat.com/security/cve/CVE-2021-3733 https://access.redhat.com/security/cve/CVE-2021-3749 https://access.redhat.com/security/cve/CVE-2021-20305 https://access.redhat.com/security/cve/CVE-2021-21684 https://access.redhat.com/security/cve/CVE-2021-22946 https://access.redhat.com/security/cve/CVE-2021-22947 https://access.redhat.com/security/cve/CVE-2021-25215 https://access.redhat.com/security/cve/CVE-2021-27218 https://access.redhat.com/security/cve/CVE-2021-30666 https://access.redhat.com/security/cve/CVE-2021-30761 https://access.redhat.com/security/cve/CVE-2021-30762 https://access.redhat.com/security/cve/CVE-2021-33928 https://access.redhat.com/security/cve/CVE-2021-33929 https://access.redhat.com/security/cve/CVE-2021-33930 https://access.redhat.com/security/cve/CVE-2021-33938 https://access.redhat.com/security/cve/CVE-2021-36222 https://access.redhat.com/security/cve/CVE-2021-37750 https://access.redhat.com/security/cve/CVE-2021-39226 https://access.redhat.com/security/cve/CVE-2021-41190 https://access.redhat.com/security/cve/CVE-2021-43813 https://access.redhat.com/security/cve/CVE-2021-44716 https://access.redhat.com/security/cve/CVE-2021-44717 https://access.redhat.com/security/cve/CVE-2022-0532 https://access.redhat.com/security/cve/CVE-2022-21673 https://access.redhat.com/security/cve/CVE-2022-24407 https://access.redhat.com/security/updates/classification/#moderate
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBYipqONzjgjWX9erEAQjQcBAAgWTjA6Q2NgqfVf63ZpJF1jPurZLPqxDL 0in/5+/wqWaiQ6yk7wM3YBZgviyKnAMCVdrLsaR7R77BvfJcTE3W/fzogxpp6Rne eGT1PTgQRecrSIn+WG4gGSteavTULWOIoPvUiNpiy3Y7fFgjFdah+Nyx3Xd+xehM CEswylOd6Hr03KZ1tS3XL3kGL2botha48Yls7FzDFbNcy6TBAuycmQZifKu8mHaF aDAupVJinDnnVgACeS6CnZTAD+Vrx5W7NIisteXv4x5Hy+jBIUHr8Yge3oxYoFnC Y/XmuOw2KilLZuqFe+KHig45qT+FmNU8E1egcGpNWvmS8hGZfiG1jEQAqDPbZHxp sQAQZLQyz3TvXa29vp4QcsUuMxndIOi+QaK75JmqE06MqMIlFDYpr6eQOIgIZvFO RDZU/qvBjh56ypInoqInBf8KOQMy6eO+r6nFbMGcAfucXmz0EVcSP1oFHAoA1nWN rs1Qz/SO4CvdPERxcr1MLuBLggZ6iqGmHKk5IN0SwcndBHaVJ3j/LBv9m7wBYVry bSvojBDYx5ricbTwB5sGzu7oH5yVl813FA9cjkFpEhBiMtTfI+DKC8ssoRYNHd5Z 7gLW6KWPUIDuCIiiioPZAJMyvJ0IMrNDoQ0lhqPeV7PFdlRhT95M/DagUZOpPVuT b5PUYUBIZLc= =GUDA -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Description:
Red Hat Advanced Cluster Management for Kubernetes 2.1.6 images
Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in.
Bug fixes:
-
RHACM 2.1.6 images (BZ#1940581)
-
When generating the import cluster string, it can include unescaped characters (BZ#1934184)
-
Bugs fixed (https://bugzilla.redhat.com/):
1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash 1929338 - CVE-2020-35149 mquery: Code injection via merge or clone operation 1934184 - When generating the import cluster string, it can include unescaped characters 1940581 - RHACM 2.1.6 images
-
Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
-
This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.
This release adds the new Apache HTTP Server 2.4.37 Service Pack 7 packages that are part of the JBoss Core Services offering. Solution:
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
The References section of this erratum contains a download link for the update. You must be logged in to download the update. Bugs fixed (https://bugzilla.redhat.com/):
1941547 - CVE-2021-3450 openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT 1941554 - CVE-2021-3449 openssl: NULL pointer dereference in signature_algorithms processing
- It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202103-1463",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "storagegrid",
"scope": "eq",
"trust": 2.0,
"vendor": "netapp",
"version": null
},
{
"model": "graalvm",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "20.3.1.2"
},
{
"model": "mysql workbench",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0.23"
},
{
"model": "node.js",
"scope": "lt",
"trust": 1.0,
"vendor": "nodejs",
"version": "15.14.0"
},
{
"model": "cloud volumes ontap mediator",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "commerce guided search",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "11.3.2"
},
{
"model": "nessus network monitor",
"scope": "eq",
"trust": 1.0,
"vendor": "tenable",
"version": "5.12.1"
},
{
"model": "peoplesoft enterprise peopletools",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.59"
},
{
"model": "web gateway cloud service",
"scope": "eq",
"trust": 1.0,
"vendor": "mcafee",
"version": "9.2.10"
},
{
"model": "node.js",
"scope": "gte",
"trust": 1.0,
"vendor": "nodejs",
"version": "10.0.0"
},
{
"model": "graalvm",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "21.0.0.2"
},
{
"model": "jd edwards world security",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "a9.4"
},
{
"model": "nessus network monitor",
"scope": "eq",
"trust": 1.0,
"vendor": "tenable",
"version": "5.11.0"
},
{
"model": "secure backup",
"scope": "lt",
"trust": 1.0,
"vendor": "oracle",
"version": "18.1.0.1.0"
},
{
"model": "mysql connectors",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0.23"
},
{
"model": "nessus network monitor",
"scope": "eq",
"trust": 1.0,
"vendor": "tenable",
"version": "5.13.0"
},
{
"model": "web gateway",
"scope": "eq",
"trust": 1.0,
"vendor": "mcafee",
"version": "10.1.1"
},
{
"model": "secure global desktop",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "5.6"
},
{
"model": "mysql server",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "5.7.33"
},
{
"model": "sonicos",
"scope": "lte",
"trust": 1.0,
"vendor": "sonicwall",
"version": "7.0.1-r1456"
},
{
"model": "sma100",
"scope": "lt",
"trust": 1.0,
"vendor": "sonicwall",
"version": "10.2.1.0-17sv"
},
{
"model": "santricity smi-s provider",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "jd edwards enterpriseone tools",
"scope": "lt",
"trust": 1.0,
"vendor": "oracle",
"version": "9.2.6.0"
},
{
"model": "nessus network monitor",
"scope": "eq",
"trust": 1.0,
"vendor": "tenable",
"version": "5.11.1"
},
{
"model": "node.js",
"scope": "lt",
"trust": 1.0,
"vendor": "nodejs",
"version": "14.16.1"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "windriver",
"version": "17.0"
},
{
"model": "node.js",
"scope": "gte",
"trust": 1.0,
"vendor": "nodejs",
"version": "14.0.0"
},
{
"model": "web gateway cloud service",
"scope": "eq",
"trust": 1.0,
"vendor": "mcafee",
"version": "8.2.19"
},
{
"model": "oncommand workflow automation",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "web gateway",
"scope": "eq",
"trust": 1.0,
"vendor": "mcafee",
"version": "9.2.10"
},
{
"model": "mysql server",
"scope": "gte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0.15"
},
{
"model": "capture client",
"scope": "lt",
"trust": 1.0,
"vendor": "sonicwall",
"version": "3.6.24"
},
{
"model": "openssl",
"scope": "gte",
"trust": 1.0,
"vendor": "openssl",
"version": "1.1.1h"
},
{
"model": "nessus network monitor",
"scope": "eq",
"trust": 1.0,
"vendor": "tenable",
"version": "5.12.0"
},
{
"model": "node.js",
"scope": "lt",
"trust": 1.0,
"vendor": "nodejs",
"version": "10.24.1"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 1.0,
"vendor": "freebsd",
"version": "12.2"
},
{
"model": "mysql enterprise monitor",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0.23"
},
{
"model": "nessus",
"scope": "lte",
"trust": 1.0,
"vendor": "tenable",
"version": "8.13.1"
},
{
"model": "enterprise manager for storage management",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "13.4.0.0"
},
{
"model": "peoplesoft enterprise peopletools",
"scope": "gte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.57"
},
{
"model": "weblogic server",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "14.1.1.0.0"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "windriver",
"version": null
},
{
"model": "weblogic server",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.2.1.4.0"
},
{
"model": "node.js",
"scope": "lt",
"trust": 1.0,
"vendor": "nodejs",
"version": "12.22.1"
},
{
"model": "node.js",
"scope": "gte",
"trust": 1.0,
"vendor": "nodejs",
"version": "12.0.0"
},
{
"model": "mysql server",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0.23"
},
{
"model": "ontap select deploy administration utility",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "34"
},
{
"model": "nessus agent",
"scope": "lte",
"trust": 1.0,
"vendor": "tenable",
"version": "8.2.3"
},
{
"model": "nessus agent",
"scope": "gte",
"trust": 1.0,
"vendor": "tenable",
"version": "8.2.1"
},
{
"model": "graalvm",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "19.3.5"
},
{
"model": "web gateway",
"scope": "eq",
"trust": 1.0,
"vendor": "mcafee",
"version": "8.2.19"
},
{
"model": "node.js",
"scope": "gte",
"trust": 1.0,
"vendor": "nodejs",
"version": "15.0.0"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "windriver",
"version": "18.0"
},
{
"model": "web gateway cloud service",
"scope": "eq",
"trust": 1.0,
"vendor": "mcafee",
"version": "10.1.1"
},
{
"model": "email security",
"scope": "lt",
"trust": 1.0,
"vendor": "sonicwall",
"version": "10.0.11"
},
{
"model": "openssl",
"scope": "lt",
"trust": 1.0,
"vendor": "openssl",
"version": "1.1.1k"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "windriver",
"version": "19.0"
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2021-3450"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Red Hat",
"sources": [
{
"db": "PACKETSTORM",
"id": "162699"
},
{
"db": "PACKETSTORM",
"id": "163209"
},
{
"db": "PACKETSTORM",
"id": "166279"
},
{
"db": "PACKETSTORM",
"id": "162183"
},
{
"db": "PACKETSTORM",
"id": "162337"
},
{
"db": "PACKETSTORM",
"id": "162196"
},
{
"db": "PACKETSTORM",
"id": "162197"
},
{
"db": "PACKETSTORM",
"id": "162201"
}
],
"trust": 0.8
},
"cve": "CVE-2021-3450",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "CVE-2021-3450",
"impactScore": 4.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.1,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "VHN-388430",
"impactScore": 4.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:P/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.2,
"id": "CVE-2021-3450",
"impactScore": 5.2,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2021-3450",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-388430",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2021-3450",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-388430"
},
{
"db": "VULMON",
"id": "CVE-2021-3450"
},
{
"db": "NVD",
"id": "CVE-2021-3450"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a \"purpose\" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named \"purpose\" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j). OpenSSL is an open source general encryption library of the Openssl team that can implement the Secure Sockets Layer (SSLv2/v3) and Transport Layer Security (TLSv1) protocols. The product supports a variety of encryption algorithms, including symmetric ciphers, hash algorithms, secure hash algorithms, etc. On March 25, 2021, the OpenSSL Project released a security advisory, OpenSSL Security Advisory [25 March 2021], that disclosed two vulnerabilities. \nExploitation of these vulnerabilities could allow an malicious user to use a valid non-certificate authority (CA) certificate to act as a CA and sign a certificate for an arbitrary organization, user or device, or to cause a denial of service (DoS) condition. \nThis advisory is available at the following link:tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd. \n\nThis issue was reported to OpenSSL on 18th March 2021 by Benjamin Kaduk\nfrom Akamai and was discovered by Xiang Ding and others at Akamai. The fix was\ndeveloped by Tom\u00e1\u0161 Mr\u00e1z. \n\n\nNULL pointer deref in signature_algorithms processing (CVE-2021-3449)\n=====================================================================\n\nSeverity: High\n\nAn OpenSSL TLS server may crash if sent a maliciously crafted renegotiation\nClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits\nthe signature_algorithms extension (where it was present in the initial\nClientHello), but includes a signature_algorithms_cert extension then a NULL\npointer dereference will result, leading to a crash and a denial of service\nattack. \n\nA server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which\nis the default configuration). \n\nThis issue was reported to OpenSSL on 17th March 2021 by Nokia. The fix was\ndeveloped by Peter K\u00e4stle and Samuel Sapalski from Nokia. \n\nNote\n====\n\nOpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended\nsupport is available for premium support customers:\nhttps://www.openssl.org/support/contracts.html\n\nOpenSSL 1.1.0 is out of support and no longer receiving updates of any kind. \n\nReferences\n==========\n\nURL for this Security Advisory:\nhttps://www.openssl.org/news/secadv/20210325.txt\n\nNote: the online version of the advisory may be updated with additional details\nover time. \n\nFor details of OpenSSL severity classifications please see:\nhttps://www.openssl.org/policies/secpolicy.html\n. \n\nBug Fix(es):\n\nThis update includes various bug fixes and enhancements. Bugs fixed (https://bugzilla.redhat.com/):\n\n1803849 - [RFE] Include per volume encryption with Vault integration in RHCS 4.1\n1814681 - [RFE] use topologySpreadConstraints to evenly spread OSDs across hosts\n1840004 - CVE-2020-7608 nodejs-yargs-parser: prototype pollution vulnerability\n1850089 - OBC CRD is outdated and leads to missing columns in get queries\n1860594 - Toolbox pod should have toleration for OCS tainted nodes\n1861104 - OCS podDisruptionBudget prevents successful OCP upgrades\n1861878 - [RFE] use appropriate PDB values for OSD\n1866301 - [RHOCS Usability Study][Installation] \u201cCreate storage cluster\u201d should be a part of the installation flow or need to be emphasized as a crucial step. \n1915261 - Deleted MCG CRs are stuck in a \u0027Deleting\u0027 state\n1915445 - Uninstall 4.7: Storagecluster deletion stuck on a partially created KMS enabled OCS cluster + support TLS configuration for KMS\n1915644 - update noobaa db label in must-gather to collect db pod in noobaa dir\n1915698 - There is missing noobaa-core-0 pod after upgrade from OCS 4.6 to OCS 4.7\n1915706 - [Azure][RBD] PV taking longer time ~ 9 minutes to get deleted\n1915730 - [ocs-operator] Create public route for ceph-rgw service\n1915737 - Improve ocs-operator logging during uninstall to be more verbose, to understand reasons for failures - e.g. In addition to persistent storage, Red Hat\nOpenShift Container Storage provisions a multicloud data management service\nwith an S3 compatible API. \n\nSecurity Fix(es):\n\n* NooBaa: noobaa-operator leaking RPC AuthToken into log files\n(CVE-2021-3528)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, and other related information, refer to the CVE page(s) listed in\nthe References section. \n\nBug Fix(es):\n\n* Currently, a newly restored PVC cannot be mounted if some of the\nOpenShift Container Platform nodes are running on a version of Red Hat\nEnterprise Linux which is less than 8.2, and the snapshot from which the\nPVC was restored is deleted. \nWorkaround: Do not delete the snapshot from which the PVC was restored\nuntil the restored PVC is deleted. (BZ#1962483)\n\n* Previously, the default backingstore was not created on AWS S3 when\nOpenShift Container Storage was deployed, due to incorrect identification\nof AWS S3. With this update, the default backingstore gets created when\nOpenShift Container Storage is deployed on AWS S3. (BZ#1927307)\n\n* Previously, log messages were printed to the endpoint pod log even if the\ndebug option was not set. With this update, the log messages are printed to\nthe endpoint pod log only when the debug option is set. (BZ#1938106)\n\n* Previously, the PVCs could not be provisioned as the `rook-ceph-mds` did\nnot register the pod IP on the monitor servers, and hence every mount on\nthe filesystem timed out, resulting in CephFS volume provisioning failure. \nWith this update, an argument `--public-addr=podIP` is added to the MDS pod\nwhen the host network is not enabled, and hence the CephFS volume\nprovisioning does not fail. (BZ#1949558)\n\n* Previously, OpenShift Container Storage 4.2 clusters were not updated\nwith the correct cache value, and hence MDSs in standby-replay might report\nan oversized cache, as rook did not apply the `mds_cache_memory_limit`\nargument during upgrades. With this update, the `mds_cache_memory_limit`\nargument is applied during upgrades and the mds daemon operates normally. \n(BZ#1951348)\n\n* Previously, the coredumps were not generated in the correct location as\nrook was setting the config option `log_file` to an empty string since\nlogging happened on stdout and not on the files, and hence Ceph read the\nvalue of the `log_file` to build the dump path. With this update, rook does\nnot set the `log_file` and keeps Ceph\u0027s internal default, and hence the\ncoredumps are generated in the correct location and are accessible under\n`/var/log/ceph/`. (BZ#1938049)\n\n* Previously, Ceph became inaccessible, as the mons lose quorum if a mon\npod was drained while another mon was failing over. With this update,\nvoluntary mon drains are prevented while a mon is failing over, and hence\nCeph does not become inaccessible. (BZ#1946573)\n\n* Previously, the mon quorum was at risk, as the operator could erroneously\nremove the new mon if the operator was restarted during a mon failover. \nWith this update, the operator completes the same mon failover after the\noperator is restarted, and hence the mon quorum is more reliable in the\nnode drains and mon failover scenarios. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. \n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1938106 - [GSS][RFE]Reduce debug level for logs of Nooba Endpoint pod\n1950915 - XSS Vulnerability with Noobaa version 5.5.0-3bacc6b\n1951348 - [GSS][CephFS] health warning \"MDS cache is too large (3GB/1GB); 0 inodes in use by clients, 0 stray files\" for the standby-replay\n1951600 - [4.6.z][Clone of BZ #1936545] setuid and setgid file bits are not retained after a OCS CephFS CSI restore\n1955601 - CVE-2021-3528 NooBaa: noobaa-operator leaking RPC AuthToken into log files\n1957189 - [Rebase] Use RHCS4.2z1 container image with OCS 4..6.5[may require doc update for external mode min supported RHCS version]\n1959980 - When a node is being drained, increase the mon failover timeout to prevent unnecessary mon failover\n1959983 - [GSS][mon] rook-operator scales mons to 4 after healthCheck timeout\n1962483 - [RHEL7][RBD][4.6.z clone] FailedMount error when using restored PVC on app pod\n\n5. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Moderate: OpenShift Container Platform 4.10.3 security update\nAdvisory ID: RHSA-2022:0056-01\nProduct: Red Hat OpenShift Enterprise\nAdvisory URL: https://access.redhat.com/errata/RHSA-2022:0056\nIssue date: 2022-03-10\nCVE Names: CVE-2014-3577 CVE-2016-10228 CVE-2017-14502 \n CVE-2018-20843 CVE-2018-1000858 CVE-2019-8625 \n CVE-2019-8710 CVE-2019-8720 CVE-2019-8743 \n CVE-2019-8764 CVE-2019-8766 CVE-2019-8769 \n CVE-2019-8771 CVE-2019-8782 CVE-2019-8783 \n CVE-2019-8808 CVE-2019-8811 CVE-2019-8812 \n CVE-2019-8813 CVE-2019-8814 CVE-2019-8815 \n CVE-2019-8816 CVE-2019-8819 CVE-2019-8820 \n CVE-2019-8823 CVE-2019-8835 CVE-2019-8844 \n CVE-2019-8846 CVE-2019-9169 CVE-2019-13050 \n CVE-2019-13627 CVE-2019-14889 CVE-2019-15903 \n CVE-2019-19906 CVE-2019-20454 CVE-2019-20807 \n CVE-2019-25013 CVE-2020-1730 CVE-2020-3862 \n CVE-2020-3864 CVE-2020-3865 CVE-2020-3867 \n CVE-2020-3868 CVE-2020-3885 CVE-2020-3894 \n CVE-2020-3895 CVE-2020-3897 CVE-2020-3899 \n CVE-2020-3900 CVE-2020-3901 CVE-2020-3902 \n CVE-2020-8927 CVE-2020-9802 CVE-2020-9803 \n CVE-2020-9805 CVE-2020-9806 CVE-2020-9807 \n CVE-2020-9843 CVE-2020-9850 CVE-2020-9862 \n CVE-2020-9893 CVE-2020-9894 CVE-2020-9895 \n CVE-2020-9915 CVE-2020-9925 CVE-2020-9952 \n CVE-2020-10018 CVE-2020-11793 CVE-2020-13434 \n CVE-2020-14391 CVE-2020-15358 CVE-2020-15503 \n CVE-2020-25660 CVE-2020-25677 CVE-2020-27618 \n CVE-2020-27781 CVE-2020-29361 CVE-2020-29362 \n CVE-2020-29363 CVE-2021-3121 CVE-2021-3326 \n CVE-2021-3449 CVE-2021-3450 CVE-2021-3516 \n CVE-2021-3517 CVE-2021-3518 CVE-2021-3520 \n CVE-2021-3521 CVE-2021-3537 CVE-2021-3541 \n CVE-2021-3733 CVE-2021-3749 CVE-2021-20305 \n CVE-2021-21684 CVE-2021-22946 CVE-2021-22947 \n CVE-2021-25215 CVE-2021-27218 CVE-2021-30666 \n CVE-2021-30761 CVE-2021-30762 CVE-2021-33928 \n CVE-2021-33929 CVE-2021-33930 CVE-2021-33938 \n CVE-2021-36222 CVE-2021-37750 CVE-2021-39226 \n CVE-2021-41190 CVE-2021-43813 CVE-2021-44716 \n CVE-2021-44717 CVE-2022-0532 CVE-2022-21673 \n CVE-2022-24407 \n=====================================================================\n\n1. Summary:\n\nRed Hat OpenShift Container Platform release 4.10.3 is now available with\nupdates to packages and images that fix several bugs and add enhancements. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Description:\n\nRed Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments. \n\nThis advisory contains the container images for Red Hat OpenShift Container\nPlatform 4.10.3. See the following advisory for the RPM packages for this\nrelease:\n\nhttps://access.redhat.com/errata/RHSA-2022:0055\n\nSpace precludes documenting all of the container images in this advisory. \nSee the following Release Notes documentation, which will be updated\nshortly for this release, for details about these changes:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nSecurity Fix(es):\n\n* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index\nvalidation (CVE-2021-3121)\n* grafana: Snapshot authentication bypass (CVE-2021-39226)\n* golang: net/http: limit growth of header canonicalization cache\n(CVE-2021-44716)\n* nodejs-axios: Regular expression denial of service in trim function\n(CVE-2021-3749)\n* golang: syscall: don\u0027t close fd 0 on ForkExec error (CVE-2021-44717)\n* grafana: Forward OAuth Identity Token can allow users to access some data\nsources (CVE-2022-21673)\n* grafana: directory traversal vulnerability (CVE-2021-43813)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\nYou may download the oc tool and use it to inspect release image metadata\nas follows:\n\n(For x86_64 architecture)\n\n$ oc adm release info\nquay.io/openshift-release-dev/ocp-release:4.10.3-x86_64\n\nThe image digest is\nsha256:7ffe4cd612be27e355a640e5eec5cd8f923c1400d969fd590f806cffdaabcc56\n\n(For s390x architecture)\n\n $ oc adm release info\nquay.io/openshift-release-dev/ocp-release:4.10.3-s390x\n\nThe image digest is\nsha256:4cf21a9399da1ce8427246f251ae5dedacfc8c746d2345f9cfe039ed9eda3e69\n\n(For ppc64le architecture)\n\n $ oc adm release info\nquay.io/openshift-release-dev/ocp-release:4.10.3-ppc64le\n\nThe image digest is\nsha256:4ee571da1edf59dfee4473aa4604aba63c224bf8e6bcf57d048305babbbde93c\n\nAll OpenShift Container Platform 4.10 users are advised to upgrade to these\nupdated packages and images when they are available in the appropriate\nrelease channel. To check for available updates, use the OpenShift Console\nor the CLI oc command. Instructions for upgrading a cluster are available\nat\nhttps://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html\n\n3. Solution:\n\nFor OpenShift Container Platform 4.10 see the following documentation,\nwhich will be updated shortly for this release, for moderate instructions\non how to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html\n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1808240 - Always return metrics value for pods under the user\u0027s namespace\n1815189 - feature flagged UI does not always become available after operator installation\n1825034 - e2e: Mock CSI tests fail on IBM ROKS clusters\n1826225 - edge terminated h2 (gRPC) connections need a haproxy template change to work correctly\n1860774 - csr for vSphere egress nodes were not approved automatically during cert renewal\n1878106 - token inactivity timeout is not shortened after oauthclient/oauth config values are lowered\n1878925 - \u0027oc adm upgrade --to ...\u0027 rejects versions which occur only in history, while the cluster-version operator supports history fallback\n1880738 - origin e2e test deletes original worker\n1882983 - oVirt csi driver should refuse to provision RWX and ROX PV\n1886450 - Keepalived router id check not documented for RHV/VMware IPI\n1889488 - The metrics endpoint for the Scheduler is not protected by RBAC\n1894431 - Router pods fail to boot if the SSL certificate applied is missing an empty line at the bottom\n1896474 - Path based routing is broken for some combinations\n1897431 - CIDR support for additional network attachment with the bridge CNI plug-in\n1903408 - NodePort externalTrafficPolicy does not work for ovn-kubernetes\n1907433 - Excessive logging in image operator\n1909906 - The router fails with PANIC error when stats port already in use\n1911173 - [MSTR-998] Many charts\u0027 legend names show {{}} instead of words\n1914053 - pods assigned with Multus whereabouts IP get stuck in ContainerCreating state after node rebooting. \n1916169 - a reboot while MCO is applying changes leaves the node in undesirable state and MCP looks fine (UPDATED=true)\n1917893 - [ovirt] install fails: due to terraform error \"Cannot attach Virtual Disk: Disk is locked\" on vm resource\n1921627 - GCP UPI installation failed due to exceeding gcp limitation of instance group name\n1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation\n1926522 - oc adm catalog does not clean temporary files\n1927478 - Default CatalogSources deployed by marketplace do not have toleration for tainted nodes. \n1928141 - kube-storage-version-migrator constantly reporting type \"Upgradeable\" status Unknown\n1928285 - [LSO][OCS][arbiter] OCP Console shows no results while in fact underlying setup of LSO localvolumeset and it\u0027s storageclass is not yet finished, confusing users\n1931594 - [sig-cli] oc --request-timeout works as expected fails frequently on s390x\n1933847 - Prometheus goes unavailable (both instances down) during 4.8 upgrade\n1937085 - RHV UPI inventory playbook missing guarantee_memory\n1937196 - [aws ebs csi driver] events for block volume expansion may cause confusion\n1938236 - vsphere-problem-detector does not support overriding log levels via storage CR\n1939401 - missed labels for CMO/openshift-state-metric/telemeter-client/thanos-querier pods\n1939435 - Setting an IPv6 address in noProxy field causes error in openshift installer\n1939552 - [sig-api-machinery] CustomResourcePublishOpenAPI [Privileged:ClusterAdmin] works for CRD preserving unknown fields in an embedded object [Conformance] [Suite:openshift/conformance/parallel/minimal] [Suite:k8s]\n1942913 - ThanosSidecarUnhealthy isn\u0027t resilient to WAL replays. \n1943363 - [ovn] CNO should gracefully terminate ovn-northd\n1945274 - ostree-finalize-staged.service failed while upgrading a rhcos node to 4.6.17\n1948080 - authentication should not set Available=False APIServices_Error with 503s\n1949262 - Prometheus Statefulsets should have 2 replicas and hard affinity set\n1949672 - [GCP] Update 4.8 UPI template to match ignition version: 3.2.0\n1950827 - [LSO] localvolumediscoveryresult name is not friendly to customer\n1952576 - csv_succeeded metric not present in olm-operator for all successful CSVs\n1953264 - \"remote error: tls: bad certificate\" logs in prometheus-operator container\n1955300 - Machine config operator reports unavailable for 23m during upgrade\n1955489 - Alertmanager Statefulsets should have 2 replicas and hard affinity set\n1955490 - Thanos ruler Statefulsets should have 2 replicas and hard affinity set\n1955544 - [IPI][OSP] densed master-only installation with 0 workers fails due to missing worker security group on masters\n1956496 - Needs SR-IOV Docs Upstream\n1956739 - Permission for authorized_keys for core user changes from core user to root when changed the pull secret\n1956776 - [vSphere] Installer should do pre-check to ensure user-provided network name is valid\n1956964 - upload a boot-source to OpenShift virtualization using the console\n1957547 - [RFE]VM name is not auto filled in dev console\n1958349 - ovn-controller doesn\u0027t release the memory after cluster-density run\n1959352 - [scale] failed to get pod annotation: timed out waiting for annotations\n1960378 - icsp allows mirroring of registry root - install-config imageContentSources does not\n1960674 - Broken test: [sig-imageregistry][Serial][Suite:openshift/registry/serial] Image signature workflow can push a signed image to openshift registry and verify it [Suite:openshift/conformance/serial]\n1961317 - storage ClusterOperator does not declare ClusterRoleBindings in relatedObjects\n1961391 - String updates\n1961509 - DHCP daemon pod should have CPU and memory requests set but not limits\n1962066 - Edit machine/machineset specs not working\n1962206 - openshift-multus/dhcp-daemon set should meet platform requirements for update strategy that have maxUnavailable update of 10 or 33 percent\n1963053 - `oc whoami --show-console` should show the web console URL, not the server api URL\n1964112 - route SimpleAllocationPlugin: host name validation errors: spec.host: Invalid value: ... must be no more than 63 characters\n1964327 - Support containers with name:tag@digest\n1964789 - Send keys and disconnect does not work for VNC console\n1965368 - ClusterQuotaAdmission received non-meta object - message constantly reported in OpenShift Container Platform 4.7\n1966445 - Unmasking a service doesn\u0027t work if it masked using MCO\n1966477 - Use GA version in KAS/OAS/OauthAS to avoid: \"audit.k8s.io/v1beta1\" is deprecated and will be removed in a future release, use \"audit.k8s.io/v1\" instead\n1966521 - kube-proxy\u0027s userspace implementation consumes excessive CPU\n1968364 - [Azure] when using ssh type ed25519 bootstrap fails to come up\n1970021 - nmstate does not persist its configuration due to overlay systemd-connections-merged mount\n1970218 - MCO writes incorrect file contents if compression field is specified\n1970331 - [sig-auth][Feature:SCC][Early] should not have pod creation failures during install [Suite:openshift/conformance/parallel]\n1970805 - Cannot create build when docker image url contains dir structure\n1972033 - [azure] PV region node affinity is failure-domain.beta.kubernetes.io instead of topology.kubernetes.io\n1972827 - image registry does not remain available during upgrade\n1972962 - Should set the minimum value for the `--max-icsp-size` flag of `oc adm catalog mirror`\n1973447 - ovn-dbchecker peak memory spikes to ~500MiB during cluster-density run\n1975826 - ovn-kubernetes host directed traffic cannot be offloaded as CT zone 64000 is not established\n1976301 - [ci] e2e-azure-upi is permafailing\n1976399 - During the upgrade from OpenShift 4.5 to OpenShift 4.6 the election timers for the OVN north and south databases did not change. \n1976674 - CCO didn\u0027t set Upgradeable to False when cco mode is configured to Manual on azure platform\n1976894 - Unidling a StatefulSet does not work as expected\n1977319 - [Hive] Remove stale cruft installed by CVO in earlier releases\n1977414 - Build Config timed out waiting for condition 400: Bad Request\n1977929 - [RFE] Display Network Attachment Definitions from openshift-multus namespace during OCS deployment via UI using Multus\n1978528 - systemd-coredump started and failed intermittently for unknown reasons\n1978581 - machine-config-operator: remove runlevel from mco namespace\n1979562 - Cluster operators: don\u0027t show messages when neither progressing, degraded or unavailable\n1979962 - AWS SDN Network Stress tests have not passed in 4.9 release-openshift-origin-installer-e2e-aws-sdn-network-stress-4.9\n1979966 - OCP builds always fail when run on RHEL7 nodes\n1981396 - Deleting pool inside pool page the pool stays in Ready phase in the heading\n1981549 - Machine-config daemon does not recover from broken Proxy configuration\n1981867 - [sig-cli] oc explain should contain proper fields description for special types [Suite:openshift/conformance/parallel]\n1981941 - Terraform upgrade required in openshift-installer to resolve multiple issues\n1982063 - \u0027Control Plane\u0027 is not translated in Simplified Chinese language in Home-\u003eOverview page\n1982498 - Default registry credential path should be adjusted to use containers/auth.json for oc commands\n1982662 - Workloads - DaemonSets - Add storage: i18n misses\n1982726 - kube-apiserver audit logs show a lot of 404 errors for DELETE \"*/secrets/encryption-config\" on single node clusters\n1983758 - upgrades are failing on disruptive tests\n1983964 - Need Device plugin configuration for the NIC \"needVhostNet\" \u0026 \"isRdma\"\n1984592 - global pull secret not working in OCP4.7.4+ for additional private registries\n1985073 - new-in-4.8 ExtremelyHighIndividualControlPlaneCPU fires on some GCP update jobs\n1985486 - Cluster Proxy not used during installation on OSP with Kuryr\n1985724 - VM Details Page missing translations\n1985838 - [OVN] CNO exportNetworkFlows does not clear collectors when deleted\n1985933 - Downstream image registry recommendation\n1985965 - oVirt CSI driver does not report volume stats\n1986216 - [scale] SNO: Slow Pod recovery due to \"timed out waiting for OVS port binding\"\n1986237 - \"MachineNotYetDeleted\" in Pending state , alert not fired\n1986239 - crictl create fails with \"PID namespace requested, but sandbox infra container invalid\"\n1986302 - console continues to fetch prometheus alert and silences for normal user\n1986314 - Current MTV installation for KubeVirt import flow creates unusable Forklift UI\n1986338 - error creating list of resources in Import YAML\n1986502 - yaml multi file dnd duplicates previous dragged files\n1986819 - fix string typos for hot-plug disks\n1987044 - [OCPV48] Shutoff VM is being shown as \"Starting\" in WebUI when using spec.runStrategy Manual/RerunOnFailure\n1987136 - Declare operatorframework.io/arch.* labels for all operators\n1987257 - Go-http-client user-agent being used for oc adm mirror requests\n1987263 - fsSpaceFillingUpWarningThreshold not aligned to Kubernetes Garbage Collection Threshold\n1987445 - MetalLB integration: All gateway routers in the cluster answer ARP requests for LoadBalancer services IP\n1988406 - SSH key dropped when selecting \"Customize virtual machine\" in UI\n1988440 - Network operator changes ovnkube-config too early causing ovnkube-master pods to crashloop during cluster upgrade\n1988483 - Azure drop ICMP need to frag FRAG when using OVN: openshift-apiserver becomes False after env runs some time due to communication between one master to pods on another master fails with \"Unable to connect to the server\"\n1988879 - Virtual media based deployment fails on Dell servers due to pending Lifecycle Controller jobs\n1989438 - expected replicas is wrong\n1989502 - Developer Catalog is disappearing after short time\n1989843 - \u0027More\u0027 and \u0027Show Less\u0027 functions are not translated on several page\n1990014 - oc debug \u003cpod-name\u003e does not work for Windows pods\n1990190 - e2e testing failed with basic manifest: reason/ExternalProvisioning waiting for a volume to be created\n1990193 - \u0027more\u0027 and \u0027Show Less\u0027 is not being translated on Home -\u003e Search page\n1990255 - Partial or all of the Nodes/StorageClasses don\u0027t appear back on UI after text is removed from search bar\n1990489 - etcdHighNumberOfFailedGRPCRequests fires only on metal env in CI\n1990506 - Missing udev rules in initramfs for /dev/disk/by-id/scsi-* symlinks\n1990556 - get-resources.sh doesn\u0027t honor the no_proxy settings even with no_proxy var\n1990625 - Ironic agent registers with SLAAC address with privacy-stable\n1990635 - CVO does not recognize the channel change if desired version and channel changed at the same time\n1991067 - github.com can not be resolved inside pods where cluster is running on openstack. \n1991573 - Enable typescript strictNullCheck on network-policies files\n1991641 - Baremetal Cluster Operator still Available After Delete Provisioning\n1991770 - The logLevel and operatorLogLevel values do not work with Cloud Credential Operator\n1991819 - Misspelled word \"ocurred\" in oc inspect cmd\n1991942 - Alignment and spacing fixes\n1992414 - Two rootdisks show on storage step if \u0027This is a CD-ROM boot source\u0027 is checked\n1992453 - The configMap failed to save on VM environment tab\n1992466 - The button \u0027Save\u0027 and \u0027Reload\u0027 are not translated on vm environment tab\n1992475 - The button \u0027Open console in New Window\u0027 and \u0027Disconnect\u0027 are not translated on vm console tab\n1992509 - Could not customize boot source due to source PVC not found\n1992541 - all the alert rules\u0027 annotations \"summary\" and \"description\" should comply with the OpenShift alerting guidelines\n1992580 - storageProfile should stay with the same value by check/uncheck the apply button\n1992592 - list-type missing in oauth.config.openshift.io for identityProviders breaking Server Side Apply\n1992777 - [IBMCLOUD] Default \"ibm_iam_authorization_policy\" is not working as expected in all scenarios\n1993364 - cluster destruction fails to remove router in BYON with Kuryr as primary network (even after BZ 1940159 got fixed)\n1993376 - periodic-ci-openshift-release-master-ci-4.6-upgrade-from-stable-4.5-e2e-azure-upgrade is permfailing\n1994094 - Some hardcodes are detected at the code level in OpenShift console components\n1994142 - Missing required cloud config fields for IBM Cloud\n1994733 - MetalLB: IP address is not assigned to service if there is duplicate IP address in two address pools\n1995021 - resolv.conf and corefile sync slows down/stops after keepalived container restart\n1995335 - [SCALE] ovnkube CNI: remove ovs flows check\n1995493 - Add Secret to workload button and Actions button are not aligned on secret details page\n1995531 - Create RDO-based Ironic image to be promoted to OKD\n1995545 - Project drop-down amalgamates inside main screen while creating storage system for odf-operator\n1995887 - [OVN]After reboot egress node, lr-policy-list was not correct, some duplicate records or missed internal IPs\n1995924 - CMO should report `Upgradeable: false` when HA workload is incorrectly spread\n1996023 - kubernetes.io/hostname values are larger than filter when create localvolumeset from webconsole\n1996108 - Allow backwards compatibility of shared gateway mode to inject host-based routes into OVN\n1996624 - 100% of the cco-metrics/cco-metrics targets in openshift-cloud-credential-operator namespace are down\n1996630 - Fail to delete the first Authorized SSH Key input box on Advanced page\n1996647 - Provide more useful degraded message in auth operator on DNS errors\n1996736 - Large number of 501 lr-policies in INCI2 env\n1996886 - timedout waiting for flows during pod creation and ovn-controller pegged on worker nodes\n1996916 - Special Resource Operator(SRO) - Fail to deploy simple-kmod on GCP\n1996928 - Enable default operator indexes on ARM\n1997028 - prometheus-operator update removes env var support for thanos-sidecar\n1997059 - Failed to create cluster in AWS us-east-1 region due to a local zone is used\n1997226 - Ingresscontroller reconcilations failing but not shown in operator logs or status of ingresscontroller. \n1997245 - \"Subscription already exists in openshift-storage namespace\" error message is seen while installing odf-operator via UI\n1997269 - Have to refresh console to install kube-descheduler\n1997478 - Storage operator is not available after reboot cluster instances\n1997509 - flake: [sig-cli] oc builds new-build [Skipped:Disconnected] [Suite:openshift/conformance/parallel]\n1997967 - storageClass is not reserved from default wizard to customize wizard\n1998035 - openstack IPI CI: custom var-lib-etcd.mount (ramdisk) unit is racing due to incomplete After/Before order\n1998038 - [e2e][automation] add tests for UI for VM disk hot-plug\n1998087 - Fix CephHealthCheck wrapping contents and add data-tests for HealthItem and SecondaryStatus\n1998174 - Create storageclass gp3-csi after install ocp cluster on aws\n1998183 - \"r: Bad Gateway\" info is improper\n1998235 - Firefox warning: Cookie \u201ccsrf-token\u201d will be soon rejected\n1998377 - Filesystem table head is not full displayed in disk tab\n1998378 - Virtual Machine is \u0027Not available\u0027 in Home -\u003e Overview -\u003e Cluster inventory\n1998519 - Add fstype when create localvolumeset instance on web console\n1998951 - Keepalived conf ingress peer on in Dual stack cluster contains both IPv6 and IPv4 addresses\n1999076 - [UI] Page Not Found error when clicking on Storage link provided in Overview page\n1999079 - creating pods before sriovnetworknodepolicy sync up succeed will cause node unschedulable\n1999091 - Console update toast notification can appear multiple times\n1999133 - removing and recreating static pod manifest leaves pod in error state\n1999246 - .indexignore is not ingore when oc command load dc configuration\n1999250 - ArgoCD in GitOps operator can\u0027t manage namespaces\n1999255 - ovnkube-node always crashes out the first time it starts\n1999261 - ovnkube-node log spam (and security token leak?)\n1999309 - While installing odf-operator via UI, web console update pop-up navigates to OperatorHub -\u003e Operator Installation page\n1999314 - console-operator is slow to mark Degraded as False once console starts working\n1999425 - kube-apiserver with \"[SHOULD NOT HAPPEN] failed to update managedFields\" err=\"failed to convert new object (machine.openshift.io/v1beta1, Kind=MachineHealthCheck)\n1999556 - \"master\" pool should be updated before the CVO reports available at the new version occurred\n1999578 - AWS EFS CSI tests are constantly failing\n1999603 - Memory Manager allows Guaranteed QoS Pod with hugepages requested is exactly equal to the left over Hugepages\n1999619 - cloudinit is malformatted if a user sets a password during VM creation flow\n1999621 - Empty ssh_authorized_keys entry is added to VM\u0027s cloudinit if created from a customize flow\n1999649 - MetalLB: Only one type of IP address can be assigned to service on dual stack cluster from a address pool that have both IPv4 and IPv6 addresses defined\n1999668 - openshift-install destroy cluster panic\u0027s when given invalid credentials to cloud provider (Azure Stack Hub)\n1999734 - IBM Cloud CIS Instance CRN missing in infrastructure manifest/resource\n1999771 - revert \"force cert rotation every couple days for development\" in 4.10\n1999784 - CVE-2021-3749 nodejs-axios: Regular expression denial of service in trim function\n1999796 - Openshift Console `Helm` tab is not showing helm releases in a namespace when there is high number of deployments in the same namespace. \n1999836 - Admin web-console inconsistent status summary of sparse ClusterOperator conditions\n1999903 - Click \"This is a CD-ROM boot source\" ticking \"Use template size PVC\" on pvc upload form\n1999983 - No way to clear upload error from template boot source\n2000081 - [IPI baremetal] The metal3 pod failed to restart when switching from Disabled to Managed provisioning without specifying provisioningInterface parameter\n2000096 - Git URL is not re-validated on edit build-config form reload\n2000216 - Successfully imported ImageStreams are not resolved in DeploymentConfig\n2000236 - Confusing usage message from dynkeepalived CLI\n2000268 - Mark cluster unupgradable if vcenter, esxi versions or HW versions are unsupported\n2000430 - bump cluster-api-provider-ovirt version in installer\n2000450 - 4.10: Enable static PV multi-az test\n2000490 - All critical alerts shipped by CMO should have links to a runbook\n2000521 - Kube-apiserver CO degraded due to failed conditional check (ConfigObservationDegraded)\n2000573 - Incorrect StorageCluster CR created and ODF cluster getting installed with 2 Zone OCP cluster\n2000628 - ibm-flashsystem-storage-storagesystem got created without any warning even when the attempt was cancelled\n2000651 - ImageStreamTag alias results in wrong tag and invalid link in Web Console\n2000754 - IPerf2 tests should be lower\n2000846 - Structure logs in the entire codebase of Local Storage Operator\n2000872 - [tracker] container is not able to list on some directories within the nfs after upgrade to 4.7.24\n2000877 - OCP ignores STOPSIGNAL in Dockerfile and sends SIGTERM\n2000938 - CVO does not respect changes to a Deployment strategy\n2000963 - \u0027Inline-volume (default fs)] volumes should store data\u0027 tests are failing on OKD with updated selinux-policy\n2001008 - [MachineSets] CloneMode defaults to linkedClone, but I don\u0027t have snapshot and should be fullClone\n2001240 - Remove response headers for downloads of binaries from OpenShift WebConsole\n2001295 - Remove openshift:kubevirt-machine-controllers decleration from machine-api\n2001317 - OCP Platform Quota Check - Inaccurate MissingQuota error\n2001337 - Details Card in ODF Dashboard mentions OCS\n2001339 - fix text content hotplug\n2001413 - [e2e][automation] add/delete nic and disk to template\n2001441 - Test: oc adm must-gather runs successfully for audit logs - fail due to startup log\n2001442 - Empty termination.log file for the kube-apiserver has too permissive mode\n2001479 - IBM Cloud DNS unable to create/update records\n2001566 - Enable alerts for prometheus operator in UWM\n2001575 - Clicking on the perspective switcher shows a white page with loader\n2001577 - Quick search placeholder is not displayed properly when the search string is removed\n2001578 - [e2e][automation] add tests for vm dashboard tab\n2001605 - PVs remain in Released state for a long time after the claim is deleted\n2001617 - BucketClass Creation is restricted on 1st page but enabled using side navigation options\n2001620 - Cluster becomes degraded if it can\u0027t talk to Manila\n2001760 - While creating \u0027Backing Store\u0027, \u0027Bucket Class\u0027, \u0027Namespace Store\u0027 user is navigated to \u0027Installed Operators\u0027 page after clicking on ODF\n2001761 - Unable to apply cluster operator storage for SNO on GCP platform. \n2001765 - Some error message in the log of diskmaker-manager caused confusion\n2001784 - show loading page before final results instead of showing a transient message No log files exist\n2001804 - Reload feature on Environment section in Build Config form does not work properly\n2001810 - cluster admin unable to view BuildConfigs in all namespaces\n2001817 - Failed to load RoleBindings list that will lead to \u2018Role name\u2019 is not able to be selected on Create RoleBinding page as well\n2001823 - OCM controller must update operator status\n2001825 - [SNO]ingress/authentication clusteroperator degraded when enable ccm from start\n2001835 - Could not select image tag version when create app from dev console\n2001855 - Add capacity is disabled for ocs-storagecluster\n2001856 - Repeating event: MissingVersion no image found for operand pod\n2001959 - Side nav list borders don\u0027t extend to edges of container\n2002007 - Layout issue on \"Something went wrong\" page\n2002010 - ovn-kube may never attempt to retry a pod creation\n2002012 - Cannot change volume mode when cloning a VM from a template\n2002027 - Two instances of Dotnet helm chart show as one in topology\n2002075 - opm render does not automatically pulling in the image(s) used in the deployments\n2002121 - [OVN] upgrades failed for IPI OSP16 OVN IPSec cluster\n2002125 - Network policy details page heading should be updated to Network Policy details\n2002133 - [e2e][automation] add support/virtualization and improve deleteResource\n2002134 - [e2e][automation] add test to verify vm details tab\n2002215 - Multipath day1 not working on s390x\n2002238 - Image stream tag is not persisted when switching from yaml to form editor\n2002262 - [vSphere] Incorrect user agent in vCenter sessions list\n2002266 - SinkBinding create form doesn\u0027t allow to use subject name, instead of label selector\n2002276 - OLM fails to upgrade operators immediately\n2002300 - Altering the Schedule Profile configurations doesn\u0027t affect the placement of the pods\n2002354 - Missing DU configuration \"Done\" status reporting during ZTP flow\n2002362 - Dynamic Plugin - ConsoleRemotePlugin for webpack doesn\u0027t use commonjs\n2002368 - samples should not go degraded when image allowedRegistries blocks imagestream creation\n2002372 - Pod creation failed due to mismatched pod IP address in CNI and OVN\n2002397 - Resources search is inconsistent\n2002434 - CRI-O leaks some children PIDs\n2002443 - Getting undefined error on create local volume set page\n2002461 - DNS operator performs spurious updates in response to API\u0027s defaulting of service\u0027s internalTrafficPolicy\n2002504 - When the openshift-cluster-storage-operator is degraded because of \"VSphereProblemDetectorController_SyncError\", the insights operator is not sending the logs from all pods. \n2002559 - User preference for topology list view does not follow when a new namespace is created\n2002567 - Upstream SR-IOV worker doc has broken links\n2002588 - Change text to be sentence case to align with PF\n2002657 - ovn-kube egress IP monitoring is using a random port over the node network\n2002713 - CNO: OVN logs should have millisecond resolution\n2002748 - [ICNI2] \u0027ErrorAddingLogicalPort\u0027 failed to handle external GW check: timeout waiting for namespace event\n2002759 - Custom profile should not allow not including at least one required HTTP2 ciphersuite\n2002763 - Two storage systems getting created with external mode RHCS\n2002808 - KCM does not use web identity credentials\n2002834 - Cluster-version operator does not remove unrecognized volume mounts\n2002896 - Incorrect result return when user filter data by name on search page\n2002950 - Why spec.containers.command is not created with \"oc create deploymentconfig \u003cdc-name\u003e --image=\u003cimage\u003e -- \u003ccommand\u003e\"\n2003096 - [e2e][automation] check bootsource URL is displaying on review step\n2003113 - OpenShift Baremetal IPI installer uses first three defined nodes under hosts in install-config for master nodes instead of filtering the hosts with the master role\n2003120 - CI: Uncaught error with ResizeObserver on operand details page\n2003145 - Duplicate operand tab titles causes \"two children with the same key\" warning\n2003164 - OLM, fatal error: concurrent map writes\n2003178 - [FLAKE][knative] The UI doesn\u0027t show updated traffic distribution after accepting the form\n2003193 - Kubelet/crio leaks netns and veth ports in the host\n2003195 - OVN CNI should ensure host veths are removed\n2003204 - Jenkins all new container images (openshift4/ose-jenkins) not supporting \u0027-e JENKINS_PASSWORD=password\u0027 ENV which was working for old container images\n2003206 - Namespace stuck terminating: Failed to delete all resource types, 1 remaining: unexpected items still remain in namespace\n2003239 - \"[sig-builds][Feature:Builds][Slow] can use private repositories as build input\" tests fail outside of CI\n2003244 - Revert libovsdb client code\n2003251 - Patternfly components with list element has list item bullet when they should not. \n2003252 - \"[sig-builds][Feature:Builds][Slow] starting a build using CLI start-build test context override environment BUILD_LOGLEVEL in buildconfig\" tests do not work as expected outside of CI\n2003269 - Rejected pods should be filtered from admission regression\n2003357 - QE- Removing the epic tags for gherkin tags related to 4.9 Release\n2003426 - [e2e][automation] add test for vm details bootorder\n2003496 - [e2e][automation] add test for vm resources requirment settings\n2003641 - All metal ipi jobs are failing in 4.10\n2003651 - ODF4.9+LSO4.8 installation via UI, StorageCluster move to error state\n2003655 - [IPI ON-PREM] Keepalived chk_default_ingress track script failed even though default router pod runs on node\n2003683 - Samples operator is panicking in CI\n2003711 - [UI] Empty file ceph-external-cluster-details-exporter.py downloaded from external cluster \"Connection Details\" page\n2003715 - Error on creating local volume set after selection of the volume mode\n2003743 - Remove workaround keeping /boot RW for kdump support\n2003775 - etcd pod on CrashLoopBackOff after master replacement procedure\n2003788 - CSR reconciler report error constantly when BYOH CSR approved by other Approver\n2003792 - Monitoring metrics query graph flyover panel is useless\n2003808 - Add Sprint 207 translations\n2003845 - Project admin cannot access image vulnerabilities view\n2003859 - sdn emits events with garbage messages\n2003896 - (release-4.10) ApiRequestCounts conditional gatherer\n2004009 - 4.10: Fix multi-az zone scheduling e2e for 5 control plane replicas\n2004051 - CMO can report as being Degraded while node-exporter is deployed on all nodes\n2004059 - [e2e][automation] fix current tests for downstream\n2004060 - Trying to use basic spring boot sample causes crash on Firefox\n2004101 - [UI] When creating storageSystem deployment type dropdown under advanced setting doesn\u0027t close after selection\n2004127 - [flake] openshift-controller-manager event reason/SuccessfulDelete occurs too frequently\n2004203 - build config\u0027s created prior to 4.8 with image change triggers can result in trigger storm in OCM/openshift-apiserver\n2004313 - [RHOCP 4.9.0-rc.0] Failing to deploy Azure cluster from the macOS installer - ignition_bootstrap.ign: no such file or directory\n2004449 - Boot option recovery menu prevents image boot\n2004451 - The backup filename displayed in the RecentBackup message is incorrect\n2004459 - QE - Modified the AddFlow gherkin scripts and automation scripts\n2004508 - TuneD issues with the recent ConfigParser changes. \n2004510 - openshift-gitops operator hooks gets unauthorized (401) errors during jobs executions\n2004542 - [osp][octavia lb] cannot create LoadBalancer type svcs\n2004578 - Monitoring and node labels missing for an external storage platform\n2004585 - prometheus-k8s-0 cpu usage keeps increasing for the first 3 days\n2004596 - [4.10] Bootimage bump tracker\n2004597 - Duplicate ramdisk log containers running\n2004600 - Duplicate ramdisk log containers running\n2004609 - output of \"crictl inspectp\" is not complete\n2004625 - BMC credentials could be logged if they change\n2004632 - When LE takes a large amount of time, multiple whereabouts are seen\n2004721 - ptp/worker custom threshold doesn\u0027t change ptp events threshold\n2004736 - [knative] Create button on new Broker form is inactive despite form being filled\n2004796 - [e2e][automation] add test for vm scheduling policy\n2004814 - (release-4.10) OCM controller - change type of the etc-pki-entitlement secret to opaque\n2004870 - [External Mode] Insufficient spacing along y-axis in RGW Latency Performance Card\n2004901 - [e2e][automation] improve kubevirt devconsole tests\n2004962 - Console frontend job consuming too much CPU in CI\n2005014 - state of ODF StorageSystem is misreported during installation or uninstallation\n2005052 - Adding a MachineSet selector matchLabel causes orphaned Machines\n2005179 - pods status filter is not taking effect\n2005182 - sync list of deprecated apis about to be removed\n2005282 - Storage cluster name is given as title in StorageSystem details page\n2005355 - setuptools 58 makes Kuryr CI fail\n2005407 - ClusterNotUpgradeable Alert should be set to Severity Info\n2005415 - PTP operator with sidecar api configured throws bind: address already in use\n2005507 - SNO spoke cluster failing to reach coreos.live.rootfs_url is missing url in console\n2005554 - The switch status of the button \"Show default project\" is not revealed correctly in code\n2005581 - 4.8.12 to 4.9 upgrade hung due to cluster-version-operator pod CrashLoopBackOff: error creating clients: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable\n2005761 - QE - Implementing crw-basic feature file\n2005783 - Fix accessibility issues in the \"Internal\" and \"Internal - Attached Mode\" Installation Flow\n2005811 - vSphere Problem Detector operator - ServerFaultCode: InvalidProperty\n2005854 - SSH NodePort service is created for each VM\n2005901 - KS, KCM and KA going Degraded during master nodes upgrade\n2005902 - Current UI flow for MCG only deployment is confusing and doesn\u0027t reciprocate any message to the end-user\n2005926 - PTP operator NodeOutOfPTPSync rule is using max offset from the master instead of openshift_ptp_clock_state metrics\n2005971 - Change telemeter to report the Application Services product usage metrics\n2005997 - SELinux domain container_logreader_t does not have a policy to follow sym links for log files\n2006025 - Description to use an existing StorageClass while creating StorageSystem needs to be re-phrased\n2006060 - ocs-storagecluster-storagesystem details are missing on UI for MCG Only and MCG only in LSO mode deployment types\n2006101 - Power off fails for drivers that don\u0027t support Soft power off\n2006243 - Metal IPI upgrade jobs are running out of disk space\n2006291 - bootstrapProvisioningIP set incorrectly when provisioningNetworkCIDR doesn\u0027t use the 0th address\n2006308 - Backing Store YAML tab on click displays a blank screen on UI\n2006325 - Multicast is broken across nodes\n2006329 - Console only allows Web Terminal Operator to be installed in OpenShift Operators\n2006364 - IBM Cloud: Set resourceGroupId for resourceGroups, not simply resource\n2006561 - [sig-instrumentation] Prometheus when installed on the cluster shouldn\u0027t have failing rules evaluation [Skipped:Disconnected] [Suite:openshift/conformance/parallel]\n2006690 - OS boot failure \"x64 Exception Type 06 - Invalid Opcode Exception\"\n2006714 - add retry for etcd errors in kube-apiserver\n2006767 - KubePodCrashLooping may not fire\n2006803 - Set CoreDNS cache entries for forwarded zones\n2006861 - Add Sprint 207 part 2 translations\n2006945 - race condition can cause crashlooping bootstrap kube-apiserver in cluster-bootstrap\n2006947 - e2e-aws-proxy for 4.10 is permafailing with samples operator errors\n2006975 - clusteroperator/etcd status condition should not change reasons frequently due to EtcdEndpointsDegraded\n2007085 - Intermittent failure mounting /run/media/iso when booting live ISO from USB stick\n2007136 - Creation of BackingStore, BucketClass, NamespaceStore fails\n2007271 - CI Integration for Knative test cases\n2007289 - kubevirt tests are failing in CI\n2007322 - Devfile/Dockerfile import does not work for unsupported git host\n2007328 - Updated patternfly to v4.125.3 and pf.quickstarts to v1.2.3. \n2007379 - Events are not generated for master offset for ordinary clock\n2007443 - [ICNI 2.0] Loadbalancer pods do not establish BFD sessions with all workers that host pods for the routed namespace\n2007455 - cluster-etcd-operator: render command should fail if machineCidr contains reserved address\n2007495 - Large label value for the metric kubelet_started_pods_errors_total with label message when there is a error\n2007522 - No new local-storage-operator-metadata-container is build for 4.10\n2007551 - No new ose-aws-efs-csi-driver-operator-bundle-container is build for 4.10\n2007580 - Azure cilium installs are failing e2e tests\n2007581 - Too many haproxy processes in default-router pod causing high load average after upgrade from v4.8.3 to v4.8.10\n2007677 - Regression: core container io performance metrics are missing for pod, qos, and system slices on nodes\n2007692 - 4.9 \"old-rhcos\" jobs are permafailing with storage test failures\n2007710 - ci/prow/e2e-agnostic-cmd job is failing on prow\n2007757 - must-gather extracts imagestreams in the \"openshift\" namespace, but not Templates\n2007802 - AWS machine actuator get stuck if machine is completely missing\n2008096 - TestAWSFinalizerDeleteS3Bucket sometimes fails to teardown operator\n2008119 - The serviceAccountIssuer field on Authentication CR is reseted to \u201c\u201d when installation process\n2008151 - Topology breaks on clicking in empty state\n2008185 - Console operator go.mod should use go 1.16.version\n2008201 - openstack-az job is failing on haproxy idle test\n2008207 - vsphere CSI driver doesn\u0027t set resource limits\n2008223 - gather_audit_logs: fix oc command line to get the current audit profile\n2008235 - The Save button in the Edit DC form remains disabled\n2008256 - Update Internationalization README with scope info\n2008321 - Add correct documentation link for MON_DISK_LOW\n2008462 - Disable PodSecurity feature gate for 4.10\n2008490 - Backing store details page does not contain all the kebab actions. \n2008521 - gcp-hostname service should correct invalid search entries in resolv.conf\n2008532 - CreateContainerConfigError:: failed to prepare subPath for volumeMount\n2008539 - Registry doesn\u0027t fall back to secondary ImageContentSourcePolicy Mirror\n2008540 - HighlyAvailableWorkloadIncorrectlySpread always fires on upgrade on cluster with two workers\n2008599 - Azure Stack UPI does not have Internal Load Balancer\n2008612 - Plugin asset proxy does not pass through browser cache headers\n2008712 - VPA webhook timeout prevents all pods from starting\n2008733 - kube-scheduler: exposed /debug/pprof port\n2008911 - Prometheus repeatedly scaling prometheus-operator replica set\n2008926 - [sig-api-machinery] API data in etcd should be stored at the correct location and version for all resources [Serial] [Suite:openshift/conformance/serial]\n2008987 - OpenShift SDN Hosted Egress IP\u0027s are not being scheduled to nodes after upgrade to 4.8.12\n2009055 - Instances of OCS to be replaced with ODF on UI\n2009078 - NetworkPodsCrashLooping alerts in upgrade CI jobs\n2009083 - opm blocks pruning of existing bundles during add\n2009111 - [IPI-on-GCP] \u0027Install a cluster with nested virtualization enabled\u0027 failed due to unable to launch compute instances\n2009131 - [e2e][automation] add more test about vmi\n2009148 - [e2e][automation] test vm nic presets and options\n2009233 - ACM policy object generated by PolicyGen conflicting with OLM Operator\n2009253 - [BM] [IPI] [DualStack] apiVIP and ingressVIP should be of the same primary IP family\n2009298 - Service created for VM SSH access is not owned by the VM and thus is not deleted if the VM is deleted\n2009384 - UI changes to support BindableKinds CRD changes\n2009404 - ovnkube-node pod enters CrashLoopBackOff after OVN_IMAGE is swapped\n2009424 - Deployment upgrade is failing availability check\n2009454 - Change web terminal subscription permissions from get to list\n2009465 - container-selinux should come from rhel8-appstream\n2009514 - Bump OVS to 2.16-15\n2009555 - Supermicro X11 system not booting from vMedia with AI\n2009623 - Console: Observe \u003e Metrics page: Table pagination menu shows bullet points\n2009664 - Git Import: Edit of knative service doesn\u0027t work as expected for git import flow\n2009699 - Failure to validate flavor RAM\n2009754 - Footer is not sticky anymore in import forms\n2009785 - CRI-O\u0027s version file should be pinned by MCO\n2009791 - Installer: ibmcloud ignores install-config values\n2009823 - [sig-arch] events should not repeat pathologically - reason/VSphereOlderVersionDetected Marking cluster un-upgradeable because one or more VMs are on hardware version vmx-13\n2009840 - cannot build extensions on aarch64 because of unavailability of rhel-8-advanced-virt repo\n2009859 - Large number of sessions created by vmware-vsphere-csi-driver-operator during e2e tests\n2009873 - Stale Logical Router Policies and Annotations for a given node\n2009879 - There should be test-suite coverage to ensure admin-acks work as expected\n2009888 - SRO package name collision between official and community version\n2010073 - uninstalling and then reinstalling sriov-network-operator is not working\n2010174 - 2 PVs get created unexpectedly with different paths that actually refer to the same device on the node. \n2010181 - Environment variables not getting reset on reload on deployment edit form\n2010310 - [sig-instrumentation][Late] OpenShift alerting rules should have description and summary annotations [Skipped:Disconnected] [Suite:openshift/conformance/parallel]\n2010341 - OpenShift Alerting Rules Style-Guide Compliance\n2010342 - Local console builds can have out of memory errors\n2010345 - OpenShift Alerting Rules Style-Guide Compliance\n2010348 - Reverts PIE build mode for K8S components\n2010352 - OpenShift Alerting Rules Style-Guide Compliance\n2010354 - OpenShift Alerting Rules Style-Guide Compliance\n2010359 - OpenShift Alerting Rules Style-Guide Compliance\n2010368 - OpenShift Alerting Rules Style-Guide Compliance\n2010376 - OpenShift Alerting Rules Style-Guide Compliance\n2010662 - Cluster is unhealthy after image-registry-operator tests\n2010663 - OpenShift Alerting Rules Style-Guide Compliance (ovn-kubernetes subcomponent)\n2010665 - Bootkube tries to use oc after cluster bootstrap is done and there is no API\n2010698 - [BM] [IPI] [Dual Stack] Installer must ensure ipv6 short forms too if clusterprovisioning IP is specified as ipv6 address\n2010719 - etcdHighNumberOfFailedGRPCRequests runbook is missing\n2010864 - Failure building EFS operator\n2010910 - ptp worker events unable to identify interface for multiple interfaces\n2010911 - RenderOperatingSystem() returns wrong OS version on OCP 4.7.24\n2010921 - Azure Stack Hub does not handle additionalTrustBundle\n2010931 - SRO CSV uses non default category \"Drivers and plugins\"\n2010946 - concurrent CRD from ovirt-csi-driver-operator gets reconciled by CVO after deployment, changing CR as well. \n2011038 - optional operator conditions are confusing\n2011063 - CVE-2021-39226 grafana: Snapshot authentication bypass\n2011171 - diskmaker-manager constantly redeployed by LSO when creating LV\u0027s\n2011293 - Build pod are not pulling images if we are not explicitly giving the registry name with the image\n2011368 - Tooltip in pipeline visualization shows misleading data\n2011386 - [sig-arch] Check if alerts are firing during or after upgrade success --- alert KubePodNotReady fired for 60 seconds with labels\n2011411 - Managed Service\u0027s Cluster overview page contains link to missing Storage dashboards\n2011443 - Cypress tests assuming Admin Perspective could fail on shared/reference cluster\n2011513 - Kubelet rejects pods that use resources that should be freed by completed pods\n2011668 - Machine stuck in deleting phase in VMware \"reconciler failed to Delete machine\"\n2011693 - (release-4.10) \"insightsclient_request_recvreport_total\" metric is always incremented\n2011698 - After upgrading cluster to 4.8 the kube-state-metrics service doesn\u0027t export namespace labels anymore\n2011733 - Repository README points to broken documentarion link\n2011753 - Ironic resumes clean before raid configuration job is actually completed\n2011809 - The nodes page in the openshift console doesn\u0027t work. You just get a blank page\n2011822 - Obfuscation doesn\u0027t work at clusters with OVN\n2011882 - SRO helm charts not synced with templates\n2011893 - Validation: BMC driver ipmi is not supported for secure UEFI boot\n2011896 - [4.10] ClusterVersion Upgradeable=False MultipleReasons should include all messages\n2011903 - vsphere-problem-detector: session leak\n2011927 - OLM should allow users to specify a proxy for GRPC connections\n2011956 - [tracker] Kubelet rejects pods that use resources that should be freed by completed pods\n2011960 - [tracker] Storage operator is not available after reboot cluster instances\n2011971 - ICNI2 pods are stuck in ContainerCreating state\n2011972 - Ingress operator not creating wildcard route for hypershift clusters\n2011977 - SRO bundle references non-existent image\n2012069 - Refactoring Status controller\n2012177 - [OCP 4.9 + OCS 4.8.3] Overview tab is missing under Storage after successful deployment on UI\n2012228 - ibmcloud: credentialsrequests invalid for machine-api-operator: resource-group\n2012233 - [IBMCLOUD] IPI: \"Exceeded limit of remote rules per security group (the limit is 5 remote rules per security group)\"\n2012235 - [IBMCLOUD] IPI: IBM cloud provider requires ResourceGroupName in cloudproviderconfig\n2012317 - Dynamic Plugins: ListPageCreateDropdown items cut off\n2012407 - [e2e][automation] improve vm tab console tests\n2012426 - ThanosSidecarBucketOperationsFailed/ThanosSidecarUnhealthy alerts don\u0027t have namespace label\n2012562 - migration condition is not detected in list view\n2012770 - when using expression metric openshift_apps_deploymentconfigs_last_failed_rollout_time namespace label is re-written\n2012780 - The port 50936 used by haproxy is occupied by kube-apiserver\n2012838 - Setting the default maximum container root partition size for Overlay with CRI-O stop working\n2012902 - Neutron Ports assigned to Completed Pods are not reused Edit\n2012915 - kube_persistentvolumeclaim_labels and kube_persistentvolume_labels are missing in OCP 4.8 monitoring stack\n2012971 - Disable operands deletes\n2013034 - Cannot install to openshift-nmstate namespace\n2013127 - OperatorHub links could not be opened in a new tabs (sharing and open a deep link works fine)\n2013199 - post reboot of node SRIOV policy taking huge time\n2013203 - UI breaks when trying to create block pool before storage cluster/system creation\n2013222 - Full breakage for nightly payload promotion\n2013273 - Nil pointer exception when phc2sys options are missing\n2013321 - TuneD: high CPU utilization of the TuneD daemon. \n2013416 - Multiple assets emit different content to the same filename\n2013431 - Application selector dropdown has incorrect font-size and positioning\n2013528 - mapi_current_pending_csr is always set to 1 on OpenShift Container Platform 4.8\n2013545 - Service binding created outside topology is not visible\n2013599 - Scorecard support storage is not included in ocp4.9\n2013632 - Correction/Changes in Quick Start Guides for ODF 4.9 (Install ODF guide)\n2013646 - fsync controller will show false positive if gaps in metrics are observed. \n2013710 - ZTP Operator subscriptions for 4.9 release branch should point to 4.9 by default\n2013751 - Service details page is showing wrong in-cluster hostname\n2013787 - There are two tittle \u0027Network Attachment Definition Details\u0027 on NAD details page\n2013871 - Resource table headings are not aligned with their column data\n2013895 - Cannot enable accelerated network via MachineSets on Azure\n2013920 - \"--collector.filesystem.ignored-mount-points is DEPRECATED and will be removed in 2.0.0, use --collector.filesystem.mount-points-exclude\"\n2013930 - Create Buttons enabled for Bucket Class, Backingstore and Namespace Store in the absence of Storagesystem(or MCG)\n2013969 - oVIrt CSI driver fails on creating PVCs on hosted engine storage domain\n2013990 - Observe dashboard crashs on reload when perspective has changed (in another tab)\n2013996 - Project detail page: Action \"Delete Project\" does nothing for the default project\n2014071 - Payload imagestream new tags not properly updated during cluster upgrade\n2014153 - SRIOV exclusive pooling\n2014202 - [OCP-4.8.10] OVN-Kubernetes: service IP is not responding when egressIP set to the namespace\n2014238 - AWS console test is failing on importing duplicate YAML definitions\n2014245 - Several aria-labels, external links, and labels aren\u0027t internationalized\n2014248 - Several files aren\u0027t internationalized\n2014352 - Could not filter out machine by using node name on machines page\n2014464 - Unexpected spacing/padding below navigation groups in developer perspective\n2014471 - Helm Release notes tab is not automatically open after installing a chart for other languages\n2014486 - Integration Tests: OLM single namespace operator tests failing\n2014488 - Custom operator cannot change orders of condition tables\n2014497 - Regex slows down different forms and creates too much recursion errors in the log\n2014538 - Kuryr controller crash looping on self._get_vip_port(loadbalancer).id \u0027NoneType\u0027 object has no attribute \u0027id\u0027\n2014614 - Metrics scraping requests should be assigned to exempt priority level\n2014710 - TestIngressStatus test is broken on Azure\n2014954 - The prometheus-k8s-{0,1} pods are CrashLoopBackoff repeatedly\n2014995 - oc adm must-gather cannot gather audit logs with \u0027None\u0027 audit profile\n2015115 - [RFE] PCI passthrough\n2015133 - [IBMCLOUD] ServiceID API key credentials seems to be insufficient for ccoctl \u0027--resource-group-name\u0027 parameter\n2015154 - Support ports defined networks and primarySubnet\n2015274 - Yarn dev fails after updates to dynamic plugin JSON schema logic\n2015337 - 4.9.0 GA MetalLB operator image references need to be adjusted to match production\n2015386 - Possibility to add labels to the built-in OCP alerts\n2015395 - Table head on Affinity Rules modal is not fully expanded\n2015416 - CI implementation for Topology plugin\n2015418 - Project Filesystem query returns No datapoints found\n2015420 - No vm resource in project view\u0027s inventory\n2015422 - No conflict checking on snapshot name\n2015472 - Form and YAML view switch button should have distinguishable status\n2015481 - [4.10] sriov-network-operator daemon pods are failing to start\n2015493 - Cloud Controller Manager Operator does not respect \u0027additionalTrustBundle\u0027 setting\n2015496 - Storage - PersistentVolumes : Claim colum value \u0027No Claim\u0027 in English\n2015498 - [UI] Add capacity when not applicable (for MCG only deployment and External mode cluster) fails to pass any info. to user and tries to just load a blank screen on \u0027Add Capacity\u0027 button click\n2015506 - Home - Search - Resources - APIRequestCount : hard to select an item from ellipsis menu\n2015515 - Kubelet checks all providers even if one is configured: NoCredentialProviders: no valid providers in chain. \n2015535 - Administration - ResourceQuotas - ResourceQuota details: Inside Pie chart \u0027x% used\u0027 is in English\n2015549 - Observe - Metrics: Column heading and pagination text is in English\n2015557 - Workloads - DeploymentConfigs : Error message is in English\n2015568 - Compute - Nodes : CPU column\u0027s values are in English\n2015635 - Storage operator fails causing installation to fail on ASH\n2015660 - \"Finishing boot source customization\" screen should not use term \"patched\"\n2015793 - [hypershift] The collect-profiles job\u0027s pods should run on the control-plane node\n2015806 - Metrics view in Deployment reports \"Forbidden\" when not cluster-admin\n2015819 - Conmon sandbox processes run on non-reserved CPUs with workload partitioning\n2015837 - OS_CLOUD overwrites install-config\u0027s platform.openstack.cloud\n2015950 - update from 4.7.22 to 4.8.11 is failing due to large amount of secrets to watch\n2015952 - RH CodeReady Workspaces Operator in e2e testing will soon fail\n2016004 - [RFE] RHCOS: help determining whether a user-provided image was already booted (Ignition provisioning already performed)\n2016008 - [4.10] Bootimage bump tracker\n2016052 - No e2e CI presubmit configured for release component azure-file-csi-driver\n2016053 - No e2e CI presubmit configured for release component azure-file-csi-driver-operator\n2016054 - No e2e CI presubmit configured for release component cluster-autoscaler\n2016055 - No e2e CI presubmit configured for release component console\n2016058 - openshift-sync does not synchronise in \"ose-jenkins:v4.8\"\n2016064 - No e2e CI presubmit configured for release component ibm-cloud-controller-manager\n2016065 - No e2e CI presubmit configured for release component ibmcloud-machine-controllers\n2016175 - Pods get stuck in ContainerCreating state when attaching volumes fails on SNO clusters. \n2016179 - Add Sprint 208 translations\n2016228 - Collect Profiles pprof secret is hardcoded to openshift-operator-lifecycle-manager\n2016235 - should update to 7.5.11 for grafana resources version label\n2016296 - Openshift virtualization : Create Windows Server 2019 VM using template : Fails\n2016334 - shiftstack: SRIOV nic reported as not supported\n2016352 - Some pods start before CA resources are present\n2016367 - Empty task box is getting created for a pipeline without finally task\n2016435 - Duplicate AlertmanagerClusterFailedToSendAlerts alerts\n2016438 - Feature flag gating is missing in few extensions contributed via knative plugin\n2016442 - OCPonRHV: pvc should be in Bound state and without error when choosing default sc\n2016446 - [OVN-Kubernetes] Egress Networkpolicy is failing Intermittently for statefulsets\n2016453 - Complete i18n for GaugeChart defaults\n2016479 - iface-id-ver is not getting updated for existing lsp\n2016925 - Dashboards with All filter, change to a specific value and change back to All, data will disappear\n2016951 - dynamic actions list is not disabling \"open console\" for stopped vms\n2016955 - m5.large instance type for bootstrap node is hardcoded causing deployments to fail if instance type is not available\n2016988 - NTO does not set io_timeout and max_retries for AWS Nitro instances\n2017016 - [REF] Virtualization menu\n2017036 - [sig-network-edge][Feature:Idling] Unidling should handle many TCP connections fails in periodic-ci-openshift-release-master-ci-4.9-e2e-openstack-ovn\n2017050 - Dynamic Plugins: Shared modules loaded multiple times, breaking use of PatternFly\n2017130 - t is not a function error navigating to details page\n2017141 - Project dropdown has a dynamic inline width added which can cause min-width issue\n2017244 - ovirt csi operator static files creation is in the wrong order\n2017276 - [4.10] Volume mounts not created with the correct security context\n2017327 - When run opm index prune failed with error removing operator package cic-operator FOREIGN KEY constraint failed. \n2017427 - NTO does not restart TuneD daemon when profile application is taking too long\n2017535 - Broken Argo CD link image on GitOps Details Page\n2017547 - Siteconfig application sync fails with The AgentClusterInstall is invalid: spec.provisionRequirements.controlPlaneAgents: Required value when updating images references\n2017564 - On-prem prepender dispatcher script overwrites DNS search settings\n2017565 - CCMO does not handle additionalTrustBundle on Azure Stack\n2017566 - MetalLB: Web Console -Create Address pool form shows address pool name twice\n2017606 - [e2e][automation] add test to verify send key for VNC console\n2017650 - [OVN]EgressFirewall cannot be applied correctly if cluster has windows nodes\n2017656 - VM IP address is \"undefined\" under VM details -\u003e ssh field\n2017663 - SSH password authentication is disabled when public key is not supplied\n2017680 - [gcp] Couldn\u2019t enable support for instances with GPUs on GCP\n2017732 - [KMS] Prevent creation of encryption enabled storageclass without KMS connection set\n2017752 - (release-4.10) obfuscate identity provider attributes in collected authentication.operator.openshift.io resource\n2017756 - overlaySize setting on containerruntimeconfig is ignored due to cri-o defaults\n2017761 - [e2e][automation] dummy bug for 4.9 test dependency\n2017872 - Add Sprint 209 translations\n2017874 - The installer is incorrectly checking the quota for X instances instead of G and VT instances\n2017879 - Add Chinese translation for \"alternate\"\n2017882 - multus: add handling of pod UIDs passed from runtime\n2017909 - [ICNI 2.0] ovnkube-masters stop processing add/del events for pods\n2018042 - HorizontalPodAutoscaler CPU averageValue did not show up in HPA metrics GUI\n2018093 - Managed cluster should ensure control plane pods do not run in best-effort QoS\n2018094 - the tooltip length is limited\n2018152 - CNI pod is not restarted when It cannot start servers due to ports being used\n2018208 - e2e-metal-ipi-ovn-ipv6 are failing 75% of the time\n2018234 - user settings are saved in local storage instead of on cluster\n2018264 - Delete Export button doesn\u0027t work in topology sidebar (general issue with unknown CSV?)\n2018272 - Deployment managed by link and topology sidebar links to invalid resource page (at least for Exports)\n2018275 - Topology graph doesn\u0027t show context menu for Export CSV\n2018279 - Edit and Delete confirmation modals for managed resource should close when the managed resource is clicked\n2018380 - Migrate docs links to access.redhat.com\n2018413 - Error: context deadline exceeded, OCP 4.8.9\n2018428 - PVC is deleted along with VM even with \"Delete Disks\" unchecked\n2018445 - [e2e][automation] enhance tests for downstream\n2018446 - [e2e][automation] move tests to different level\n2018449 - [e2e][automation] add test about create/delete network attachment definition\n2018490 - [4.10] Image provisioning fails with file name too long\n2018495 - Fix typo in internationalization README\n2018542 - Kernel upgrade does not reconcile DaemonSet\n2018880 - Get \u0027No datapoints found.\u0027 when query metrics about alert rule KubeCPUQuotaOvercommit and KubeMemoryQuotaOvercommit\n2018884 - QE - Adapt crw-basic feature file to OCP 4.9/4.10 changes\n2018935 - go.sum not updated, that ART extracts version string from, WAS: Missing backport from 4.9 for Kube bump PR#950\n2018965 - e2e-metal-ipi-upgrade is permafailing in 4.10\n2018985 - The rootdisk size is 15Gi of windows VM in customize wizard\n2019001 - AWS: Operator degraded (CredentialsFailing): 1 of 6 credentials requests are failing to sync. \n2019096 - Update SRO leader election timeout to support SNO\n2019129 - SRO in operator hub points to wrong repo for README\n2019181 - Performance profile does not apply\n2019198 - ptp offset metrics are not named according to the log output\n2019219 - [IBMCLOUD]: cloud-provider-ibm missing IAM permissions in CCCMO CredentialRequest\n2019284 - Stop action should not in the action list while VMI is not running\n2019346 - zombie processes accumulation and Argument list too long\n2019360 - [RFE] Virtualization Overview page\n2019452 - Logger object in LSO appends to existing logger recursively\n2019591 - Operator install modal body that scrolls has incorrect padding causing shadow position to be incorrect\n2019634 - Pause and migration is enabled in action list for a user who has view only permission\n2019636 - Actions in VM tabs should be disabled when user has view only permission\n2019639 - \"Take snapshot\" should be disabled while VM image is still been importing\n2019645 - Create button is not removed on \"Virtual Machines\" page for view only user\n2019646 - Permission error should pop-up immediately while clicking \"Create VM\" button on template page for view only user\n2019647 - \"Remove favorite\" and \"Create new Template\" should be disabled in template action list for view only user\n2019717 - cant delete VM with un-owned pvc attached\n2019722 - The shared-resource-csi-driver-node pod runs as \u201cBestEffort\u201d qosClass\n2019739 - The shared-resource-csi-driver-node uses imagePullPolicy as \"Always\"\n2019744 - [RFE] Suggest users to download newest RHEL 8 version\n2019809 - [OVN][Upgrade] After upgrade to 4.7.34 ovnkube-master pods are in CrashLoopBackOff/ContainerCreating and other multiple issues at OVS/OVN level\n2019827 - Display issue with top-level menu items running demo plugin\n2019832 - 4.10 Nightlies blocked: Failed to upgrade authentication, operator was degraded\n2019886 - Kuryr unable to finish ports recovery upon controller restart\n2019948 - [RFE] Restructring Virtualization links\n2019972 - The Nodes section doesn\u0027t display the csr of the nodes that are trying to join the cluster\n2019977 - Installer doesn\u0027t validate region causing binary to hang with a 60 minute timeout\n2019986 - Dynamic demo plugin fails to build\n2019992 - instance:node_memory_utilisation:ratio metric is incorrect\n2020001 - Update dockerfile for demo dynamic plugin to reflect dir change\n2020003 - MCD does not regard \"dangling\" symlinks as a files, attempts to write through them on next backup, resulting in \"not writing through dangling symlink\" error and degradation. \n2020107 - cluster-version-operator: remove runlevel from CVO namespace\n2020153 - Creation of Windows high performance VM fails\n2020216 - installer: Azure storage container blob where is stored bootstrap.ign file shouldn\u0027t be public\n2020250 - Replacing deprecated ioutil\n2020257 - Dynamic plugin with multiple webpack compilation passes may fail to build\n2020275 - ClusterOperators link in console returns blank page during upgrades\n2020377 - permissions error while using tcpdump option with must-gather\n2020489 - coredns_dns metrics don\u0027t include the custom zone metrics data due to CoreDNS prometheus plugin is not defined\n2020498 - \"Show PromQL\" button is disabled\n2020625 - [AUTH-52] User fails to login from web console with keycloak OpenID IDP after enable group membership sync feature\n2020638 - [4.7] CI conformance test failures related to CustomResourcePublishOpenAPI\n2020664 - DOWN subports are not cleaned up\n2020904 - When trying to create a connection from the Developer view between VMs, it fails\n2021016 - \u0027Prometheus Stats\u0027 of dashboard \u0027Prometheus Overview\u0027 miss data on console compared with Grafana\n2021017 - 404 page not found error on knative eventing page\n2021031 - QE - Fix the topology CI scripts\n2021048 - [RFE] Added MAC Spoof check\n2021053 - Metallb operator presented as community operator\n2021067 - Extensive number of requests from storage version operator in cluster\n2021081 - Missing PolicyGenTemplate for configuring Local Storage Operator LocalVolumes\n2021135 - [azure-file-csi-driver] \"make unit-test\" returns non-zero code, but tests pass\n2021141 - Cluster should allow a fast rollout of kube-apiserver is failing on single node\n2021151 - Sometimes the DU node does not get the performance profile configuration applied and MachineConfigPool stays stuck in Updating\n2021152 - imagePullPolicy is \"Always\" for ptp operator images\n2021191 - Project admins should be able to list available network attachment defintions\n2021205 - Invalid URL in git import form causes validation to not happen on URL change\n2021322 - cluster-api-provider-azure should populate purchase plan information\n2021337 - Dynamic Plugins: ResourceLink doesn\u0027t render when passed a groupVersionKind\n2021364 - Installer requires invalid AWS permission s3:GetBucketReplication\n2021400 - Bump documentationBaseURL to 4.10\n2021405 - [e2e][automation] VM creation wizard Cloud Init editor\n2021433 - \"[sig-builds][Feature:Builds][pullsearch] docker build where the registry is not specified\" test fail permanently on disconnected\n2021466 - [e2e][automation] Windows guest tool mount\n2021544 - OCP 4.6.44 - Ingress VIP assigned as secondary IP in ovs-if-br-ex and added to resolv.conf as nameserver\n2021551 - Build is not recognizing the USER group from an s2i image\n2021607 - Unable to run openshift-install with a vcenter hostname that begins with a numeric character\n2021629 - api request counts for current hour are incorrect\n2021632 - [UI] Clicking on odf-operator breadcrumb from StorageCluster details page displays empty page\n2021693 - Modals assigned modal-lg class are no longer the correct width\n2021724 - Observe \u003e Dashboards: Graph lines are not visible when obscured by other lines\n2021731 - CCO occasionally down, reporting networksecurity.googleapis.com API as disabled\n2021936 - Kubelet version in RPMs should be using Dockerfile label instead of git tags\n2022050 - [BM][IPI] Failed during bootstrap - unable to read client-key /var/lib/kubelet/pki/kubelet-client-current.pem\n2022053 - dpdk application with vhost-net is not able to start\n2022114 - Console logging every proxy request\n2022144 - 1 of 3 ovnkube-master pods stuck in clbo after ipi bm deployment - dualstack (Intermittent)\n2022251 - wait interval in case of a failed upload due to 403 is unnecessarily long\n2022399 - MON_DISK_LOW troubleshooting guide link when clicked, gives 404 error . \n2022447 - ServiceAccount in manifests conflicts with OLM\n2022502 - Patternfly tables with a checkbox column are not displaying correctly because of conflicting css rules. \n2022509 - getOverrideForManifest does not check manifest.GVK.Group\n2022536 - WebScale: duplicate ecmp next hop error caused by multiple of the same gateway IPs in ovnkube cache\n2022612 - no namespace field for \"Kubernetes / Compute Resources / Namespace (Pods)\" admin console dashboard\n2022627 - Machine object not picking up external FIP added to an openstack vm\n2022646 - configure-ovs.sh failure - Error: unknown connection \u0027WARN:\u0027\n2022707 - Observe / monitoring dashboard shows forbidden errors on Dev Sandbox\n2022801 - Add Sprint 210 translations\n2022811 - Fix kubelet log rotation file handle leak\n2022812 - [SCALE] ovn-kube service controller executes unnecessary load balancer operations\n2022824 - Large number of sessions created by vmware-vsphere-csi-driver-operator during e2e tests\n2022880 - Pipeline renders with minor visual artifact with certain task dependencies\n2022886 - Incorrect URL in operator description\n2023042 - CRI-O filters custom runtime allowed annotation when both custom workload and custom runtime sections specified under the config\n2023060 - [e2e][automation] Windows VM with CDROM migration\n2023077 - [e2e][automation] Home Overview Virtualization status\n2023090 - [e2e][automation] Examples of Import URL for VM templates\n2023102 - [e2e][automation] Cloudinit disk of VM from custom template\n2023216 - ACL for a deleted egressfirewall still present on node join switch\n2023228 - Remove Tech preview badge on Trigger components 1.6 OSP on OCP 4.9\n2023238 - [sig-devex][Feature:ImageEcosystem][python][Slow] hot deploy for openshift python image Django example should work with hot deploy\n2023342 - SCC admission should take ephemeralContainers into account\n2023356 - Devfiles can\u0027t be loaded in Safari on macOS (403 - Forbidden)\n2023434 - Update Azure Machine Spec API to accept Marketplace Images\n2023500 - Latency experienced while waiting for volumes to attach to node\n2023522 - can\u0027t remove package from index: database is locked\n2023560 - \"Network Attachment Definitions\" has no project field on the top in the list view\n2023592 - [e2e][automation] add mac spoof check for nad\n2023604 - ACL violation when deleting a provisioning-configuration resource\n2023607 - console returns blank page when normal user without any projects visit Installed Operators page\n2023638 - Downgrade support level for extended control plane integration to Dev Preview\n2023657 - inconsistent behaviours of adding ssh key on rhel node between 4.9 and 4.10\n2023675 - Changing CNV Namespace\n2023779 - Fix Patch 104847 in 4.9\n2023781 - initial hardware devices is not loading in wizard\n2023832 - CCO updates lastTransitionTime for non-Status changes\n2023839 - Bump recommended FCOS to 34.20211031.3.0\n2023865 - Console css overrides prevent dynamic plug-in PatternFly tables from displaying correctly\n2023950 - make test-e2e-operator on kubernetes-nmstate results in failure to pull image from \"registry:5000\" repository\n2023985 - [4.10] OVN idle service cannot be accessed after upgrade from 4.8\n2024055 - External DNS added extra prefix for the TXT record\n2024108 - Occasionally node remains in SchedulingDisabled state even after update has been completed sucessfully\n2024190 - e2e-metal UPI is permafailing with inability to find rhcos.json\n2024199 - 400 Bad Request error for some queries for the non admin user\n2024220 - Cluster monitoring checkbox flickers when installing Operator in all-namespace mode\n2024262 - Sample catalog is not displayed when one API call to the backend fails\n2024309 - cluster-etcd-operator: defrag controller needs to provide proper observability\n2024316 - modal about support displays wrong annotation\n2024328 - [oVirt / RHV] PV disks are lost when machine deleted while node is disconnected\n2024399 - Extra space is in the translated text of \"Add/Remove alternate service\" on Create Route page\n2024448 - When ssh_authorized_keys is empty in form view it should not appear in yaml view\n2024493 - Observe \u003e Alerting \u003e Alerting rules page throws error trying to destructure undefined\n2024515 - test-blocker: Ceph-storage-plugin tests failing\n2024535 - hotplug disk missing OwnerReference\n2024537 - WINDOWS_IMAGE_LINK does not refer to windows cloud image\n2024547 - Detail page is breaking for namespace store , backing store and bucket class. \n2024551 - KMS resources not getting created for IBM FlashSystem storage\n2024586 - Special Resource Operator(SRO) - Empty image in BuildConfig when using RT kernel\n2024613 - pod-identity-webhook starts without tls\n2024617 - vSphere CSI tests constantly failing with Rollout of the monitoring stack failed and is degraded\n2024665 - Bindable services are not shown on topology\n2024731 - linuxptp container: unnecessary checking of interfaces\n2024750 - i18n some remaining OLM items\n2024804 - gcp-pd-csi-driver does not use trusted-ca-bundle when cluster proxy configured\n2024826 - [RHOS/IPI] Masters are not joining a clusters when installing on OpenStack\n2024841 - test Keycloak with latest tag\n2024859 - Not able to deploy an existing image from private image registry using developer console\n2024880 - Egress IP breaks when network policies are applied\n2024900 - Operator upgrade kube-apiserver\n2024932 - console throws \"Unauthorized\" error after logging out\n2024933 - openshift-sync plugin does not sync existing secrets/configMaps on start up\n2025093 - Installer does not honour diskformat specified in storage policy and defaults to zeroedthick\n2025230 - ClusterAutoscalerUnschedulablePods should not be a warning\n2025266 - CreateResource route has exact prop which need to be removed\n2025301 - [e2e][automation] VM actions availability in different VM states\n2025304 - overwrite storage section of the DV spec instead of the pvc section\n2025431 - [RFE]Provide specific windows source link\n2025458 - [IPI-AWS] cluster-baremetal-operator pod in a crashloop state after patching from 4.7.21 to 4.7.36\n2025464 - [aws] openshift-install gather bootstrap collects logs for bootstrap and only one master node\n2025467 - [OVN-K][ETP=local] Host to service backed by ovn pods doesn\u0027t work for ExternalTrafficPolicy=local\n2025481 - Update VM Snapshots UI\n2025488 - [DOCS] Update the doc for nmstate operator installation\n2025592 - ODC 4.9 supports invalid devfiles only\n2025765 - It should not try to load from storageProfile after unchecking\"Apply optimized StorageProfile settings\"\n2025767 - VMs orphaned during machineset scaleup\n2025770 - [e2e] non-priv seems looking for v2v-vmware configMap in ns \"kubevirt-hyperconverged\" while using customize wizard\n2025788 - [IPI on azure]Pre-check on IPI Azure, should check VM Size\u2019s vCPUsAvailable instead of vCPUs for the sku. \n2025821 - Make \"Network Attachment Definitions\" available to regular user\n2025823 - The console nav bar ignores plugin separator in existing sections\n2025830 - CentOS capitalizaion is wrong\n2025837 - Warn users that the RHEL URL expire\n2025884 - External CCM deploys openstack-cloud-controller-manager from quay.io/openshift/origin-*\n2025903 - [UI] RoleBindings tab doesn\u0027t show correct rolebindings\n2026104 - [sig-imageregistry][Feature:ImageAppend] Image append should create images by appending them [Skipped:Disconnected] [Suite:openshift/conformance/parallel]\n2026178 - OpenShift Alerting Rules Style-Guide Compliance\n2026209 - Updation of task is getting failed (tekton hub integration)\n2026223 - Internal error occurred: failed calling webhook \"ptpconfigvalidationwebhook.openshift.io\"\n2026321 - [UPI on Azure] Shall we remove allowedValue about VMSize in ARM templates\n2026343 - [upgrade from 4.5 to 4.6] .status.connectionState.address of catsrc community-operators is not correct\n2026352 - Kube-Scheduler revision-pruner fail during install of new cluster\n2026374 - aws-pod-identity-webhook go.mod version out of sync with build environment\n2026383 - Error when rendering custom Grafana dashboard through ConfigMap\n2026387 - node tuning operator metrics endpoint serving old certificates after certificate rotation\n2026396 - Cachito Issues: sriov-network-operator Image build failure\n2026488 - openshift-controller-manager - delete event is repeating pathologically\n2026489 - ThanosRuleRuleEvaluationLatencyHigh alerts when a big quantity of alerts defined. \n2026560 - Cluster-version operator does not remove unrecognized volume mounts\n2026699 - fixed a bug with missing metadata\n2026813 - add Mellanox CX-6 Lx DeviceID 101f NIC support in SR-IOV Operator\n2026898 - Description/details are missing for Local Storage Operator\n2027132 - Use the specific icon for Fedora and CentOS template\n2027238 - \"Node Exporter / USE Method / Cluster\" CPU utilization graph shows incorrect legend\n2027272 - KubeMemoryOvercommit alert should be human readable\n2027281 - [Azure] External-DNS cannot find the private DNS zone in the resource group\n2027288 - Devfile samples can\u0027t be loaded after fixing it on Safari (redirect caching issue)\n2027299 - The status of checkbox component is not revealed correctly in code\n2027311 - K8s watch hooks do not work when fetching core resources\n2027342 - Alert ClusterVersionOperatorDown is firing on OpenShift Container Platform after ca certificate rotation\n2027363 - The azure-file-csi-driver and azure-file-csi-driver-operator don\u0027t use the downstream images\n2027387 - [IBMCLOUD] Terraform ibmcloud-provider buffers entirely the qcow2 image causing spikes of 5GB of RAM during installation\n2027498 - [IBMCloud] SG Name character length limitation\n2027501 - [4.10] Bootimage bump tracker\n2027524 - Delete Application doesn\u0027t delete Channels or Brokers\n2027563 - e2e/add-flow-ci.feature fix accessibility violations\n2027585 - CVO crashes when changing spec.upstream to a cincinnati graph which includes invalid conditional edges\n2027629 - Gather ValidatingWebhookConfiguration and MutatingWebhookConfiguration resource definitions\n2027685 - openshift-cluster-csi-drivers pods crashing on PSI\n2027745 - default samplesRegistry prevents the creation of imagestreams when registrySources.allowedRegistries is enforced\n2027824 - ovnkube-master CrashLoopBackoff: panic: Expected slice or struct but got string\n2027917 - No settings in hostfirmwaresettings and schema objects for masters\n2027927 - sandbox creation fails due to obsolete option in /etc/containers/storage.conf\n2027982 - nncp stucked at ConfigurationProgressing\n2028019 - Max pending serving CSRs allowed in cluster machine approver is not right for UPI clusters\n2028024 - After deleting a SpecialResource, the node is still tagged although the driver is removed\n2028030 - Panic detected in cluster-image-registry-operator pod\n2028042 - Desktop viewer for Windows VM shows \"no Service for the RDP (Remote Desktop Protocol) can be found\"\n2028054 - Cloud controller manager operator can\u0027t get leader lease when upgrading from 4.8 up to 4.9\n2028106 - [RFE] Use dynamic plugin actions for kubevirt plugin\n2028141 - Console tests doesn\u0027t pass on Node.js 15 and 16\n2028160 - Remove i18nKey in network-policy-peer-selectors.tsx\n2028162 - Add Sprint 210 translations\n2028170 - Remove leading and trailing whitespace\n2028174 - Add Sprint 210 part 2 translations\n2028187 - Console build doesn\u0027t pass on Node.js 16 because node-sass doesn\u0027t support it\n2028217 - Cluster-version operator does not default Deployment replicas to one\n2028240 - Multiple CatalogSources causing higher CPU use than necessary\n2028268 - Password parameters are listed in FirmwareSchema in spite that cannot and shouldn\u0027t be set in HostFirmwareSettings\n2028325 - disableDrain should be set automatically on SNO\n2028484 - AWS EBS CSI driver\u0027s livenessprobe does not respect operator\u0027s loglevel\n2028531 - Missing netFilter to the list of parameters when platform is OpenStack\n2028610 - Installer doesn\u0027t retry on GCP rate limiting\n2028685 - LSO repeatedly reports errors while diskmaker-discovery pod is starting\n2028695 - destroy cluster does not prune bootstrap instance profile\n2028731 - The containerruntimeconfig controller has wrong assumption regarding the number of containerruntimeconfigs\n2028802 - CRI-O panic due to invalid memory address or nil pointer dereference\n2028816 - VLAN IDs not released on failures\n2028881 - Override not working for the PerformanceProfile template\n2028885 - Console should show an error context if it logs an error object\n2028949 - Masthead dropdown item hover text color is incorrect\n2028963 - Whereabouts should reconcile stranded IP addresses\n2029034 - enabling ExternalCloudProvider leads to inoperative cluster\n2029178 - Create VM with wizard - page is not displayed\n2029181 - Missing CR from PGT\n2029273 - wizard is not able to use if project field is \"All Projects\"\n2029369 - Cypress tests github rate limit errors\n2029371 - patch pipeline--worker nodes unexpectedly reboot during scale out\n2029394 - missing empty text for hardware devices at wizard review\n2029414 - Alibaba Disk snapshots with XFS filesystem cannot be used\n2029416 - Alibaba Disk CSI driver does not use credentials provided by CCO / ccoctl\n2029521 - EFS CSI driver cannot delete volumes under load\n2029570 - Azure Stack Hub: CSI Driver does not use user-ca-bundle\n2029579 - Clicking on an Application which has a Helm Release in it causes an error\n2029644 - New resource FirmwareSchema - reset_required exists for Dell machines and doesn\u0027t for HPE\n2029645 - Sync upstream 1.15.0 downstream\n2029671 - VM action \"pause\" and \"clone\" should be disabled while VM disk is still being importing\n2029742 - [ovn] Stale lr-policy-list and snat rules left for egressip\n2029750 - cvo keep restart due to it fail to get feature gate value during the initial start stage\n2029785 - CVO panic when an edge is included in both edges and conditionaledges\n2029843 - Downstream ztp-site-generate-rhel8 4.10 container image missing content(/home/ztp)\n2030003 - HFS CRD: Attempt to set Integer parameter to not-numeric string value - no error\n2030029 - [4.10][goroutine]Namespace stuck terminating: Failed to delete all resource types, 1 remaining: unexpected items still remain in namespace\n2030228 - Fix StorageSpec resources field to use correct API\n2030229 - Mirroring status card reflect wrong data\n2030240 - Hide overview page for non-privileged user\n2030305 - Export App job do not completes\n2030347 - kube-state-metrics exposes metrics about resource annotations\n2030364 - Shared resource CSI driver monitoring is not setup correctly\n2030488 - Numerous Azure CI jobs are Failing with Partially Rendered machinesets\n2030534 - Node selector/tolerations rules are evaluated too early\n2030539 - Prometheus is not highly available\n2030556 - Don\u0027t display Description or Message fields for alerting rules if those annotations are missing\n2030568 - Operator installation fails to parse operatorframework.io/initialization-resource annotation\n2030574 - console service uses older \"service.alpha.openshift.io\" for the service serving certificates. \n2030677 - BOND CNI: There is no option to configure MTU on a Bond interface\n2030692 - NPE in PipelineJobListener.upsertWorkflowJob\n2030801 - CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache\n2030806 - CVE-2021-44717 golang: syscall: don\u0027t close fd 0 on ForkExec error\n2030847 - PerformanceProfile API version should be v2\n2030961 - Customizing the OAuth server URL does not apply to upgraded cluster\n2031006 - Application name input field is not autofocused when user selects \"Create application\"\n2031012 - Services of type loadbalancer do not work if the traffic reaches the node from an interface different from br-ex\n2031040 - Error screen when open topology sidebar for a Serverless / knative service which couldn\u0027t be started\n2031049 - [vsphere upi] pod machine-config-operator cannot be started due to panic issue\n2031057 - Topology sidebar for Knative services shows a small pod ring with \"0 undefined\" as tooltip\n2031060 - Failing CSR Unit test due to expired test certificate\n2031085 - ovs-vswitchd running more threads than expected\n2031141 - Some pods not able to reach k8s api svc IP 198.223.0.1\n2031228 - CVE-2021-43813 grafana: directory traversal vulnerability\n2031502 - [RFE] New common templates crash the ui\n2031685 - Duplicated forward upstreams should be removed from the dns operator\n2031699 - The displayed ipv6 address of a dns upstream should be case sensitive\n2031797 - [RFE] Order and text of Boot source type input are wrong\n2031826 - CI tests needed to confirm driver-toolkit image contents\n2031831 - OCP Console - Global CSS overrides affecting dynamic plugins\n2031839 - Starting from Go 1.17 invalid certificates will render a cluster dysfunctional\n2031858 - GCP beta-level Role (was: CCO occasionally down, reporting networksecurity.googleapis.com API as disabled)\n2031875 - [RFE]: Provide online documentation for the SRO CRD (via oc explain)\n2031926 - [ipv6dualstack] After SVC conversion from single stack only to RequireDualStack, cannot curl NodePort from the node itself\n2032006 - openshift-gitops-application-controller-0 failed to schedule with sufficient node allocatable resource\n2032111 - arm64 cluster, create project and deploy the example deployment, pod is CrashLoopBackOff due to the image is built on linux+amd64\n2032141 - open the alertrule link in new tab, got empty page\n2032179 - [PROXY] external dns pod cannot reach to cloud API in the cluster behind a proxy\n2032296 - Cannot create machine with ephemeral disk on Azure\n2032407 - UI will show the default openshift template wizard for HANA template\n2032415 - Templates page - remove \"support level\" badge and add \"support level\" column which should not be hard coded\n2032421 - [RFE] UI integration with automatic updated images\n2032516 - Not able to import git repo with .devfile.yaml\n2032521 - openshift-installer intermittent failure on AWS with \"Error: Provider produced inconsistent result after apply\" when creating the aws_vpc_dhcp_options_association resource\n2032547 - hardware devices table have filter when table is empty\n2032565 - Deploying compressed files with a MachineConfig resource degrades the MachineConfigPool\n2032566 - Cluster-ingress-router does not support Azure Stack\n2032573 - Adopting enforces deploy_kernel/ramdisk which does not work with deploy_iso\n2032589 - DeploymentConfigs ignore resolve-names annotation\n2032732 - Fix styling conflicts due to recent console-wide CSS changes\n2032831 - Knative Services and Revisions are not shown when Service has no ownerReference\n2032851 - Networking is \"not available\" in Virtualization Overview\n2032926 - Machine API components should use K8s 1.23 dependencies\n2032994 - AddressPool IP is not allocated to service external IP wtih aggregationLength 24\n2032998 - Can not achieve 250 pods/node with OVNKubernetes in a multiple worker node cluster\n2033013 - Project dropdown in user preferences page is broken\n2033044 - Unable to change import strategy if devfile is invalid\n2033098 - Conjunction in ProgressiveListFooter.tsx is not translatable\n2033111 - IBM VPC operator library bump removed global CLI args\n2033138 - \"No model registered for Templates\" shows on customize wizard\n2033215 - Flaky CI: crud/other-routes.spec.ts fails sometimes with an cypress ace/a11y AssertionError: 1 accessibility violation was detected\n2033239 - [IPI on Alibabacloud] \u0027openshift-install\u0027 gets the wrong region (\u2018cn-hangzhou\u2019) selected\n2033257 - unable to use configmap for helm charts\n2033271 - [IPI on Alibabacloud] destroying cluster succeeded, but the resource group deletion wasn\u2019t triggered\n2033290 - Product builds for console are failing\n2033382 - MAPO is missing machine annotations\n2033391 - csi-driver-shared-resource-operator sets unused CVO-manifest annotations\n2033403 - Devfile catalog does not show provider information\n2033404 - Cloud event schema is missing source type and resource field is using wrong value\n2033407 - Secure route data is not pre-filled in edit flow form\n2033422 - CNO not allowing LGW conversion from SGW in runtime\n2033434 - Offer darwin/arm64 oc in clidownloads\n2033489 - CCM operator failing on baremetal platform\n2033518 - [aws-efs-csi-driver]Should not accept invalid FSType in sc for AWS EFS driver\n2033524 - [IPI on Alibabacloud] interactive installer cannot list existing base domains\n2033536 - [IPI on Alibabacloud] bootstrap complains invalid value for alibabaCloud.resourceGroupID when updating \"cluster-infrastructure-02-config.yml\" status, which leads to bootstrap failed and all master nodes NotReady\n2033538 - Gather Cost Management Metrics Custom Resource\n2033579 - SRO cannot update the special-resource-lifecycle ConfigMap if the data field is undefined\n2033587 - Flaky CI test project-dashboard.scenario.ts: Resource Quotas Card was not found on project detail page\n2033634 - list-style-type: disc is applied to the modal dropdowns\n2033720 - Update samples in 4.10\n2033728 - Bump OVS to 2.16.0-33\n2033729 - remove runtime request timeout restriction for azure\n2033745 - Cluster-version operator makes upstream update service / Cincinnati requests more frequently than intended\n2033749 - Azure Stack Terraform fails without Local Provider\n2033750 - Local volume should pull multi-arch image for kube-rbac-proxy\n2033751 - Bump kubernetes to 1.23\n2033752 - make verify fails due to missing yaml-patch\n2033784 - set kube-apiserver degraded=true if webhook matches a virtual resource\n2034004 - [e2e][automation] add tests for VM snapshot improvements\n2034068 - [e2e][automation] Enhance tests for 4.10 downstream\n2034087 - [OVN] EgressIP was assigned to the node which is not egress node anymore\n2034097 - [OVN] After edit EgressIP object, the status is not correct\n2034102 - [OVN] Recreate the deleted EgressIP object got InvalidEgressIP warning\n2034129 - blank page returned when clicking \u0027Get started\u0027 button\n2034144 - [OVN AWS] ovn-kube egress IP monitoring cannot detect the failure on ovn-k8s-mp0\n2034153 - CNO does not verify MTU migration for OpenShiftSDN\n2034155 - [OVN-K] [Multiple External Gateways] Per pod SNAT is disabled\n2034170 - Use function.knative.dev for Knative Functions related labels\n2034190 - unable to add new VirtIO disks to VMs\n2034192 - Prometheus fails to insert reporting metrics when the sample limit is met\n2034243 - regular user cant load template list\n2034245 - installing a cluster on aws, gcp always fails with \"Error: Incompatible provider version\"\n2034248 - GPU/Host device modal is too small\n2034257 - regular user `Create VM` missing permissions alert\n2034285 - [sig-api-machinery] API data in etcd should be stored at the correct location and version for all resources [Serial] [Suite:openshift/conformance/serial]\n2034287 - do not block upgrades if we can\u0027t create storageclass in 4.10 in vsphere\n2034300 - Du validator policy is NonCompliant after DU configuration completed\n2034319 - Negation constraint is not validating packages\n2034322 - CNO doesn\u0027t pick up settings required when ExternalControlPlane topology\n2034350 - The CNO should implement the Whereabouts IP reconciliation cron job\n2034362 - update description of disk interface\n2034398 - The Whereabouts IPPools CRD should include the podref field\n2034409 - Default CatalogSources should be pointing to 4.10 index images\n2034410 - Metallb BGP, BFD: prometheus is not scraping the frr metrics\n2034413 - cloud-network-config-controller fails to init with secret \"cloud-credentials\" not found in manual credential mode\n2034460 - Summary: cloud-network-config-controller does not account for different environment\n2034474 - Template\u0027s boot source is \"Unknown source\" before and after set enableCommonBootImageImport to true\n2034477 - [OVN] Multiple EgressIP objects configured, EgressIPs weren\u0027t working properly\n2034493 - Change cluster version operator log level\n2034513 - [OVN] After update one EgressIP in EgressIP object, one internal IP lost from lr-policy-list\n2034527 - IPI deployment fails \u0027timeout reached while inspecting the node\u0027 when provisioning network ipv6\n2034528 - [IBM VPC] volumeBindingMode should be WaitForFirstConsumer\n2034534 - Update ose-machine-api-provider-openstack images to be consistent with ART\n2034537 - Update team\n2034559 - KubeAPIErrorBudgetBurn firing outside recommended latency thresholds\n2034563 - [Azure] create machine with wrong ephemeralStorageLocation value success\n2034577 - Current OVN gateway mode should be reflected on node annotation as well\n2034621 - context menu not popping up for application group\n2034622 - Allow volume expansion by default in vsphere CSI storageclass 4.10\n2034624 - Warn about unsupported CSI driver in vsphere operator\n2034647 - missing volumes list in snapshot modal\n2034648 - Rebase openshift-controller-manager to 1.23\n2034650 - Rebase openshift/builder to 1.23\n2034705 - vSphere: storage e2e tests logging configuration data\n2034743 - EgressIP: assigning the same egress IP to a second EgressIP object after a ovnkube-master restart does not fail. \n2034766 - Special Resource Operator(SRO) - no cert-manager pod created in dual stack environment\n2034785 - ptpconfig with summary_interval cannot be applied\n2034823 - RHEL9 should be starred in template list\n2034838 - An external router can inject routes if no service is added\n2034839 - Jenkins sync plugin does not synchronize ConfigMap having label role=jenkins-agent\n2034879 - Lifecycle hook\u0027s name and owner shouldn\u0027t be allowed to be empty\n2034881 - Cloud providers components should use K8s 1.23 dependencies\n2034884 - ART cannot build the image because it tries to download controller-gen\n2034889 - `oc adm prune deployments` does not work\n2034898 - Regression in recently added Events feature\n2034957 - update openshift-apiserver to kube 1.23.1\n2035015 - ClusterLogForwarding CR remains stuck remediating forever\n2035093 - openshift-cloud-network-config-controller never runs on Hypershift cluster\n2035141 - [RFE] Show GPU/Host devices in template\u0027s details tab\n2035146 - \"kubevirt-plugin~PVC cannot be empty\" shows on add-disk modal while adding existing PVC\n2035167 - [cloud-network-config-controller] unable to deleted cloudprivateipconfig when deleting\n2035199 - IPv6 support in mtu-migration-dispatcher.yaml\n2035239 - e2e-metal-ipi-virtualmedia tests are permanently failing\n2035250 - Peering with ebgp peer over multi-hops doesn\u0027t work\n2035264 - [RFE] Provide a proper message for nonpriv user who not able to add PCI devices\n2035315 - invalid test cases for AWS passthrough mode\n2035318 - Upgrade management workflow needs to allow custom upgrade graph path for disconnected env\n2035321 - Add Sprint 211 translations\n2035326 - [ExternalCloudProvider] installation with additional network on workers fails\n2035328 - Ccoctl does not ignore credentials request manifest marked for deletion\n2035333 - Kuryr orphans ports on 504 errors from Neutron\n2035348 - Fix two grammar issues in kubevirt-plugin.json strings\n2035393 - oc set data --dry-run=server makes persistent changes to configmaps and secrets\n2035409 - OLM E2E test depends on operator package that\u0027s no longer published\n2035439 - SDN Automatic assignment EgressIP on GCP returned node IP adress not egressIP address\n2035453 - [IPI on Alibabacloud] 2 worker machines stuck in Failed phase due to connection to \u0027ecs-cn-hangzhou.aliyuncs.com\u0027 timeout, although the specified region is \u0027us-east-1\u0027\n2035454 - [IPI on Alibabacloud] the OSS bucket created during installation for image registry is not deleted after destroying the cluster\n2035467 - UI: Queried metrics can\u0027t be ordered on Oberve-\u003eMetrics page\n2035494 - [SDN Migration]ovnkube-node pods CrashLoopBackOff after sdn migrated to ovn for RHEL workers\n2035515 - [IBMCLOUD] allowVolumeExpansion should be true in storage class\n2035602 - [e2e][automation] add tests for Virtualization Overview page cards\n2035703 - Roles -\u003e RoleBindings tab doesn\u0027t show RoleBindings correctly\n2035704 - RoleBindings list page filter doesn\u0027t apply\n2035705 - Azure \u0027Destroy cluster\u0027 get stuck when the cluster resource group is already not existing. \n2035757 - [IPI on Alibabacloud] one master node turned NotReady which leads to installation failed\n2035772 - AccessMode and VolumeMode is not reserved for customize wizard\n2035847 - Two dashes in the Cronjob / Job pod name\n2035859 - the output of opm render doesn\u0027t contain olm.constraint which is defined in dependencies.yaml\n2035882 - [BIOS setting values] Create events for all invalid settings in spec\n2035903 - One redundant capi-operator credential requests in \u201coc adm extract --credentials-requests\u201d\n2035910 - [UI] Manual approval options are missing after ODF 4.10 installation starts when Manual Update approval is chosen\n2035927 - Cannot enable HighNodeUtilization scheduler profile\n2035933 - volume mode and access mode are empty in customize wizard review tab\n2035969 - \"ip a \" shows \"Error: Peer netns reference is invalid\" after create test pods\n2035986 - Some pods under kube-scheduler/kube-controller-manager are using the deprecated annotation\n2036006 - [BIOS setting values] Attempt to set Integer parameter results in preparation error\n2036029 - New added cloud-network-config operator doesn\u2019t supported aws sts format credential\n2036096 - [azure-file-csi-driver] there are no e2e tests for NFS backend\n2036113 - cluster scaling new nodes ovs-configuration fails on all new nodes\n2036567 - [csi-driver-nfs] Upstream merge: Bump k8s libraries to 1.23\n2036569 - [cloud-provider-openstack] Upstream merge: Bump k8s libraries to 1.23\n2036577 - OCP 4.10 nightly builds from 4.10.0-0.nightly-s390x-2021-12-18-034912 to 4.10.0-0.nightly-s390x-2022-01-11-233015 fail to upgrade from OCP 4.9.11 and 4.9.12 for network type OVNKubernetes for zVM hypervisor environments\n2036622 - sdn-controller crashes when restarted while a previous egress IP assignment exists\n2036717 - Valid AlertmanagerConfig custom resource with valid a mute time interval definition is rejected\n2036826 - `oc adm prune deployments` can prune the RC/RS\n2036827 - The ccoctl still accepts CredentialsRequests without ServiceAccounts on GCP platform\n2036861 - kube-apiserver is degraded while enable multitenant\n2036937 - Command line tools page shows wrong download ODO link\n2036940 - oc registry login fails if the file is empty or stdout\n2036951 - [cluster-csi-snapshot-controller-operator] proxy settings is being injected in container\n2036989 - Route URL copy to clipboard button wraps to a separate line by itself\n2036990 - ZTP \"DU Done inform policy\" never becomes compliant on multi-node clusters\n2036993 - Machine API components should use Go lang version 1.17\n2037036 - The tuned profile goes into degraded status and ksm.service is displayed in the log. \n2037061 - aws and gcp CredentialsRequest manifests missing ServiceAccountNames list for cluster-api\n2037073 - Alertmanager container fails to start because of startup probe never being successful\n2037075 - Builds do not support CSI volumes\n2037167 - Some log level in ibm-vpc-block-csi-controller are hard code\n2037168 - IBM-specific Deployment manifest for package-server-manager should be excluded on non-IBM cluster-profiles\n2037182 - PingSource badge color is not matched with knativeEventing color\n2037203 - \"Running VMs\" card is too small in Virtualization Overview\n2037209 - [IPI on Alibabacloud] worker nodes are put in the default resource group unexpectedly\n2037237 - Add \"This is a CD-ROM boot source\" to customize wizard\n2037241 - default TTL for noobaa cache buckets should be 0\n2037246 - Cannot customize auto-update boot source\n2037276 - [IBMCLOUD] vpc-node-label-updater may fail to label nodes appropriately\n2037288 - Remove stale image reference\n2037331 - Ensure the ccoctl behaviors are similar between aws and gcp on the existing resources\n2037483 - Rbacs for Pods within the CBO should be more restrictive\n2037484 - Bump dependencies to k8s 1.23\n2037554 - Mismatched wave number error message should include the wave numbers that are in conflict\n2037622 - [4.10-Alibaba CSI driver][Restore size for volumesnapshot/volumesnapshotcontent is showing as 0 in Snapshot feature for Alibaba platform]\n2037635 - impossible to configure custom certs for default console route in ingress config\n2037637 - configure custom certificate for default console route doesn\u0027t take effect for OCP \u003e= 4.8\n2037638 - Builds do not support CSI volumes as volume sources\n2037664 - text formatting issue in Installed Operators list table\n2037680 - [IPI on Alibabacloud] sometimes operator \u0027cloud-controller-manager\u0027 tells empty VERSION, due to conflicts on listening tcp :8080\n2037689 - [IPI on Alibabacloud] sometimes operator \u0027cloud-controller-manager\u0027 tells empty VERSION, due to conflicts on listening tcp :8080\n2037801 - Serverless installation is failing on CI jobs for e2e tests\n2037813 - Metal Day 1 Networking - networkConfig Field Only Accepts String Format\n2037856 - use lease for leader election\n2037891 - 403 Forbidden error shows for all the graphs in each grafana dashboard after upgrade from 4.9 to 4.10\n2037903 - Alibaba Cloud: delete-ram-user requires the credentials-requests\n2037904 - upgrade operator deployment failed due to memory limit too low for manager container\n2038021 - [4.10-Alibaba CSI driver][Default volumesnapshot class is not added/present after successful cluster installation]\n2038034 - non-privileged user cannot see auto-update boot source\n2038053 - Bump dependencies to k8s 1.23\n2038088 - Remove ipa-downloader references\n2038160 - The `default` project missed the annotation : openshift.io/node-selector: \"\"\n2038166 - Starting from Go 1.17 invalid certificates will render a cluster non-functional\n2038196 - must-gather is missing collecting some metal3 resources\n2038240 - Error when configuring a file using permissions bigger than decimal 511 (octal 0777)\n2038253 - Validator Policies are long lived\n2038272 - Failures to build a PreprovisioningImage are not reported\n2038384 - Azure Default Instance Types are Incorrect\n2038389 - Failing test: [sig-arch] events should not repeat pathologically\n2038412 - Import page calls the git file list unnecessarily twice from GitHub/GitLab/Bitbucket\n2038465 - Upgrade chromedriver to 90.x to support Mac M1 chips\n2038481 - kube-controller-manager-guard and openshift-kube-scheduler-guard pods being deleted and restarted on a cordoned node when drained\n2038596 - Auto egressIP for OVN cluster on GCP: After egressIP object is deleted, egressIP still takes effect\n2038663 - update kubevirt-plugin OWNERS\n2038691 - [AUTH-8] Panic on user login when the user belongs to a group in the IdP side and the group already exists via \"oc adm groups new\"\n2038705 - Update ptp reviewers\n2038761 - Open Observe-\u003eTargets page, wait for a while, page become blank\n2038768 - All the filters on the Observe-\u003eTargets page can\u0027t work\n2038772 - Some monitors failed to display on Observe-\u003eTargets page\n2038793 - [SDN EgressIP] After reboot egress node, the egressip was lost from egress node\n2038827 - should add user containers in /etc/subuid and /etc/subgid to support run pods in user namespaces\n2038832 - New templates for centos stream8 are missing registry suggestions in create vm wizard\n2038840 - [SDN EgressIP]cloud-network-config-controller pod was CrashLoopBackOff after some operation\n2038864 - E2E tests fail because multi-hop-net was not created\n2038879 - All Builds are getting listed in DeploymentConfig under workloads on OpenShift Console\n2038934 - CSI driver operators should use the trusted CA bundle when cluster proxy is configured\n2038968 - Move feature gates from a carry patch to openshift/api\n2039056 - Layout issue with breadcrumbs on API explorer page\n2039057 - Kind column is not wide enough in API explorer page\n2039064 - Bulk Import e2e test flaking at a high rate\n2039065 - Diagnose and fix Bulk Import e2e test that was previously disabled\n2039085 - Cloud credential operator configuration failing to apply in hypershift/ROKS clusters\n2039099 - [OVN EgressIP GCP] After reboot egress node, egressip that was previously assigned got lost\n2039109 - [FJ OCP4.10 Bug]: startironic.sh failed to pull the image of image-customization container when behind a proxy\n2039119 - CVO hotloops on Service openshift-monitoring/cluster-monitoring-operator\n2039170 - [upgrade]Error shown on registry operator \"missing the cloud-provider-config configmap\" after upgrade\n2039227 - Improve image customization server parameter passing during installation\n2039241 - Improve image customization server parameter passing during installation\n2039244 - Helm Release revision history page crashes the UI\n2039294 - SDN controller metrics cannot be consumed correctly by prometheus\n2039311 - oc Does Not Describe Build CSI Volumes\n2039315 - Helm release list page should only fetch secrets for deployed charts\n2039321 - SDN controller metrics are not being consumed by prometheus\n2039330 - Create NMState button doesn\u0027t work in OperatorHub web console\n2039339 - cluster-ingress-operator should report Unupgradeable if user has modified the aws resources annotations\n2039345 - CNO does not verify the minimum MTU value for IPv6/dual-stack clusters. \n2039359 - `oc adm prune deployments` can\u0027t prune the RS where the associated Deployment no longer exists\n2039382 - gather_metallb_logs does not have execution permission\n2039406 - logout from rest session after vsphere operator sync is finished\n2039408 - Add GCP region northamerica-northeast2 to allowed regions\n2039414 - Cannot see the weights increased for NodeAffinity, InterPodAffinity, TaintandToleration\n2039425 - No need to set KlusterletAddonConfig CR applicationManager-\u003eenabled: true in RAN ztp deployment\n2039491 - oc - git:// protocol used in unit tests\n2039516 - Bump OVN to ovn21.12-21.12.0-25\n2039529 - Project Dashboard Resource Quotas Card empty state test flaking at a high rate\n2039534 - Diagnose and fix Project Dashboard Resource Quotas Card test that was previously disabled\n2039541 - Resolv-prepender script duplicating entries\n2039586 - [e2e] update centos8 to centos stream8\n2039618 - VM created from SAP HANA template leads to 404 page if leave one network parameter empty\n2039619 - [AWS] In tree provisioner storageclass aws disk type should contain \u0027gp3\u0027 and csi provisioner storageclass default aws disk type should be \u0027gp3\u0027\n2039670 - Create PDBs for control plane components\n2039678 - Page goes blank when create image pull secret\n2039689 - [IPI on Alibabacloud] Pay-by-specification NAT is no longer supported\n2039743 - React missing key warning when open operator hub detail page (and maybe others as well)\n2039756 - React missing key warning when open KnativeServing details\n2039770 - Observe dashboard doesn\u0027t react on time-range changes after browser reload when perspective is changed in another tab\n2039776 - Observe dashboard shows nothing if the URL links to an non existing dashboard\n2039781 - [GSS] OBC is not visible by admin of a Project on Console\n2039798 - Contextual binding with Operator backed service creates visual connector instead of Service binding connector\n2039868 - Insights Advisor widget is not in the disabled state when the Insights Operator is disabled\n2039880 - Log level too low for control plane metrics\n2039919 - Add E2E test for router compression feature\n2039981 - ZTP for standard clusters installs stalld on master nodes\n2040132 - Flag --port has been deprecated, This flag has no effect now and will be removed in v1.24. You can use --secure-port instead\n2040136 - external-dns-operator pod keeps restarting and reports error: timed out waiting for cache to be synced\n2040143 - [IPI on Alibabacloud] suggest to remove region \"cn-nanjing\" or provide better error message\n2040150 - Update ConfigMap keys for IBM HPCS\n2040160 - [IPI on Alibabacloud] installation fails when region does not support pay-by-bandwidth\n2040285 - Bump build-machinery-go for console-operator to pickup change in yaml-patch repository\n2040357 - bump OVN to ovn-2021-21.12.0-11.el8fdp\n2040376 - \"unknown instance type\" error for supported m6i.xlarge instance\n2040394 - Controller: enqueue the failed configmap till services update\n2040467 - Cannot build ztp-site-generator container image\n2040504 - Change AWS EBS GP3 IOPS in MachineSet doesn\u0027t take affect in OpenShift 4\n2040521 - RouterCertsDegraded certificate could not validate route hostname v4-0-config-system-custom-router-certs.apps\n2040535 - Auto-update boot source is not available in customize wizard\n2040540 - ovs hardware offload: ovsargs format error when adding vf netdev name\n2040603 - rhel worker scaleup playbook failed because missing some dependency of podman\n2040616 - rolebindings page doesn\u0027t load for normal users\n2040620 - [MAPO] Error pulling MAPO image on installation\n2040653 - Topology sidebar warns that another component is updated while rendering\n2040655 - User settings update fails when selecting application in topology sidebar\n2040661 - Different react warnings about updating state on unmounted components when leaving topology\n2040670 - Permafailing CI job: periodic-ci-openshift-release-master-nightly-4.10-e2e-gcp-libvirt-cert-rotation\n2040671 - [Feature:IPv6DualStack] most tests are failing in dualstack ipi\n2040694 - Three upstream HTTPClientConfig struct fields missing in the operator\n2040705 - Du policy for standard cluster runs the PTP daemon on masters and workers\n2040710 - cluster-baremetal-operator cannot update BMC subscription CR\n2040741 - Add CI test(s) to ensure that metal3 components are deployed in vSphere, OpenStack and None platforms\n2040782 - Import YAML page blocks input with more then one generateName attribute\n2040783 - The Import from YAML summary page doesn\u0027t show the resource name if created via generateName attribute\n2040791 - Default PGT policies must be \u0027inform\u0027 to integrate with the Lifecycle Operator\n2040793 - Fix snapshot e2e failures\n2040880 - do not block upgrades if we can\u0027t connect to vcenter\n2041087 - MetalLB: MetalLB CR is not upgraded automatically from 4.9 to 4.10\n2041093 - autounattend.xml missing\n2041204 - link to templates in virtualization-cluster-overview inventory card is to all templates\n2041319 - [IPI on Alibabacloud] installation in region \"cn-shanghai\" failed, due to \"Resource alicloud_vswitch CreateVSwitch Failed...InvalidCidrBlock.Overlapped\"\n2041326 - Should bump cluster-kube-descheduler-operator to kubernetes version V1.23\n2041329 - aws and gcp CredentialsRequest manifests missing ServiceAccountNames list for cloud-network-config-controller\n2041361 - [IPI on Alibabacloud] Disable session persistence and removebBandwidth peak of listener\n2041441 - Provision volume with size 3000Gi even if sizeRange: \u0027[10-2000]GiB\u0027 in storageclass on IBM cloud\n2041466 - Kubedescheduler version is missing from the operator logs\n2041475 - React components should have a (mostly) unique name in react dev tools to simplify code analyses\n2041483 - MetallB: quay.io/openshift/origin-kube-rbac-proxy:4.10 deploy Metallb CR is missing (controller and speaker pods)\n2041492 - Spacing between resources in inventory card is too small\n2041509 - GCP Cloud provider components should use K8s 1.23 dependencies\n2041510 - cluster-baremetal-operator doesn\u0027t run baremetal-operator\u0027s subscription webhook\n2041541 - audit: ManagedFields are dropped using API not annotation\n2041546 - ovnkube: set election timer at RAFT cluster creation time\n2041554 - use lease for leader election\n2041581 - KubeDescheduler operator log shows \"Use of insecure cipher detected\"\n2041583 - etcd and api server cpu mask interferes with a guaranteed workload\n2041598 - Including CA bundle in Azure Stack cloud config causes MCO failure\n2041605 - Dynamic Plugins: discrepancy in proxy alias documentation/implementation\n2041620 - bundle CSV alm-examples does not parse\n2041641 - Fix inotify leak and kubelet retaining memory\n2041671 - Delete templates leads to 404 page\n2041694 - [IPI on Alibabacloud] installation fails when region does not support the cloud_essd disk category\n2041734 - ovs hwol: VFs are unbind when switchdev mode is enabled\n2041750 - [IPI on Alibabacloud] trying \"create install-config\" with region \"cn-wulanchabu (China (Ulanqab))\" (or \"ap-southeast-6 (Philippines (Manila))\", \"cn-guangzhou (China (Guangzhou))\") failed due to invalid endpoint\n2041763 - The Observe \u003e Alerting pages no longer have their default sort order applied\n2041830 - CI: ovn-kubernetes-master-e2e-aws-ovn-windows is broken\n2041854 - Communities / Local prefs are applied to all the services regardless of the pool, and only one community is applied\n2041882 - cloud-network-config operator can\u0027t work normal on GCP workload identity cluster\n2041888 - Intermittent incorrect build to run correlation, leading to run status updates applied to wrong build, builds stuck in non-terminal phases\n2041926 - [IPI on Alibabacloud] Installer ignores public zone when it does not exist\n2041971 - [vsphere] Reconciliation of mutating webhooks didn\u0027t happen\n2041989 - CredentialsRequest manifests being installed for ibm-cloud-managed profile\n2041999 - [PROXY] external dns pod cannot recognize custom proxy CA\n2042001 - unexpectedly found multiple load balancers\n2042029 - kubedescheduler fails to install completely\n2042036 - [IBMCLOUD] \"openshift-install explain installconfig.platform.ibmcloud\" contains not yet supported custom vpc parameters\n2042049 - Seeing warning related to unrecognized feature gate in kubescheduler \u0026 KCM logs\n2042059 - update discovery burst to reflect lots of CRDs on openshift clusters\n2042069 - Revert toolbox to rhcos-toolbox\n2042169 - Can not delete egressnetworkpolicy in Foreground propagation\n2042181 - MetalLB: User should not be allowed add same bgp advertisement twice in BGP address pool\n2042265 - [IBM]\"--scale-down-utilization-threshold\" doesn\u0027t work on IBMCloud\n2042274 - Storage API should be used when creating a PVC\n2042315 - Baremetal IPI deployment with IPv6 control plane and disabled provisioning network fails as the nodes do not pass introspection\n2042366 - Lifecycle hooks should be independently managed\n2042370 - [IPI on Alibabacloud] installer panics when the zone does not have an enhanced NAT gateway\n2042382 - [e2e][automation] CI takes more then 2 hours to run\n2042395 - Add prerequisites for active health checks test\n2042438 - Missing rpms in openstack-installer image\n2042466 - Selection does not happen when switching from Topology Graph to List View\n2042493 - No way to verify if IPs with leading zeros are still valid in the apiserver\n2042567 - insufficient info on CodeReady Containers configuration\n2042600 - Alone, the io.kubernetes.cri-o.Devices option poses a security risk\n2042619 - Overview page of the console is broken for hypershift clusters\n2042655 - [IPI on Alibabacloud] cluster becomes unusable if there is only one kube-apiserver pod running\n2042711 - [IBMCloud] Machine Deletion Hook cannot work on IBMCloud\n2042715 - [AliCloud] Machine Deletion Hook cannot work on AliCloud\n2042770 - [IPI on Alibabacloud] with vpcID \u0026 vswitchIDs specified, the installer would still try creating NAT gateway unexpectedly\n2042829 - Topology performance: HPA was fetched for each Deployment (Pod Ring)\n2042851 - Create template from SAP HANA template flow - VM is created instead of a new template\n2042906 - Edit machineset with same machine deletion hook name succeed\n2042960 - azure-file CI fails with \"gid(0) in storageClass and pod fsgroup(1000) are not equal\"\n2043003 - [IPI on Alibabacloud] \u0027destroy cluster\u0027 of a failed installation (bug2041694) stuck after \u0027stage=Nat gateways\u0027\n2043042 - [Serial] [sig-auth][Feature:OAuthServer] [RequestHeaders] [IdP] test RequestHeaders IdP [Suite:openshift/conformance/serial]\n2043043 - Cluster Autoscaler should use K8s 1.23 dependencies\n2043064 - Topology performance: Unnecessary rerenderings in topology nodes (unchanged mobx props)\n2043078 - Favorite system projects not visible in the project selector after toggling \"Show default projects\". \n2043117 - Recommended operators links are erroneously treated as external\n2043130 - Update CSI sidecars to the latest release for 4.10\n2043234 - Missing validation when creating several BGPPeers with the same peerAddress\n2043240 - Sync openshift/descheduler with sigs.k8s.io/descheduler\n2043254 - crio does not bind the security profiles directory\n2043296 - Ignition fails when reusing existing statically-keyed LUKS volume\n2043297 - [4.10] Bootimage bump tracker\n2043316 - RHCOS VM fails to boot on Nutanix AOS\n2043446 - Rebase aws-efs-utils to the latest upstream version. \n2043556 - Add proper ci-operator configuration to ironic and ironic-agent images\n2043577 - DPU network operator\n2043651 - Fix bug with exp. backoff working correcly when setting nextCheck in vsphere operator\n2043675 - Too many machines deleted by cluster autoscaler when scaling down\n2043683 - Revert bug 2039344 Ignoring IPv6 addresses against etcd cert validation\n2043709 - Logging flags no longer being bound to command line\n2043721 - Installer bootstrap hosts using outdated kubelet containing bugs\n2043731 - [IBMCloud] terraform outputs missing for ibmcloud bootstrap and worker ips for must-gather\n2043759 - Bump cluster-ingress-operator to k8s.io/api 1.23\n2043780 - Bump router to k8s.io/api 1.23\n2043787 - Bump cluster-dns-operator to k8s.io/api 1.23\n2043801 - Bump CoreDNS to k8s.io/api 1.23\n2043802 - EgressIP stopped working after single egressIP for a netnamespace is switched to the other node of HA pair after the first egress node is shutdown\n2043961 - [OVN-K] If pod creation fails, retry doesn\u0027t work as expected. \n2044201 - Templates golden image parameters names should be supported\n2044244 - Builds are failing after upgrading the cluster with builder image [jboss-webserver-5/jws56-openjdk8-openshift-rhel8]\n2044248 - [IBMCloud][vpc.block.csi.ibm.io]Cluster common user use the storageclass without parameter \u201ccsi.storage.k8s.io/fstype\u201d create pvc,pod successfully but write data to the pod\u0027s volume failed of \"Permission denied\"\n2044303 - [ovn][cloud-network-config-controller] cloudprivateipconfigs ips were left after deleting egressip objects\n2044347 - Bump to kubernetes 1.23.3\n2044481 - collect sharedresource cluster scoped instances with must-gather\n2044496 - Unable to create hardware events subscription - failed to add finalizers\n2044628 - CVE-2022-21673 grafana: Forward OAuth Identity Token can allow users to access some data sources\n2044680 - Additional libovsdb performance and resource consumption fixes\n2044704 - Observe \u003e Alerting pages should not show runbook links in 4.10\n2044717 - [e2e] improve tests for upstream test environment\n2044724 - Remove namespace column on VM list page when a project is selected\n2044745 - Upgrading cluster from 4.9 to 4.10 on Azure (ARO) causes the cloud-network-config-controller pod to CrashLoopBackOff\n2044808 - machine-config-daemon-pull.service: use `cp` instead of `cat` when extracting MCD in OKD\n2045024 - CustomNoUpgrade alerts should be ignored\n2045112 - vsphere-problem-detector has missing rbac rules for leases\n2045199 - SnapShot with Disk Hot-plug hangs\n2045561 - Cluster Autoscaler should use the same default Group value as Cluster API\n2045591 - Reconciliation of aws pod identity mutating webhook did not happen\n2045849 - Add Sprint 212 translations\n2045866 - MCO Operator pod spam \"Error creating event\" warning messages in 4.10\n2045878 - Sync upstream 1.16.0 downstream; includes hybrid helm plugin\n2045916 - [IBMCloud] Default machine profile in installer is unreliable\n2045927 - [FJ OCP4.10 Bug]: Podman failed to pull the IPA image due to the loss of proxy environment\n2046025 - [IPI on Alibabacloud] pre-configured alicloud DNS private zone is deleted after destroying cluster, please clarify\n2046137 - oc output for unknown commands is not human readable\n2046296 - When creating multiple consecutive egressIPs on GCP not all of them get assigned to the instance\n2046297 - Bump DB reconnect timeout\n2046517 - In Notification drawer, the \"Recommendations\" header shows when there isn\u0027t any recommendations\n2046597 - Observe \u003e Targets page may show the wrong service monitor is multiple monitors have the same namespace \u0026 label selectors\n2046626 - Allow setting custom metrics for Ansible-based Operators\n2046683 - [AliCloud]\"--scale-down-utilization-threshold\" doesn\u0027t work on AliCloud\n2047025 - Installation fails because of Alibaba CSI driver operator is degraded\n2047190 - Bump Alibaba CSI driver for 4.10\n2047238 - When using communities and localpreferences together, only localpreference gets applied\n2047255 - alibaba: resourceGroupID not found\n2047258 - [aws-usgov] fatal error occurred if AMI is not provided for AWS GovCloud regions\n2047317 - Update HELM OWNERS files under Dev Console\n2047455 - [IBM Cloud] Update custom image os type\n2047496 - Add image digest feature\n2047779 - do not degrade cluster if storagepolicy creation fails\n2047927 - \u0027oc get project\u0027 caused \u0027Observed a panic: cannot deep copy core.NamespacePhase\u0027 when AllRequestBodies is used\n2047929 - use lease for leader election\n2047975 - [sig-network][Feature:Router] The HAProxy router should override the route host for overridden domains with a custom value [Skipped:Disconnected] [Suite:openshift/conformance/parallel]\n2048046 - New route annotation to show another URL or hide topology URL decorator doesn\u0027t work for Knative Services\n2048048 - Application tab in User Preferences dropdown menus are too wide. \n2048050 - Topology list view items are not highlighted on keyboard navigation\n2048117 - [IBM]Shouldn\u0027t change status.storage.bucket and status.storage.resourceKeyCRN when update sepc.stroage,ibmcos with invalid value\n2048413 - Bond CNI: Failed to attach Bond NAD to pod\n2048443 - Image registry operator panics when finalizes config deletion\n2048478 - [alicloud] CCM deploys alibaba-cloud-controller-manager from quay.io/openshift/origin-*\n2048484 - SNO: cluster-policy-controller failed to start due to missing serving-cert/tls.crt\n2048598 - Web terminal view is broken\n2048836 - ovs-configure mis-detecting the ipv6 status on IPv4 only cluster causing Deployment failure\n2048891 - Topology page is crashed\n2049003 - 4.10: [IBMCloud] ibm-vpc-block-csi-node does not specify an update strategy, only resource requests, or priority class\n2049043 - Cannot create VM from template\n2049156 - \u0027oc get project\u0027 caused \u0027Observed a panic: cannot deep copy core.NamespacePhase\u0027 when AllRequestBodies is used\n2049886 - Placeholder bug for OCP 4.10.0 metadata release\n2049890 - Warning annotation for pods with cpu requests or limits on single-node OpenShift cluster without workload partitioning\n2050189 - [aws-efs-csi-driver] Merge upstream changes since v1.3.2\n2050190 - [aws-ebs-csi-driver] Merge upstream changes since v1.2.0\n2050227 - Installation on PSI fails with: \u0027openstack platform does not have the required standard-attr-tag network extension\u0027\n2050247 - Failing test in periodics: [sig-network] Services should respect internalTrafficPolicy=Local Pod and Node, to Pod (hostNetwork: true) [Feature:ServiceInternalTrafficPolicy] [Skipped:Network/OVNKubernetes] [Suite:openshift/conformance/parallel] [Suite:k8s]\n2050250 - Install fails to bootstrap, complaining about DefragControllerDegraded and sad members\n2050310 - ContainerCreateError when trying to launch large (\u003e500) numbers of pods across nodes\n2050370 - alert data for burn budget needs to be updated to prevent regression\n2050393 - ZTP missing support for local image registry and custom machine config\n2050557 - Can not push images to image-registry when enabling KMS encryption in AlibabaCloud\n2050737 - Remove metrics and events for master port offsets\n2050801 - Vsphere upi tries to access vsphere during manifests generation phase\n2050883 - Logger object in LSO does not log source location accurately\n2051692 - co/image-registry is degrade because ImagePrunerDegraded: Job has reached the specified backoff limit\n2052062 - Whereabouts should implement client-go 1.22+\n2052125 - [4.10] Crio appears to be coredumping in some scenarios\n2052210 - [aws-c2s] kube-apiserver crashloops due to missing cloud config\n2052339 - Failing webhooks will block an upgrade to 4.10 mid-way through the upgrade. \n2052458 - [IBM Cloud] ibm-vpc-block-csi-controller does not specify an update strategy, priority class, or only resource requests\n2052598 - kube-scheduler should use configmap lease\n2052599 - kube-controller-manger should use configmap lease\n2052600 - Failed to scaleup RHEL machine against OVN cluster due to jq tool is required by configure-ovs.sh\n2052609 - [vSphere CSI driver Operator] RWX volumes counts metrics `vsphere_rwx_volumes_total` not valid\n2052611 - MetalLB: BGPPeer object does not have ability to set ebgpMultiHop\n2052612 - MetalLB: Webhook Validation: Two BGPPeers instances can have different router ID set. \n2052644 - Infinite OAuth redirect loop post-upgrade to 4.10.0-rc.1\n2052666 - [4.10.z] change gitmodules to rhcos-4.10 branch\n2052756 - [4.10] PVs are not being cleaned up after PVC deletion\n2053175 - oc adm catalog mirror throws \u0027missing signature key\u0027 error when using file://local/index\n2053218 - ImagePull fails with error \"unable to pull manifest from example.com/busy.box:v5 invalid reference format\"\n2053252 - Sidepanel for Connectors/workloads in topology shows invalid tabs\n2053268 - inability to detect static lifecycle failure\n2053314 - requestheader IDP test doesn\u0027t wait for cleanup, causing high failure rates\n2053323 - OpenShift-Ansible BYOH Unit Tests are Broken\n2053339 - Remove dev preview badge from IBM FlashSystem deployment windows\n2053751 - ztp-site-generate container is missing convenience entrypoint\n2053945 - [4.10] Failed to apply sriov policy on intel nics\n2054109 - Missing \"app\" label\n2054154 - RoleBinding in project without subject is causing \"Project access\" page to fail\n2054244 - Latest pipeline run should be listed on the top of the pipeline run list\n2054288 - console-master-e2e-gcp-console is broken\n2054562 - DPU network operator 4.10 branch need to sync with master\n2054897 - Unable to deploy hw-event-proxy operator\n2055193 - e2e-metal-ipi-serial-ovn-ipv6 is failing frequently\n2055358 - Summary Interval Hardcoded in PTP Operator if Set in the Global Body Instead of Command Line\n2055371 - Remove Check which enforces summary_interval must match logSyncInterval\n2055689 - [ibm]Operator storage PROGRESSING and DEGRADED is true during fresh install for ocp4.11\n2055894 - CCO mint mode will not work for Azure after sunsetting of Active Directory Graph API\n2056441 - AWS EFS CSI driver should use the trusted CA bundle when cluster proxy is configured\n2056479 - ovirt-csi-driver-node pods are crashing intermittently\n2056572 - reconcilePrecaching error: cannot list resource \"clusterserviceversions\" in API group \"operators.coreos.com\" at the cluster scope\"\n2056629 - [4.10] EFS CSI driver can\u0027t unmount volumes with \"wait: no child processes\"\n2056878 - (dummy bug) ovn-kubernetes ExternalTrafficPolicy still SNATs\n2056928 - Ingresscontroller LB scope change behaviour differs for different values of aws-load-balancer-internal annotation\n2056948 - post 1.23 rebase: regression in service-load balancer reliability\n2057438 - Service Level Agreement (SLA) always show \u0027Unknown\u0027\n2057721 - Fix Proxy support in RHACM 2.4.2\n2057724 - Image creation fails when NMstateConfig CR is empty\n2058641 - [4.10] Pod density test causing problems when using kube-burner\n2059761 - 4.9.23-s390x-machine-os-content manifest invalid when mirroring content for disconnected install\n2060610 - Broken access to public images: Unable to connect to the server: no basic auth credentials\n2060956 - service domain can\u0027t be resolved when networkpolicy is used in OCP 4.10-rc\n\n5. References:\n\nhttps://access.redhat.com/security/cve/CVE-2014-3577\nhttps://access.redhat.com/security/cve/CVE-2016-10228\nhttps://access.redhat.com/security/cve/CVE-2017-14502\nhttps://access.redhat.com/security/cve/CVE-2018-20843\nhttps://access.redhat.com/security/cve/CVE-2018-1000858\nhttps://access.redhat.com/security/cve/CVE-2019-8625\nhttps://access.redhat.com/security/cve/CVE-2019-8710\nhttps://access.redhat.com/security/cve/CVE-2019-8720\nhttps://access.redhat.com/security/cve/CVE-2019-8743\nhttps://access.redhat.com/security/cve/CVE-2019-8764\nhttps://access.redhat.com/security/cve/CVE-2019-8766\nhttps://access.redhat.com/security/cve/CVE-2019-8769\nhttps://access.redhat.com/security/cve/CVE-2019-8771\nhttps://access.redhat.com/security/cve/CVE-2019-8782\nhttps://access.redhat.com/security/cve/CVE-2019-8783\nhttps://access.redhat.com/security/cve/CVE-2019-8808\nhttps://access.redhat.com/security/cve/CVE-2019-8811\nhttps://access.redhat.com/security/cve/CVE-2019-8812\nhttps://access.redhat.com/security/cve/CVE-2019-8813\nhttps://access.redhat.com/security/cve/CVE-2019-8814\nhttps://access.redhat.com/security/cve/CVE-2019-8815\nhttps://access.redhat.com/security/cve/CVE-2019-8816\nhttps://access.redhat.com/security/cve/CVE-2019-8819\nhttps://access.redhat.com/security/cve/CVE-2019-8820\nhttps://access.redhat.com/security/cve/CVE-2019-8823\nhttps://access.redhat.com/security/cve/CVE-2019-8835\nhttps://access.redhat.com/security/cve/CVE-2019-8844\nhttps://access.redhat.com/security/cve/CVE-2019-8846\nhttps://access.redhat.com/security/cve/CVE-2019-9169\nhttps://access.redhat.com/security/cve/CVE-2019-13050\nhttps://access.redhat.com/security/cve/CVE-2019-13627\nhttps://access.redhat.com/security/cve/CVE-2019-14889\nhttps://access.redhat.com/security/cve/CVE-2019-15903\nhttps://access.redhat.com/security/cve/CVE-2019-19906\nhttps://access.redhat.com/security/cve/CVE-2019-20454\nhttps://access.redhat.com/security/cve/CVE-2019-20807\nhttps://access.redhat.com/security/cve/CVE-2019-25013\nhttps://access.redhat.com/security/cve/CVE-2020-1730\nhttps://access.redhat.com/security/cve/CVE-2020-3862\nhttps://access.redhat.com/security/cve/CVE-2020-3864\nhttps://access.redhat.com/security/cve/CVE-2020-3865\nhttps://access.redhat.com/security/cve/CVE-2020-3867\nhttps://access.redhat.com/security/cve/CVE-2020-3868\nhttps://access.redhat.com/security/cve/CVE-2020-3885\nhttps://access.redhat.com/security/cve/CVE-2020-3894\nhttps://access.redhat.com/security/cve/CVE-2020-3895\nhttps://access.redhat.com/security/cve/CVE-2020-3897\nhttps://access.redhat.com/security/cve/CVE-2020-3899\nhttps://access.redhat.com/security/cve/CVE-2020-3900\nhttps://access.redhat.com/security/cve/CVE-2020-3901\nhttps://access.redhat.com/security/cve/CVE-2020-3902\nhttps://access.redhat.com/security/cve/CVE-2020-8927\nhttps://access.redhat.com/security/cve/CVE-2020-9802\nhttps://access.redhat.com/security/cve/CVE-2020-9803\nhttps://access.redhat.com/security/cve/CVE-2020-9805\nhttps://access.redhat.com/security/cve/CVE-2020-9806\nhttps://access.redhat.com/security/cve/CVE-2020-9807\nhttps://access.redhat.com/security/cve/CVE-2020-9843\nhttps://access.redhat.com/security/cve/CVE-2020-9850\nhttps://access.redhat.com/security/cve/CVE-2020-9862\nhttps://access.redhat.com/security/cve/CVE-2020-9893\nhttps://access.redhat.com/security/cve/CVE-2020-9894\nhttps://access.redhat.com/security/cve/CVE-2020-9895\nhttps://access.redhat.com/security/cve/CVE-2020-9915\nhttps://access.redhat.com/security/cve/CVE-2020-9925\nhttps://access.redhat.com/security/cve/CVE-2020-9952\nhttps://access.redhat.com/security/cve/CVE-2020-10018\nhttps://access.redhat.com/security/cve/CVE-2020-11793\nhttps://access.redhat.com/security/cve/CVE-2020-13434\nhttps://access.redhat.com/security/cve/CVE-2020-14391\nhttps://access.redhat.com/security/cve/CVE-2020-15358\nhttps://access.redhat.com/security/cve/CVE-2020-15503\nhttps://access.redhat.com/security/cve/CVE-2020-25660\nhttps://access.redhat.com/security/cve/CVE-2020-25677\nhttps://access.redhat.com/security/cve/CVE-2020-27618\nhttps://access.redhat.com/security/cve/CVE-2020-27781\nhttps://access.redhat.com/security/cve/CVE-2020-29361\nhttps://access.redhat.com/security/cve/CVE-2020-29362\nhttps://access.redhat.com/security/cve/CVE-2020-29363\nhttps://access.redhat.com/security/cve/CVE-2021-3121\nhttps://access.redhat.com/security/cve/CVE-2021-3326\nhttps://access.redhat.com/security/cve/CVE-2021-3449\nhttps://access.redhat.com/security/cve/CVE-2021-3450\nhttps://access.redhat.com/security/cve/CVE-2021-3516\nhttps://access.redhat.com/security/cve/CVE-2021-3517\nhttps://access.redhat.com/security/cve/CVE-2021-3518\nhttps://access.redhat.com/security/cve/CVE-2021-3520\nhttps://access.redhat.com/security/cve/CVE-2021-3521\nhttps://access.redhat.com/security/cve/CVE-2021-3537\nhttps://access.redhat.com/security/cve/CVE-2021-3541\nhttps://access.redhat.com/security/cve/CVE-2021-3733\nhttps://access.redhat.com/security/cve/CVE-2021-3749\nhttps://access.redhat.com/security/cve/CVE-2021-20305\nhttps://access.redhat.com/security/cve/CVE-2021-21684\nhttps://access.redhat.com/security/cve/CVE-2021-22946\nhttps://access.redhat.com/security/cve/CVE-2021-22947\nhttps://access.redhat.com/security/cve/CVE-2021-25215\nhttps://access.redhat.com/security/cve/CVE-2021-27218\nhttps://access.redhat.com/security/cve/CVE-2021-30666\nhttps://access.redhat.com/security/cve/CVE-2021-30761\nhttps://access.redhat.com/security/cve/CVE-2021-30762\nhttps://access.redhat.com/security/cve/CVE-2021-33928\nhttps://access.redhat.com/security/cve/CVE-2021-33929\nhttps://access.redhat.com/security/cve/CVE-2021-33930\nhttps://access.redhat.com/security/cve/CVE-2021-33938\nhttps://access.redhat.com/security/cve/CVE-2021-36222\nhttps://access.redhat.com/security/cve/CVE-2021-37750\nhttps://access.redhat.com/security/cve/CVE-2021-39226\nhttps://access.redhat.com/security/cve/CVE-2021-41190\nhttps://access.redhat.com/security/cve/CVE-2021-43813\nhttps://access.redhat.com/security/cve/CVE-2021-44716\nhttps://access.redhat.com/security/cve/CVE-2021-44717\nhttps://access.redhat.com/security/cve/CVE-2022-0532\nhttps://access.redhat.com/security/cve/CVE-2022-21673\nhttps://access.redhat.com/security/cve/CVE-2022-24407\nhttps://access.redhat.com/security/updates/classification/#moderate\n\n6. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2022 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBYipqONzjgjWX9erEAQjQcBAAgWTjA6Q2NgqfVf63ZpJF1jPurZLPqxDL\n0in/5+/wqWaiQ6yk7wM3YBZgviyKnAMCVdrLsaR7R77BvfJcTE3W/fzogxpp6Rne\neGT1PTgQRecrSIn+WG4gGSteavTULWOIoPvUiNpiy3Y7fFgjFdah+Nyx3Xd+xehM\nCEswylOd6Hr03KZ1tS3XL3kGL2botha48Yls7FzDFbNcy6TBAuycmQZifKu8mHaF\naDAupVJinDnnVgACeS6CnZTAD+Vrx5W7NIisteXv4x5Hy+jBIUHr8Yge3oxYoFnC\nY/XmuOw2KilLZuqFe+KHig45qT+FmNU8E1egcGpNWvmS8hGZfiG1jEQAqDPbZHxp\nsQAQZLQyz3TvXa29vp4QcsUuMxndIOi+QaK75JmqE06MqMIlFDYpr6eQOIgIZvFO\nRDZU/qvBjh56ypInoqInBf8KOQMy6eO+r6nFbMGcAfucXmz0EVcSP1oFHAoA1nWN\nrs1Qz/SO4CvdPERxcr1MLuBLggZ6iqGmHKk5IN0SwcndBHaVJ3j/LBv9m7wBYVry\nbSvojBDYx5ricbTwB5sGzu7oH5yVl813FA9cjkFpEhBiMtTfI+DKC8ssoRYNHd5Z\n7gLW6KWPUIDuCIiiioPZAJMyvJ0IMrNDoQ0lhqPeV7PFdlRhT95M/DagUZOpPVuT\nb5PUYUBIZLc=\n=GUDA\n-----END PGP SIGNATURE-----\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n. Description:\n\nRed Hat Advanced Cluster Management for Kubernetes 2.1.6 images\n\nRed Hat Advanced Cluster Management for Kubernetes provides the\ncapabilities to address common challenges that administrators and site\nreliability engineers face as they work across a range of public and\nprivate cloud environments. Clusters and applications are all visible and\nmanaged from a single console\u2014with security policy built in. \n\nBug fixes:\n\n* RHACM 2.1.6 images (BZ#1940581)\n\n* When generating the import cluster string, it can include unescaped\ncharacters (BZ#1934184)\n\n3. Bugs fixed (https://bugzilla.redhat.com/):\n\n1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash\n1929338 - CVE-2020-35149 mquery: Code injection via merge or clone operation\n1934184 - When generating the import cluster string, it can include unescaped characters\n1940581 - RHACM 2.1.6 images\n\n5. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. This software, such as Apache HTTP Server, is\ncommon to multiple JBoss middleware products, and is packaged under Red Hat\nJBoss Core Services to allow for faster distribution of updates, and for a\nmore consistent update experience. \n\nThis release adds the new Apache HTTP Server 2.4.37 Service Pack 7 packages\nthat are part of the JBoss Core Services offering. Solution:\n\nBefore applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on. \n\nThe References section of this erratum contains a download link for the\nupdate. You must be logged in to download the update. Bugs fixed (https://bugzilla.redhat.com/):\n\n1941547 - CVE-2021-3450 openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT\n1941554 - CVE-2021-3449 openssl: NULL pointer dereference in signature_algorithms processing\n\n5. It is comprised of the Apache\nHTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector\n(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat\nNative library",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-3450"
},
{
"db": "VULHUB",
"id": "VHN-388430"
},
{
"db": "VULMON",
"id": "CVE-2021-3450"
},
{
"db": "PACKETSTORM",
"id": "169659"
},
{
"db": "PACKETSTORM",
"id": "162699"
},
{
"db": "PACKETSTORM",
"id": "163209"
},
{
"db": "PACKETSTORM",
"id": "166279"
},
{
"db": "PACKETSTORM",
"id": "162183"
},
{
"db": "PACKETSTORM",
"id": "162337"
},
{
"db": "PACKETSTORM",
"id": "162196"
},
{
"db": "PACKETSTORM",
"id": "162197"
},
{
"db": "PACKETSTORM",
"id": "162201"
}
],
"trust": 1.89
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-3450",
"trust": 2.1
},
{
"db": "SIEMENS",
"id": "SSA-389290",
"trust": 1.2
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2021/03/28/3",
"trust": 1.2
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2021/03/27/2",
"trust": 1.2
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2021/03/28/4",
"trust": 1.2
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2021/03/27/1",
"trust": 1.2
},
{
"db": "TENABLE",
"id": "TNS-2021-05",
"trust": 1.2
},
{
"db": "TENABLE",
"id": "TNS-2021-09",
"trust": 1.2
},
{
"db": "TENABLE",
"id": "TNS-2021-08",
"trust": 1.2
},
{
"db": "PULSESECURE",
"id": "SA44845",
"trust": 1.2
},
{
"db": "MCAFEE",
"id": "SB10356",
"trust": 1.2
},
{
"db": "PACKETSTORM",
"id": "162337",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "162197",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "162196",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "162201",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "162183",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "162699",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "162151",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "162189",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "162383",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "163257",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "162172",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "162307",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "162200",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "162013",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "162041",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-388430",
"trust": 0.1
},
{
"db": "ICS CERT",
"id": "ICSA-22-069-09",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2021-3450",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "169659",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "163209",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "166279",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-388430"
},
{
"db": "VULMON",
"id": "CVE-2021-3450"
},
{
"db": "PACKETSTORM",
"id": "169659"
},
{
"db": "PACKETSTORM",
"id": "162699"
},
{
"db": "PACKETSTORM",
"id": "163209"
},
{
"db": "PACKETSTORM",
"id": "166279"
},
{
"db": "PACKETSTORM",
"id": "162183"
},
{
"db": "PACKETSTORM",
"id": "162337"
},
{
"db": "PACKETSTORM",
"id": "162196"
},
{
"db": "PACKETSTORM",
"id": "162197"
},
{
"db": "PACKETSTORM",
"id": "162201"
},
{
"db": "NVD",
"id": "CVE-2021-3450"
}
]
},
"id": "VAR-202103-1463",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-388430"
}
],
"trust": 0.430409355
},
"last_update_date": "2024-11-29T19:36:24.616000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "The Register",
"trust": 0.2,
"url": "https://www.theregister.co.uk/2021/03/25/openssl_bug_fix/"
},
{
"title": "Red Hat: CVE-2021-3450",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=CVE-2021-3450"
},
{
"title": "IBM: Security Bulletin: OpenSSL Vulnerabilities Affect IBM Sterling Connect:Express for UNIX (CVE-2021-3449, CVE-2021-3450)",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=084930e972e3fa390ca483e019684fa8"
},
{
"title": "Arch Linux Advisories: [ASA-202103-10] openssl: multiple issues",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories\u0026qid=ASA-202103-10"
},
{
"title": "Amazon Linux 2: ALAS2-2021-1622",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=ALAS2-2021-1622"
},
{
"title": "Arch Linux Issues: ",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues\u0026qid=CVE-2021-3450 log"
},
{
"title": "Cisco: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2021",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts\u0026qid=cisco-sa-openssl-2021-GHY28dJd"
},
{
"title": "Tenable Security Advisories: [R1] Nessus 8.13.2 Fixes Multiple Third-party Vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=tenable_security_advisories\u0026qid=TNS-2021-05"
},
{
"title": "Hitachi Security Advisories: Multiple Vulnerabilities in Hitachi Ops Center Common Services",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=hitachi_security_advisories\u0026qid=hitachi-sec-2021-117"
},
{
"title": "Tenable Security Advisories: [R1] Nessus Network Monitor 5.13.1 Fixes Multiple Third-party Vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=tenable_security_advisories\u0026qid=TNS-2021-09"
},
{
"title": "Hitachi Security Advisories: Multiple Vulnerabilities in Hitachi Ops Center Analyzer viewpoint",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=hitachi_security_advisories\u0026qid=hitachi-sec-2021-119"
},
{
"title": "IBM: Security Bulletin: Vulnerabilities in XStream, Java, OpenSSL, WebSphere Application Server Liberty and Node.js affect IBM Spectrum Control",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=928e1f86fc9400462623e646ce4f11d9"
},
{
"title": "Red Hat: Moderate: OpenShift Container Platform 4.10.3 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20220056 - Security Advisory"
},
{
"title": "Siemens Security Advisories: Siemens Security Advisory",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories\u0026qid=4a9822530e6b610875f83ffc10e02aba"
},
{
"title": "Siemens Security Advisories: Siemens Security Advisory",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories\u0026qid=ec6577109e640dac19a6ddb978afe82d"
},
{
"title": "yr_of_the_jellyfish",
"trust": 0.1,
"url": "https://github.com/rnbochsr/yr_of_the_jellyfish "
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/tianocore-docs/ThirdPartySecurityAdvisories "
},
{
"title": "tekton-image-scan-trivy",
"trust": 0.1,
"url": "https://github.com/vinamra28/tekton-image-scan-trivy "
},
{
"title": "TASSL-1.1.1k",
"trust": 0.1,
"url": "https://github.com/jntass/TASSL-1.1.1k "
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/scholarnishu/Trivy-by-AquaSecurity "
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/teresaweber685/book_list "
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/isgo-golgo13/gokit-gorillakit-enginesvc "
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/fredrkl/trivy-demo "
},
{
"title": "BleepingComputer",
"trust": 0.1,
"url": "https://www.bleepingcomputer.com/news/security/openssl-fixes-severe-dos-certificate-validation-vulnerabilities/"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2021-3450"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-295",
"trust": 1.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-388430"
},
{
"db": "NVD",
"id": "CVE-2021-3450"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.3,
"url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-openssl-2021-ghy28djd"
},
{
"trust": 1.3,
"url": "https://www.openssl.org/news/secadv/20210325.txt"
},
{
"trust": 1.2,
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
},
{
"trust": 1.2,
"url": "https://kb.pulsesecure.net/articles/pulse_security_advisories/sa44845"
},
{
"trust": 1.2,
"url": "https://psirt.global.sonicwall.com/vuln-detail/snwlid-2021-0013"
},
{
"trust": 1.2,
"url": "https://security.netapp.com/advisory/ntap-20210326-0006/"
},
{
"trust": 1.2,
"url": "https://www.tenable.com/security/tns-2021-05"
},
{
"trust": 1.2,
"url": "https://www.tenable.com/security/tns-2021-08"
},
{
"trust": 1.2,
"url": "https://www.tenable.com/security/tns-2021-09"
},
{
"trust": 1.2,
"url": "https://security.gentoo.org/glsa/202103-03"
},
{
"trust": 1.2,
"url": "https://mta.openssl.org/pipermail/openssl-announce/2021-march/000198.html"
},
{
"trust": 1.2,
"url": "https://security.freebsd.org/advisories/freebsd-sa-21:07.openssl.asc"
},
{
"trust": 1.2,
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"trust": 1.2,
"url": "https://www.oracle.com/security-alerts/cpuapr2021.html"
},
{
"trust": 1.2,
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"trust": 1.2,
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"trust": 1.2,
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"trust": 1.2,
"url": "http://www.openwall.com/lists/oss-security/2021/03/27/1"
},
{
"trust": 1.2,
"url": "http://www.openwall.com/lists/oss-security/2021/03/27/2"
},
{
"trust": 1.2,
"url": "http://www.openwall.com/lists/oss-security/2021/03/28/3"
},
{
"trust": 1.2,
"url": "http://www.openwall.com/lists/oss-security/2021/03/28/4"
},
{
"trust": 1.1,
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=sb10356"
},
{
"trust": 1.1,
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3ba=commitdiff%3bh=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b"
},
{
"trust": 1.1,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ccbfllvqvilivgzmbjl3ixzgkwqisynp/"
},
{
"trust": 0.9,
"url": "https://access.redhat.com/security/cve/cve-2021-3450"
},
{
"trust": 0.8,
"url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2021-3449"
},
{
"trust": 0.8,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3449"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3450"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2021-20305"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-25678"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-25678"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-20305"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-3139"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-3528"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-15358"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-14502"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-13434"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-29362"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2017-14502"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-10228"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2019-9169"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-25013"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-29361"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-3326"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2019-25013"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-8927"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-29363"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2016-10228"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-27618"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-3121"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.1,
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b"
},
{
"trust": 0.1,
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026amp;id=sb10356"
},
{
"trust": 0.1,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ccbfllvqvilivgzmbjl3ixzgkwqisynp/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/295.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-069-09"
},
{
"trust": 0.1,
"url": "https://www.openssl.org/support/contracts.html"
},
{
"trust": 0.1,
"url": "https://www.openssl.org/policies/secpolicy.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-7774"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:2041"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-7774"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-7608"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-26289"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3139"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-26160"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-7608"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-28362"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3114"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-28362"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3528"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-8565"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-26160"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-8565"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3114"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_openshift_container_s"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-26289"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-8286"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-26116"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:2479"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-28196"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-15358"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-23240"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-27618"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-13543"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-26137"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9951"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-23239"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-13776"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-36242"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-3842"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-13776"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-24977"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-8231"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-8231"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-27619"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-24977"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9948"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-13012"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-13434"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-8285"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-25659"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-14866"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-26116"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14866"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-13584"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-26137"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-13543"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-36242"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-13584"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-27783"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-28196"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-25659"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-27783"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-27619"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9983"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3177"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-9169"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-29362"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-2708"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-23336"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-3842"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-13012"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-2708"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-29363"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-8284"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-29361"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-13050"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9925"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9802"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-8771"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-30762"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33938"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-8783"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9895"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8625"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-44716"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-8812"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8812"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-3899"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8819"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-43813"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-3867"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-20454"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8720"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9893"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33930"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-8782"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8808"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-3902"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-24407"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-25215"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-3900"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-30761"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33928"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-8743"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3537"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9805"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-19906"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8820"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9807"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8769"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8710"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-37750"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8813"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9850"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-8710"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-27781"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8811"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-8769"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:0055"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-22947"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-27218"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9803"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-8764"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9862"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2014-3577"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-3577"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3749"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-3885"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-15503"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-20807"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-41190"
},
{
"trust": 0.1,
"url": "https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-10018"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14889"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-25660"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8835"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8764"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3733"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8844"
},
{
"trust": 0.1,
"url": "https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-3865"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-1730"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-3864"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-19906"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3520"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-21684"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-13627"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-14391"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3541"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-3862"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:0056"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-8811"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-3901"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-39226"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8823"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3518"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-8808"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2018-1000858"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-15903"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-3895"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-44717"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-11793"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-1000858"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-20454"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2018-20843"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-0532"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-8720"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9894"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8816"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9843"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-13627"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8771"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-13050"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-3897"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9806"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8814"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-14889"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-20843"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8743"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33929"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9915"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-36222"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8815"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-8813"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-8625"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-8766"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8783"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-20807"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3516"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9952"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3517"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-22946"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-21673"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-15903"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8766"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-3868"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8846"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-3894"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-25677"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-30666"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8782"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3521"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:1196"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-27363"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_mana"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-20218"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-20218"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3121"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3347"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-28374"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:1369"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-27364"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-35149"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-26708"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-0466"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-27152"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-27365"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-35149"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-27363"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-27152"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3347"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-14040"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-27365"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-0466"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-27364"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-14040"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-28374"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-26708"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:1199"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:1200"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=core.service.apachehttp\u0026downloadtype=securitypatches\u0026version=2.4.37"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:1202"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-388430"
},
{
"db": "VULMON",
"id": "CVE-2021-3450"
},
{
"db": "PACKETSTORM",
"id": "169659"
},
{
"db": "PACKETSTORM",
"id": "162699"
},
{
"db": "PACKETSTORM",
"id": "163209"
},
{
"db": "PACKETSTORM",
"id": "166279"
},
{
"db": "PACKETSTORM",
"id": "162183"
},
{
"db": "PACKETSTORM",
"id": "162337"
},
{
"db": "PACKETSTORM",
"id": "162196"
},
{
"db": "PACKETSTORM",
"id": "162197"
},
{
"db": "PACKETSTORM",
"id": "162201"
},
{
"db": "NVD",
"id": "CVE-2021-3450"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-388430"
},
{
"db": "VULMON",
"id": "CVE-2021-3450"
},
{
"db": "PACKETSTORM",
"id": "169659"
},
{
"db": "PACKETSTORM",
"id": "162699"
},
{
"db": "PACKETSTORM",
"id": "163209"
},
{
"db": "PACKETSTORM",
"id": "166279"
},
{
"db": "PACKETSTORM",
"id": "162183"
},
{
"db": "PACKETSTORM",
"id": "162337"
},
{
"db": "PACKETSTORM",
"id": "162196"
},
{
"db": "PACKETSTORM",
"id": "162197"
},
{
"db": "PACKETSTORM",
"id": "162201"
},
{
"db": "NVD",
"id": "CVE-2021-3450"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-03-25T00:00:00",
"db": "VULHUB",
"id": "VHN-388430"
},
{
"date": "2021-03-25T00:00:00",
"db": "VULMON",
"id": "CVE-2021-3450"
},
{
"date": "2021-03-25T12:12:12",
"db": "PACKETSTORM",
"id": "169659"
},
{
"date": "2021-05-19T14:22:15",
"db": "PACKETSTORM",
"id": "162699"
},
{
"date": "2021-06-17T18:34:10",
"db": "PACKETSTORM",
"id": "163209"
},
{
"date": "2022-03-11T16:38:38",
"db": "PACKETSTORM",
"id": "166279"
},
{
"date": "2021-04-14T16:40:32",
"db": "PACKETSTORM",
"id": "162183"
},
{
"date": "2021-04-26T19:21:56",
"db": "PACKETSTORM",
"id": "162337"
},
{
"date": "2021-04-15T13:49:54",
"db": "PACKETSTORM",
"id": "162196"
},
{
"date": "2021-04-15T13:50:04",
"db": "PACKETSTORM",
"id": "162197"
},
{
"date": "2021-04-15T13:50:39",
"db": "PACKETSTORM",
"id": "162201"
},
{
"date": "2021-03-25T15:15:13.560000",
"db": "NVD",
"id": "CVE-2021-3450"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-02-28T00:00:00",
"db": "VULHUB",
"id": "VHN-388430"
},
{
"date": "2023-11-07T00:00:00",
"db": "VULMON",
"id": "CVE-2021-3450"
},
{
"date": "2024-11-21T06:21:33.633000",
"db": "NVD",
"id": "CVE-2021-3450"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "OpenSSL Security Advisory 20210325",
"sources": [
{
"db": "PACKETSTORM",
"id": "169659"
}
],
"trust": 0.1
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "xss",
"sources": [
{
"db": "PACKETSTORM",
"id": "163209"
}
],
"trust": 0.1
}
}
var-202109-1805
Vulnerability from variot
Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier. The server is fast, reliable and extensible through a simple API. No detailed vulnerability details are currently provided. 7) - noarch, x86_64
Bug Fix(es):
- proxy rewrite to unix socket fails with CVE-2021-40438 fix (BZ#2022319)
Additional changes:
- To fix CVE-2022-29404, the default value for the "LimitRequestBody" directive in the Apache HTTP Server has been changed from 0 (unlimited) to 1 GiB.
On systems where the value of "LimitRequestBody" is not explicitly specified in an httpd configuration file, updating the httpd package sets "LimitRequestBody" to the default value of 1 GiB. As a consequence, if the total size of the HTTP request body exceeds this 1 GiB default limit, httpd returns the 413 Request Entity Too Large error code.
If the new default allowed size of an HTTP request message body is insufficient for your use case, update your httpd configuration files within the respective context (server, per-directory, per-file, or per-location) and set your preferred limit in bytes. For example, to set a new 2 GiB limit, use:
LimitRequestBody 2147483648
Systems already configured to use any explicit value for the "LimitRequestBody" directive are unaffected by this change.
For the oldstable distribution (buster), these problems have been fixed in version 2.4.38-3+deb10u6.
For the stable distribution (bullseye), these problems have been fixed in version 2.4.51-1~deb11u1.
We recommend that you upgrade your apache2 packages.
For the detailed security status of apache2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/apache2
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmFgr44ACgkQEMKTtsN8 TjbophAAiZ+fhF2r8BUbQkL8BhpfqjA+hVsp9WEMTn8Gq6kiW0wLvK3jWPM301Ou D4gHqKmFPmYNC1KBOyk/lJdxyD7iTUweUyLi3WXzxhIDMx0kxkRw1oXlyCHzIqSJ M277bgk32h2cDCbsXjrN/8agKPcKgfwDqiyf/igfEq6V8OB2zVvJPKVFq45n54+q 4FPXSyx1g2u5ewSeXbU2uHDej6Qborui4osDdbwx8CT6aETi0cIXJ8RbXF3PUCHG 5DzZagnRq6GumPsl01jcPu7b9Ck8MlkxMSG3FRsSIJVkwpsQ2C34ywIJkFlzUZZh jhdVUrfbyfLpSdcPcipAAjl9I6gDqa9SFdMRK7ixCpQ6iTiVeDZdJ8pA4jnSweNQ THik07di9R0juX0p7peQiIyBKrEf7Y3WSvLOn0SBKXvZnzc/72rH2nP5FclsgCsV TWxptziGridC43KB8/tDJAAOXVF2lzylzF70V/UGTNo1jk9w3/p6btU1iuzKspyY Y4aPZla3DImI8mezrgFrGYNg7bZYLKuJyGDADKih2sUQpzmDZ6MJxKAE3NLRWyQa 7cCJdoNR9yVqytEw1Y/ZRXAXWfMb3Y1ts2EqR8hzLQgMYb0JC58cLMG3T0RgyPoO A4CTIoYpK1WnsykAE8M4XFrnOW3lrtse6T8N/dTVMuodElAEhc0= =/At6 -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Important: httpd security update Advisory ID: RHSA-2022:0143-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2022:0143 Issue date: 2022-01-17 CVE Names: CVE-2021-26691 CVE-2021-34798 CVE-2021-39275 CVE-2021-44790 ==================================================================== 1. Summary:
An update for httpd is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
Security Fix(es):
-
httpd: mod_lua: Possible buffer overflow when parsing multipart content (CVE-2021-44790)
-
httpd: mod_session: Heap overflow via a crafted SessionHeader value (CVE-2021-26691)
-
httpd: NULL pointer dereference via malformed requests (CVE-2021-34798)
-
httpd: Out-of-bounds write in ap_escape_quotes() via malicious input (CVE-2021-39275)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
- Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the updated packages, the httpd daemon will be restarted automatically.
- Bugs fixed (https://bugzilla.redhat.com/):
1966732 - CVE-2021-26691 httpd: mod_session: Heap overflow via a crafted SessionHeader value 2005119 - CVE-2021-39275 httpd: Out-of-bounds write in ap_escape_quotes() via malicious input 2005128 - CVE-2021-34798 httpd: NULL pointer dereference via malformed requests 2034674 - CVE-2021-44790 httpd: mod_lua: Possible buffer overflow when parsing multipart content
- Package List:
Red Hat Enterprise Linux Client Optional (v. 7):
Source: httpd-2.4.6-97.el7_9.4.src.rpm
noarch: httpd-manual-2.4.6-97.el7_9.4.noarch.rpm
x86_64: httpd-2.4.6-97.el7_9.4.x86_64.rpm httpd-debuginfo-2.4.6-97.el7_9.4.x86_64.rpm httpd-devel-2.4.6-97.el7_9.4.x86_64.rpm httpd-tools-2.4.6-97.el7_9.4.x86_64.rpm mod_ldap-2.4.6-97.el7_9.4.x86_64.rpm mod_proxy_html-2.4.6-97.el7_9.4.x86_64.rpm mod_session-2.4.6-97.el7_9.4.x86_64.rpm mod_ssl-2.4.6-97.el7_9.4.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
Source: httpd-2.4.6-97.el7_9.4.src.rpm
noarch: httpd-manual-2.4.6-97.el7_9.4.noarch.rpm
x86_64: httpd-2.4.6-97.el7_9.4.x86_64.rpm httpd-debuginfo-2.4.6-97.el7_9.4.x86_64.rpm httpd-devel-2.4.6-97.el7_9.4.x86_64.rpm httpd-tools-2.4.6-97.el7_9.4.x86_64.rpm mod_ldap-2.4.6-97.el7_9.4.x86_64.rpm mod_proxy_html-2.4.6-97.el7_9.4.x86_64.rpm mod_session-2.4.6-97.el7_9.4.x86_64.rpm mod_ssl-2.4.6-97.el7_9.4.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source: httpd-2.4.6-97.el7_9.4.src.rpm
noarch: httpd-manual-2.4.6-97.el7_9.4.noarch.rpm
ppc64: httpd-2.4.6-97.el7_9.4.ppc64.rpm httpd-debuginfo-2.4.6-97.el7_9.4.ppc64.rpm httpd-devel-2.4.6-97.el7_9.4.ppc64.rpm httpd-tools-2.4.6-97.el7_9.4.ppc64.rpm mod_session-2.4.6-97.el7_9.4.ppc64.rpm mod_ssl-2.4.6-97.el7_9.4.ppc64.rpm
ppc64le: httpd-2.4.6-97.el7_9.4.ppc64le.rpm httpd-debuginfo-2.4.6-97.el7_9.4.ppc64le.rpm httpd-devel-2.4.6-97.el7_9.4.ppc64le.rpm httpd-tools-2.4.6-97.el7_9.4.ppc64le.rpm mod_session-2.4.6-97.el7_9.4.ppc64le.rpm mod_ssl-2.4.6-97.el7_9.4.ppc64le.rpm
s390x: httpd-2.4.6-97.el7_9.4.s390x.rpm httpd-debuginfo-2.4.6-97.el7_9.4.s390x.rpm httpd-devel-2.4.6-97.el7_9.4.s390x.rpm httpd-tools-2.4.6-97.el7_9.4.s390x.rpm mod_session-2.4.6-97.el7_9.4.s390x.rpm mod_ssl-2.4.6-97.el7_9.4.s390x.rpm
x86_64: httpd-2.4.6-97.el7_9.4.x86_64.rpm httpd-debuginfo-2.4.6-97.el7_9.4.x86_64.rpm httpd-devel-2.4.6-97.el7_9.4.x86_64.rpm httpd-tools-2.4.6-97.el7_9.4.x86_64.rpm mod_session-2.4.6-97.el7_9.4.x86_64.rpm mod_ssl-2.4.6-97.el7_9.4.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64: httpd-debuginfo-2.4.6-97.el7_9.4.ppc64.rpm mod_ldap-2.4.6-97.el7_9.4.ppc64.rpm mod_proxy_html-2.4.6-97.el7_9.4.ppc64.rpm
ppc64le: httpd-debuginfo-2.4.6-97.el7_9.4.ppc64le.rpm mod_ldap-2.4.6-97.el7_9.4.ppc64le.rpm mod_proxy_html-2.4.6-97.el7_9.4.ppc64le.rpm
s390x: httpd-debuginfo-2.4.6-97.el7_9.4.s390x.rpm mod_ldap-2.4.6-97.el7_9.4.s390x.rpm mod_proxy_html-2.4.6-97.el7_9.4.s390x.rpm
x86_64: httpd-debuginfo-2.4.6-97.el7_9.4.x86_64.rpm mod_ldap-2.4.6-97.el7_9.4.x86_64.rpm mod_proxy_html-2.4.6-97.el7_9.4.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source: httpd-2.4.6-97.el7_9.4.src.rpm
noarch: httpd-manual-2.4.6-97.el7_9.4.noarch.rpm
x86_64: httpd-2.4.6-97.el7_9.4.x86_64.rpm httpd-debuginfo-2.4.6-97.el7_9.4.x86_64.rpm httpd-devel-2.4.6-97.el7_9.4.x86_64.rpm httpd-tools-2.4.6-97.el7_9.4.x86_64.rpm mod_session-2.4.6-97.el7_9.4.x86_64.rpm mod_ssl-2.4.6-97.el7_9.4.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64: httpd-debuginfo-2.4.6-97.el7_9.4.x86_64.rpm mod_ldap-2.4.6-97.el7_9.4.x86_64.rpm mod_proxy_html-2.4.6-97.el7_9.4.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2021-26691 https://access.redhat.com/security/cve/CVE-2021-34798 https://access.redhat.com/security/cve/CVE-2021-39275 https://access.redhat.com/security/cve/CVE-2021-44790 https://access.redhat.com/security/updates/classification/#important
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBYeVdC9zjgjWX9erEAQgzNw/8CjsxUvDW64dwvpcYH/OWJhKqvD53sX+w ivf4+hhCsEVLvrjD0eTNkbeza+dcZqoR5swL0IjAGXKJ/0q/oh4/yxq2ydgvEYsY rAjts0tnynoswBaFo6eaBlcNxQroGID0uqgXkUFt37m4eetACuOSVRcZ7/sNsqBS iQF4l16vjNvKeOdKY8nSNe77Dt1/Lj41NoL6XbAZPuvaiLBqqGOY9xYfZSSmFHFq H4dB8cfMC4cWysFtnzffJ+dJdzcWNOxklwLlZe72JoAJYP59da2YuIoE2LsQRGPC Occ84zH/UZx4JWJhF7FEEALC/tizfFqu9qWr1OIDmSVTEAZ+6IZ/mDeF83+0Mrc4 AiV3oiJi7Fx4XTDUL8fim+FORaSI2IR7LK1Zjau1qCN04ayyFXwJdK/fwgIWJHon gYhyUsAj7F7At9m8cCVRP5K4jjmr0qrmsF1M1B6xqMLWlYNcWu3obJS/FbiSdwQJ 7jFdBagThGOzIle0eGk0iMZ+vRJSuaSMZ7GDA14o46KB+EkvYLe+wi6jBQXJeD6Q Oueenu2JiMvB8+dJNYrn9uQY+8WHyCVV1HMMmVo9LajA1FJRXgMIQN5ZmDMoDW73 qFV+VCOHtKPI2hC8ngZYy2RyEUhK4t3f7xmJgtoJ4/DuaGsRWL7xZPL7gLHxWnS4 5VjPyLrWg5U=TyMo -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . 8) - aarch64, noarch, ppc64le, s390x, x86_64
-
Gentoo Linux Security Advisory GLSA 202208-20
https://security.gentoo.org/
Severity: High Title: Apache HTTPD: Multiple Vulnerabilities Date: August 14, 2022 Bugs: #813429, #816399, #816864, #829722, #835131, #850622 ID: 202208-20
Synopsis
Multiple vulnerabilities have been discovered in Apache Webserver, the worst of which could result in remote code execution. Please review the CVE identifiers referenced below for details.
Impact
Please review the referenced CVE identifiers for details.
Workaround
There is no known workaround at this time.
Resolution
All Apache HTTPD users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/apache-2.4.54"
All Apache HTTPD tools users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=app-admin/apache-tools-2.4.54"
References
[ 1 ] CVE-2021-33193 https://nvd.nist.gov/vuln/detail/CVE-2021-33193 [ 2 ] CVE-2021-34798 https://nvd.nist.gov/vuln/detail/CVE-2021-34798 [ 3 ] CVE-2021-36160 https://nvd.nist.gov/vuln/detail/CVE-2021-36160 [ 4 ] CVE-2021-39275 https://nvd.nist.gov/vuln/detail/CVE-2021-39275 [ 5 ] CVE-2021-40438 https://nvd.nist.gov/vuln/detail/CVE-2021-40438 [ 6 ] CVE-2021-41524 https://nvd.nist.gov/vuln/detail/CVE-2021-41524 [ 7 ] CVE-2021-41773 https://nvd.nist.gov/vuln/detail/CVE-2021-41773 [ 8 ] CVE-2021-42013 https://nvd.nist.gov/vuln/detail/CVE-2021-42013 [ 9 ] CVE-2021-44224 https://nvd.nist.gov/vuln/detail/CVE-2021-44224 [ 10 ] CVE-2021-44790 https://nvd.nist.gov/vuln/detail/CVE-2021-44790 [ 11 ] CVE-2022-22719 https://nvd.nist.gov/vuln/detail/CVE-2022-22719 [ 12 ] CVE-2022-22720 https://nvd.nist.gov/vuln/detail/CVE-2022-22720 [ 13 ] CVE-2022-22721 https://nvd.nist.gov/vuln/detail/CVE-2022-22721 [ 14 ] CVE-2022-23943 https://nvd.nist.gov/vuln/detail/CVE-2022-23943 [ 15 ] CVE-2022-26377 https://nvd.nist.gov/vuln/detail/CVE-2022-26377 [ 16 ] CVE-2022-28614 https://nvd.nist.gov/vuln/detail/CVE-2022-28614 [ 17 ] CVE-2022-28615 https://nvd.nist.gov/vuln/detail/CVE-2022-28615 [ 18 ] CVE-2022-29404 https://nvd.nist.gov/vuln/detail/CVE-2022-29404 [ 19 ] CVE-2022-30522 https://nvd.nist.gov/vuln/detail/CVE-2022-30522 [ 20 ] CVE-2022-30556 https://nvd.nist.gov/vuln/detail/CVE-2022-30556 [ 21 ] CVE-2022-31813 https://nvd.nist.gov/vuln/detail/CVE-2022-31813
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202208-20
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2022 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5 . ========================================================================== Ubuntu Security Notice USN-5090-3 September 28, 2021
apache2 regression
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 21.04
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
USN-5090-1 introduced a regression in Apache HTTP Server. One of the upstream fixes introduced a regression in UDS URIs. This update fixes the problem.
Original advisory details:
James Kettle discovered that the Apache HTTP Server HTTP/2 module incorrectly handled certain crafted methods. A remote attacker could possibly use this issue to perform request splitting or cache poisoning attacks. A remote attacker could possibly use this issue to cause the server to crash, resulting in a denial of service. (CVE-2021-34798) Li Zhi Xin discovered that the Apache mod_proxy_uwsgi module incorrectly handled certain request uri-paths. A remote attacker could possibly use this issue to cause the server to crash, resulting in a denial of service. This issue only affected Ubuntu 20.04 LTS and Ubuntu 21.04. If the server was configured with third-party modules, a remote attacker could use this issue to cause the server to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2021-39275) It was discovered that the Apache mod_proxy module incorrectly handled certain request uri-paths. A remote attacker could possibly use this issue to cause the server to forward requests to arbitrary origin servers. (CVE-2021-40438)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 21.04: apache2 2.4.46-4ubuntu1.3 apache2-bin 2.4.46-4ubuntu1.3
Ubuntu 20.04 LTS: apache2 2.4.41-4ubuntu3.6 apache2-bin 2.4.41-4ubuntu3.6
Ubuntu 18.04 LTS: apache2 2.4.29-1ubuntu4.18 apache2-bin 2.4.29-1ubuntu4.18
In general, a standard system update will make all the necessary changes
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202109-1805",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "instantis enterprisetrack",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "17.2"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "34"
},
{
"model": "clustered data ontap",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "communications cloud native core network function cloud native environment",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "1.10.0"
},
{
"model": "storagegrid",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "http server",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.2.1.3.0"
},
{
"model": "sinema remote connect server",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "3.1"
},
{
"model": "http server",
"scope": "lte",
"trust": 1.0,
"vendor": "apache",
"version": "2.4.48"
},
{
"model": "peoplesoft enterprise peopletools",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.58"
},
{
"model": "ruggedcom nms",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "sinec nms",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "sinema server",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "14.0"
},
{
"model": "instantis enterprisetrack",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "17.3"
},
{
"model": "http server",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.2.1.4.0"
},
{
"model": "instantis enterprisetrack",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "17.1"
},
{
"model": "zfs storage appliance kit",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.8"
},
{
"model": "enterprise manager base platform",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "13.5.0.0"
},
{
"model": "enterprise manager base platform",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "13.4.0.0"
},
{
"model": "cloud backup",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "tenable.sc",
"scope": "lte",
"trust": 1.0,
"vendor": "tenable",
"version": "5.19.1"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "10.0"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "35"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "11.0"
},
{
"model": "brocade fabric operating system",
"scope": "eq",
"trust": 1.0,
"vendor": "broadcom",
"version": null
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "9.0"
},
{
"model": "fedora",
"scope": null,
"trust": 0.8,
"vendor": "fedora",
"version": null
},
{
"model": "http server",
"scope": null,
"trust": 0.8,
"vendor": "apache",
"version": null
},
{
"model": "http server",
"scope": "lte",
"trust": 0.6,
"vendor": "apache",
"version": "\u003c=2.4.48"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-03223"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-002671"
},
{
"db": "NVD",
"id": "CVE-2021-34798"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Siemens reported these vulnerabilities to CISA.",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202109-1109"
}
],
"trust": 0.6
},
"cve": "CVE-2021-34798",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "CVE-2021-34798",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.9,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "CNVD-2022-03223",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "VHN-395042",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:N/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"id": "CVE-2021-34798",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 7.5,
"baseSeverity": "High",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2021-34798",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2021-34798",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2021-34798",
"trust": 0.8,
"value": "High"
},
{
"author": "CNVD",
"id": "CNVD-2022-03223",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202109-1109",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-395042",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2021-34798",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-03223"
},
{
"db": "VULHUB",
"id": "VHN-395042"
},
{
"db": "VULMON",
"id": "CVE-2021-34798"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-002671"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1109"
},
{
"db": "NVD",
"id": "CVE-2021-34798"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier. The server is fast, reliable and extensible through a simple API. No detailed vulnerability details are currently provided. 7) - noarch, x86_64\n\n3. \n\nBug Fix(es):\n\n* proxy rewrite to unix socket fails with CVE-2021-40438 fix (BZ#2022319)\n\nAdditional changes:\n\n* To fix CVE-2022-29404, the default value for the \"LimitRequestBody\"\ndirective in the Apache HTTP Server has been changed from 0 (unlimited) to\n1 GiB. \n\nOn systems where the value of \"LimitRequestBody\" is not explicitly\nspecified in an httpd configuration file, updating the httpd package sets\n\"LimitRequestBody\" to the default value of 1 GiB. As a consequence, if the\ntotal size of the HTTP request body exceeds this 1 GiB default limit, httpd\nreturns the 413 Request Entity Too Large error code. \n\nIf the new default allowed size of an HTTP request message body is\ninsufficient for your use case, update your httpd configuration files\nwithin the respective context (server, per-directory, per-file, or\nper-location) and set your preferred limit in bytes. For example, to set a\nnew 2 GiB limit, use:\n\nLimitRequestBody 2147483648\n\nSystems already configured to use any explicit value for the\n\"LimitRequestBody\" directive are unaffected by this change. \n\nFor the oldstable distribution (buster), these problems have been fixed\nin version 2.4.38-3+deb10u6. \n\nFor the stable distribution (bullseye), these problems have been fixed in\nversion 2.4.51-1~deb11u1. \n\nWe recommend that you upgrade your apache2 packages. \n\nFor the detailed security status of apache2 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/apache2\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmFgr44ACgkQEMKTtsN8\nTjbophAAiZ+fhF2r8BUbQkL8BhpfqjA+hVsp9WEMTn8Gq6kiW0wLvK3jWPM301Ou\nD4gHqKmFPmYNC1KBOyk/lJdxyD7iTUweUyLi3WXzxhIDMx0kxkRw1oXlyCHzIqSJ\nM277bgk32h2cDCbsXjrN/8agKPcKgfwDqiyf/igfEq6V8OB2zVvJPKVFq45n54+q\n4FPXSyx1g2u5ewSeXbU2uHDej6Qborui4osDdbwx8CT6aETi0cIXJ8RbXF3PUCHG\n5DzZagnRq6GumPsl01jcPu7b9Ck8MlkxMSG3FRsSIJVkwpsQ2C34ywIJkFlzUZZh\njhdVUrfbyfLpSdcPcipAAjl9I6gDqa9SFdMRK7ixCpQ6iTiVeDZdJ8pA4jnSweNQ\nTHik07di9R0juX0p7peQiIyBKrEf7Y3WSvLOn0SBKXvZnzc/72rH2nP5FclsgCsV\nTWxptziGridC43KB8/tDJAAOXVF2lzylzF70V/UGTNo1jk9w3/p6btU1iuzKspyY\nY4aPZla3DImI8mezrgFrGYNg7bZYLKuJyGDADKih2sUQpzmDZ6MJxKAE3NLRWyQa\n7cCJdoNR9yVqytEw1Y/ZRXAXWfMb3Y1ts2EqR8hzLQgMYb0JC58cLMG3T0RgyPoO\nA4CTIoYpK1WnsykAE8M4XFrnOW3lrtse6T8N/dTVMuodElAEhc0=\n=/At6\n-----END PGP SIGNATURE-----\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Important: httpd security update\nAdvisory ID: RHSA-2022:0143-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://access.redhat.com/errata/RHSA-2022:0143\nIssue date: 2022-01-17\nCVE Names: CVE-2021-26691 CVE-2021-34798 CVE-2021-39275\n CVE-2021-44790\n====================================================================\n1. Summary:\n\nAn update for httpd is now available for Red Hat Enterprise Linux 7. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64\nRed Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64\nRed Hat Enterprise Linux Server (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64\nRed Hat Enterprise Linux Workstation Optional (v. 7) - x86_64\n\n3. \n\nSecurity Fix(es):\n\n* httpd: mod_lua: Possible buffer overflow when parsing multipart content\n(CVE-2021-44790)\n\n* httpd: mod_session: Heap overflow via a crafted SessionHeader value\n(CVE-2021-26691)\n\n* httpd: NULL pointer dereference via malformed requests (CVE-2021-34798)\n\n* httpd: Out-of-bounds write in ap_escape_quotes() via malicious input\n(CVE-2021-39275)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted\nautomatically. \n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1966732 - CVE-2021-26691 httpd: mod_session: Heap overflow via a crafted SessionHeader value\n2005119 - CVE-2021-39275 httpd: Out-of-bounds write in ap_escape_quotes() via malicious input\n2005128 - CVE-2021-34798 httpd: NULL pointer dereference via malformed requests\n2034674 - CVE-2021-44790 httpd: mod_lua: Possible buffer overflow when parsing multipart content\n\n6. Package List:\n\nRed Hat Enterprise Linux Client Optional (v. 7):\n\nSource:\nhttpd-2.4.6-97.el7_9.4.src.rpm\n\nnoarch:\nhttpd-manual-2.4.6-97.el7_9.4.noarch.rpm\n\nx86_64:\nhttpd-2.4.6-97.el7_9.4.x86_64.rpm\nhttpd-debuginfo-2.4.6-97.el7_9.4.x86_64.rpm\nhttpd-devel-2.4.6-97.el7_9.4.x86_64.rpm\nhttpd-tools-2.4.6-97.el7_9.4.x86_64.rpm\nmod_ldap-2.4.6-97.el7_9.4.x86_64.rpm\nmod_proxy_html-2.4.6-97.el7_9.4.x86_64.rpm\nmod_session-2.4.6-97.el7_9.4.x86_64.rpm\nmod_ssl-2.4.6-97.el7_9.4.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode Optional (v. 7):\n\nSource:\nhttpd-2.4.6-97.el7_9.4.src.rpm\n\nnoarch:\nhttpd-manual-2.4.6-97.el7_9.4.noarch.rpm\n\nx86_64:\nhttpd-2.4.6-97.el7_9.4.x86_64.rpm\nhttpd-debuginfo-2.4.6-97.el7_9.4.x86_64.rpm\nhttpd-devel-2.4.6-97.el7_9.4.x86_64.rpm\nhttpd-tools-2.4.6-97.el7_9.4.x86_64.rpm\nmod_ldap-2.4.6-97.el7_9.4.x86_64.rpm\nmod_proxy_html-2.4.6-97.el7_9.4.x86_64.rpm\nmod_session-2.4.6-97.el7_9.4.x86_64.rpm\nmod_ssl-2.4.6-97.el7_9.4.x86_64.rpm\n\nRed Hat Enterprise Linux Server (v. 7):\n\nSource:\nhttpd-2.4.6-97.el7_9.4.src.rpm\n\nnoarch:\nhttpd-manual-2.4.6-97.el7_9.4.noarch.rpm\n\nppc64:\nhttpd-2.4.6-97.el7_9.4.ppc64.rpm\nhttpd-debuginfo-2.4.6-97.el7_9.4.ppc64.rpm\nhttpd-devel-2.4.6-97.el7_9.4.ppc64.rpm\nhttpd-tools-2.4.6-97.el7_9.4.ppc64.rpm\nmod_session-2.4.6-97.el7_9.4.ppc64.rpm\nmod_ssl-2.4.6-97.el7_9.4.ppc64.rpm\n\nppc64le:\nhttpd-2.4.6-97.el7_9.4.ppc64le.rpm\nhttpd-debuginfo-2.4.6-97.el7_9.4.ppc64le.rpm\nhttpd-devel-2.4.6-97.el7_9.4.ppc64le.rpm\nhttpd-tools-2.4.6-97.el7_9.4.ppc64le.rpm\nmod_session-2.4.6-97.el7_9.4.ppc64le.rpm\nmod_ssl-2.4.6-97.el7_9.4.ppc64le.rpm\n\ns390x:\nhttpd-2.4.6-97.el7_9.4.s390x.rpm\nhttpd-debuginfo-2.4.6-97.el7_9.4.s390x.rpm\nhttpd-devel-2.4.6-97.el7_9.4.s390x.rpm\nhttpd-tools-2.4.6-97.el7_9.4.s390x.rpm\nmod_session-2.4.6-97.el7_9.4.s390x.rpm\nmod_ssl-2.4.6-97.el7_9.4.s390x.rpm\n\nx86_64:\nhttpd-2.4.6-97.el7_9.4.x86_64.rpm\nhttpd-debuginfo-2.4.6-97.el7_9.4.x86_64.rpm\nhttpd-devel-2.4.6-97.el7_9.4.x86_64.rpm\nhttpd-tools-2.4.6-97.el7_9.4.x86_64.rpm\nmod_session-2.4.6-97.el7_9.4.x86_64.rpm\nmod_ssl-2.4.6-97.el7_9.4.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 7):\n\nppc64:\nhttpd-debuginfo-2.4.6-97.el7_9.4.ppc64.rpm\nmod_ldap-2.4.6-97.el7_9.4.ppc64.rpm\nmod_proxy_html-2.4.6-97.el7_9.4.ppc64.rpm\n\nppc64le:\nhttpd-debuginfo-2.4.6-97.el7_9.4.ppc64le.rpm\nmod_ldap-2.4.6-97.el7_9.4.ppc64le.rpm\nmod_proxy_html-2.4.6-97.el7_9.4.ppc64le.rpm\n\ns390x:\nhttpd-debuginfo-2.4.6-97.el7_9.4.s390x.rpm\nmod_ldap-2.4.6-97.el7_9.4.s390x.rpm\nmod_proxy_html-2.4.6-97.el7_9.4.s390x.rpm\n\nx86_64:\nhttpd-debuginfo-2.4.6-97.el7_9.4.x86_64.rpm\nmod_ldap-2.4.6-97.el7_9.4.x86_64.rpm\nmod_proxy_html-2.4.6-97.el7_9.4.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation (v. 7):\n\nSource:\nhttpd-2.4.6-97.el7_9.4.src.rpm\n\nnoarch:\nhttpd-manual-2.4.6-97.el7_9.4.noarch.rpm\n\nx86_64:\nhttpd-2.4.6-97.el7_9.4.x86_64.rpm\nhttpd-debuginfo-2.4.6-97.el7_9.4.x86_64.rpm\nhttpd-devel-2.4.6-97.el7_9.4.x86_64.rpm\nhttpd-tools-2.4.6-97.el7_9.4.x86_64.rpm\nmod_session-2.4.6-97.el7_9.4.x86_64.rpm\nmod_ssl-2.4.6-97.el7_9.4.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 7):\n\nx86_64:\nhttpd-debuginfo-2.4.6-97.el7_9.4.x86_64.rpm\nmod_ldap-2.4.6-97.el7_9.4.x86_64.rpm\nmod_proxy_html-2.4.6-97.el7_9.4.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2021-26691\nhttps://access.redhat.com/security/cve/CVE-2021-34798\nhttps://access.redhat.com/security/cve/CVE-2021-39275\nhttps://access.redhat.com/security/cve/CVE-2021-44790\nhttps://access.redhat.com/security/updates/classification/#important\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2022 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBYeVdC9zjgjWX9erEAQgzNw/8CjsxUvDW64dwvpcYH/OWJhKqvD53sX+w\nivf4+hhCsEVLvrjD0eTNkbeza+dcZqoR5swL0IjAGXKJ/0q/oh4/yxq2ydgvEYsY\nrAjts0tnynoswBaFo6eaBlcNxQroGID0uqgXkUFt37m4eetACuOSVRcZ7/sNsqBS\niQF4l16vjNvKeOdKY8nSNe77Dt1/Lj41NoL6XbAZPuvaiLBqqGOY9xYfZSSmFHFq\nH4dB8cfMC4cWysFtnzffJ+dJdzcWNOxklwLlZe72JoAJYP59da2YuIoE2LsQRGPC\nOcc84zH/UZx4JWJhF7FEEALC/tizfFqu9qWr1OIDmSVTEAZ+6IZ/mDeF83+0Mrc4\nAiV3oiJi7Fx4XTDUL8fim+FORaSI2IR7LK1Zjau1qCN04ayyFXwJdK/fwgIWJHon\ngYhyUsAj7F7At9m8cCVRP5K4jjmr0qrmsF1M1B6xqMLWlYNcWu3obJS/FbiSdwQJ\n7jFdBagThGOzIle0eGk0iMZ+vRJSuaSMZ7GDA14o46KB+EkvYLe+wi6jBQXJeD6Q\nOueenu2JiMvB8+dJNYrn9uQY+8WHyCVV1HMMmVo9LajA1FJRXgMIQN5ZmDMoDW73\nqFV+VCOHtKPI2hC8ngZYy2RyEUhK4t3f7xmJgtoJ4/DuaGsRWL7xZPL7gLHxWnS4\n5VjPyLrWg5U=TyMo\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n. 8) - aarch64, noarch, ppc64le, s390x, x86_64\n\n3. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 202208-20\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: High\n Title: Apache HTTPD: Multiple Vulnerabilities\n Date: August 14, 2022\n Bugs: #813429, #816399, #816864, #829722, #835131, #850622\n ID: 202208-20\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n=======\nMultiple vulnerabilities have been discovered in Apache Webserver, the\nworst of which could result in remote code execution. Please\nreview the CVE identifiers referenced below for details. \n\nImpact\n=====\nPlease review the referenced CVE identifiers for details. \n\nWorkaround\n=========\nThere is no known workaround at this time. \n\nResolution\n=========\nAll Apache HTTPD users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=www-servers/apache-2.4.54\"\n\nAll Apache HTTPD tools users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=app-admin/apache-tools-2.4.54\"\n\nReferences\n=========\n[ 1 ] CVE-2021-33193\n https://nvd.nist.gov/vuln/detail/CVE-2021-33193\n[ 2 ] CVE-2021-34798\n https://nvd.nist.gov/vuln/detail/CVE-2021-34798\n[ 3 ] CVE-2021-36160\n https://nvd.nist.gov/vuln/detail/CVE-2021-36160\n[ 4 ] CVE-2021-39275\n https://nvd.nist.gov/vuln/detail/CVE-2021-39275\n[ 5 ] CVE-2021-40438\n https://nvd.nist.gov/vuln/detail/CVE-2021-40438\n[ 6 ] CVE-2021-41524\n https://nvd.nist.gov/vuln/detail/CVE-2021-41524\n[ 7 ] CVE-2021-41773\n https://nvd.nist.gov/vuln/detail/CVE-2021-41773\n[ 8 ] CVE-2021-42013\n https://nvd.nist.gov/vuln/detail/CVE-2021-42013\n[ 9 ] CVE-2021-44224\n https://nvd.nist.gov/vuln/detail/CVE-2021-44224\n[ 10 ] CVE-2021-44790\n https://nvd.nist.gov/vuln/detail/CVE-2021-44790\n[ 11 ] CVE-2022-22719\n https://nvd.nist.gov/vuln/detail/CVE-2022-22719\n[ 12 ] CVE-2022-22720\n https://nvd.nist.gov/vuln/detail/CVE-2022-22720\n[ 13 ] CVE-2022-22721\n https://nvd.nist.gov/vuln/detail/CVE-2022-22721\n[ 14 ] CVE-2022-23943\n https://nvd.nist.gov/vuln/detail/CVE-2022-23943\n[ 15 ] CVE-2022-26377\n https://nvd.nist.gov/vuln/detail/CVE-2022-26377\n[ 16 ] CVE-2022-28614\n https://nvd.nist.gov/vuln/detail/CVE-2022-28614\n[ 17 ] CVE-2022-28615\n https://nvd.nist.gov/vuln/detail/CVE-2022-28615\n[ 18 ] CVE-2022-29404\n https://nvd.nist.gov/vuln/detail/CVE-2022-29404\n[ 19 ] CVE-2022-30522\n https://nvd.nist.gov/vuln/detail/CVE-2022-30522\n[ 20 ] CVE-2022-30556\n https://nvd.nist.gov/vuln/detail/CVE-2022-30556\n[ 21 ] CVE-2022-31813\n https://nvd.nist.gov/vuln/detail/CVE-2022-31813\n\nAvailability\n===========\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/202208-20\n\nConcerns?\n========\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n======\nCopyright 2022 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n. ==========================================================================\nUbuntu Security Notice USN-5090-3\nSeptember 28, 2021\n\napache2 regression\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 21.04\n- Ubuntu 20.04 LTS\n- Ubuntu 18.04 LTS\n\nSummary:\n\nUSN-5090-1 introduced a regression in Apache HTTP Server. One of the upstream\nfixes introduced a regression in UDS URIs. This update fixes the problem. \n\nOriginal advisory details:\n\n James Kettle discovered that the Apache HTTP Server HTTP/2 module\n incorrectly handled certain crafted methods. A remote attacker could\n possibly use this issue to perform request splitting or cache poisoning\n attacks. A remote attacker could possibly use this issue to\n cause the server to crash, resulting in a denial of service. \n (CVE-2021-34798)\n Li Zhi Xin discovered that the Apache mod_proxy_uwsgi module incorrectly\n handled certain request uri-paths. A remote attacker could possibly use\n this issue to cause the server to crash, resulting in a denial of service. \n This issue only affected Ubuntu 20.04 LTS and Ubuntu 21.04. If the server was configured with third-party modules, a remote\n attacker could use this issue to cause the server to crash, resulting in a\n denial of service, or possibly execute arbitrary code. (CVE-2021-39275)\n It was discovered that the Apache mod_proxy module incorrectly handled\n certain request uri-paths. A remote attacker could possibly use this issue\n to cause the server to forward requests to arbitrary origin servers. \n (CVE-2021-40438)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 21.04:\n apache2 2.4.46-4ubuntu1.3\n apache2-bin 2.4.46-4ubuntu1.3\n\nUbuntu 20.04 LTS:\n apache2 2.4.41-4ubuntu3.6\n apache2-bin 2.4.41-4ubuntu3.6\n\nUbuntu 18.04 LTS:\n apache2 2.4.29-1ubuntu4.18\n apache2-bin 2.4.29-1ubuntu4.18\n\nIn general, a standard system update will make all the necessary changes",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-34798"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-002671"
},
{
"db": "CNVD",
"id": "CNVD-2022-03223"
},
{
"db": "VULHUB",
"id": "VHN-395042"
},
{
"db": "VULMON",
"id": "CVE-2021-34798"
},
{
"db": "PACKETSTORM",
"id": "168565"
},
{
"db": "PACKETSTORM",
"id": "169132"
},
{
"db": "PACKETSTORM",
"id": "165587"
},
{
"db": "PACKETSTORM",
"id": "166321"
},
{
"db": "PACKETSTORM",
"id": "168072"
},
{
"db": "PACKETSTORM",
"id": "164305"
},
{
"db": "PACKETSTORM",
"id": "164329"
},
{
"db": "PACKETSTORM",
"id": "164318"
}
],
"trust": 3.06
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-34798",
"trust": 4.0
},
{
"db": "TENABLE",
"id": "TNS-2021-17",
"trust": 1.8
},
{
"db": "MCAFEE",
"id": "SB10379",
"trust": 1.8
},
{
"db": "SIEMENS",
"id": "SSA-685781",
"trust": 1.8
},
{
"db": "PACKETSTORM",
"id": "165587",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "166321",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "168072",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "168565",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2021-002671",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2022-03223",
"trust": 0.7
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1109",
"trust": 0.7
},
{
"db": "ICS CERT",
"id": "ICSA-22-167-06",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "164329",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "164318",
"trust": 0.7
},
{
"db": "CS-HELP",
"id": "SB2022012040",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021101308",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022030119",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021092301",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022051316",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022031528",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022011749",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021091707",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021101513",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021101922",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021101005",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022060624",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021101101",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022042112",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021112902",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3229",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3405",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3341",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.4004.7",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3148",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3591",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.0850",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3482",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.2978",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.4004.5",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.4004.2",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.2352",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.0217",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3357",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3250",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.4004.3",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3387",
"trust": 0.6
},
{
"db": "ICS CERT",
"id": "ICSA-22-132-02",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-395042",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2021-34798",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "169132",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "164305",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-03223"
},
{
"db": "VULHUB",
"id": "VHN-395042"
},
{
"db": "VULMON",
"id": "CVE-2021-34798"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-002671"
},
{
"db": "PACKETSTORM",
"id": "168565"
},
{
"db": "PACKETSTORM",
"id": "169132"
},
{
"db": "PACKETSTORM",
"id": "165587"
},
{
"db": "PACKETSTORM",
"id": "166321"
},
{
"db": "PACKETSTORM",
"id": "168072"
},
{
"db": "PACKETSTORM",
"id": "164305"
},
{
"db": "PACKETSTORM",
"id": "164329"
},
{
"db": "PACKETSTORM",
"id": "164318"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1109"
},
{
"db": "NVD",
"id": "CVE-2021-34798"
}
]
},
"id": "VAR-202109-1805",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-03223"
},
{
"db": "VULHUB",
"id": "VHN-395042"
}
],
"trust": 1.3031922749999998
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-03223"
}
]
},
"last_update_date": "2024-11-29T22:33:38.638000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "FEDORA-2021-e3f6dd670d",
"trust": 0.8,
"url": "http://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"title": "Patch for Apache HTTP Server Code Issue Vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/313156"
},
{
"title": "Apache HTTP Server Fixes for code issue vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=171210"
},
{
"title": "Red Hat: Moderate: httpd:2.4 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20220891 - Security Advisory"
},
{
"title": "Red Hat: CVE-2021-34798",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=CVE-2021-34798"
},
{
"title": "Debian Security Advisories: DSA-4982-1 apache2 -- security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=93a29f7ecf9a6aaba79d3b3320aa4b85"
},
{
"title": "Arch Linux Issues: ",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues\u0026qid=CVE-2021-34798 log"
},
{
"title": "Red Hat: Moderate: httpd24-httpd security and bug fix update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20226753 - Security Advisory"
},
{
"title": "Tenable Security Advisories: [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.16.0 to 5.19.1: Patch 202110.1",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=tenable_security_advisories\u0026qid=TNS-2021-17"
},
{
"title": "Brocade Security Advisories: CVE-2021-34798. NULL pointer dereference in httpd core.",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=brocade_security_advisories\u0026qid=2142ed2ad0c6564b6dfdd2779d3117ce"
},
{
"title": "Brocade Security Advisories: Access Denied",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=brocade_security_advisories\u0026qid=3499da969fe529a2e6d5812690c8f102"
},
{
"title": "Amazon Linux AMI: ALAS-2021-1543",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2021-1543"
},
{
"title": "Amazon Linux 2: ALAS2-2021-1716",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=ALAS2-2021-1716"
},
{
"title": "Cisco: Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts\u0026qid=cisco-sa-apache-httpd-2.4.49-VWL69sWQ"
},
{
"title": "PROJET TUTEURE",
"trust": 0.1,
"url": "https://github.com/PierreChrd/py-projet-tut "
},
{
"title": "Tier 0\nTier 1\nTier 2",
"trust": 0.1,
"url": "https://github.com/Totes5706/TotesHTB "
},
{
"title": "Requirements\nvulnsearch-cve\nUsage\nvulnsearch\nUsage\nTest Sample",
"trust": 0.1,
"url": "https://github.com/kasem545/vulnsearch "
},
{
"title": "Skynet",
"trust": 0.1,
"url": "https://github.com/bioly230/THM_Skynet "
},
{
"title": "Shodan Search Script",
"trust": 0.1,
"url": "https://github.com/firatesatoglu/shodanSearch "
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-03223"
},
{
"db": "VULMON",
"id": "CVE-2021-34798"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-002671"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1109"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-476",
"trust": 1.1
},
{
"problemtype": "NULL Pointer dereference (CWE-476) [NVD Evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-395042"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-002671"
},
{
"db": "NVD",
"id": "CVE-2021-34798"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-34798"
},
{
"trust": 1.9,
"url": "https://security.gentoo.org/glsa/202208-20"
},
{
"trust": 1.8,
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdf"
},
{
"trust": 1.8,
"url": "https://security.netapp.com/advisory/ntap-20211008-0004/"
},
{
"trust": 1.8,
"url": "https://www.tenable.com/security/tns-2021-17"
},
{
"trust": 1.8,
"url": "https://www.debian.org/security/2021/dsa-4982"
},
{
"trust": 1.8,
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"trust": 1.8,
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"trust": 1.8,
"url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00001.html"
},
{
"trust": 1.7,
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=sb10379"
},
{
"trust": 1.2,
"url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-apache-httpd-2.4.49-vwl69swq"
},
{
"trust": 1.2,
"url": "http://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"trust": 1.2,
"url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-apache-"
},
{
"trust": 1.1,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/spbr6wuybjnachke65spl7tjohx7rhwd/"
},
{
"trust": 1.1,
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697%40%3cusers.httpd.apache.org%3e"
},
{
"trust": 1.1,
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029%40%3cusers.httpd.apache.org%3e"
},
{
"trust": 1.1,
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432%40%3cusers.httpd.apache.org%3e"
},
{
"trust": 1.1,
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c%40%3cusers.httpd.apache.org%3e"
},
{
"trust": 1.1,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/zncysr3bxt36fff4xtcpl3hdqk4vp45r/"
},
{
"trust": 1.0,
"url": "https://access.redhat.com/security/cve/cve-2021-34798"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-39275"
},
{
"trust": 0.7,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/spbr6wuybjnachke65spl7tjohx7rhwd/"
},
{
"trust": 0.7,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/zncysr3bxt36fff4xtcpl3hdqk4vp45r/"
},
{
"trust": 0.6,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-34798"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-36160"
},
{
"trust": 0.6,
"url": "httpd.apache.org/security/vulnerabilities_24.html"
},
{
"trust": 0.6,
"url": "http://"
},
{
"trust": 0.6,
"url": "httpd.apache.org%3e"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029@%3cusers."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697@%3cusers."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c@%3cusers."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432@%3cusers."
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022051316"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022030119"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022031528"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3229"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3405"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/165587/red-hat-security-advisory-2022-0143-03.html"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/166321/red-hat-security-advisory-2022-0891-01.html"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021112902"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022060624"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021101513"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3357"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.2352"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.0217"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3250"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3591"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/168072/gentoo-linux-security-advisory-202208-20.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4004.7"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/164318/ubuntu-security-notice-usn-5090-3.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.0850"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/support/pages/node/6520016"
},
{
"trust": 0.6,
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-22-167-06"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/168565/red-hat-security-advisory-2022-6753-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.2978"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4004.3"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4004.2"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4004.5"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022012040"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022011749"
},
{
"trust": 0.6,
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-22-132-02"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022042112"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021092301"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3387"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3341"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021101922"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/164329/ubuntu-security-notice-usn-5090-4.html"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021101308"
},
{
"trust": 0.6,
"url": "httpd-2.4.49-vwl69swq"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3148"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021091707"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021101101"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/apache-http-server-four-vulnerabilities-36444"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3482"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021101005"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-33193"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-40438"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2021-39275"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.3,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.3,
"url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.3,
"url": "https://ubuntu.com/security/notices/usn-5090-1"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/errata/rhsa-2022:0891"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22721"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-28614"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-29404"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-28615"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-30522"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-44224"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22719"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-30556"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-23943"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-26377"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-44790"
},
{
"trust": 0.1,
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026amp;id=sb10379"
},
{
"trust": 0.1,
"url": "https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029@%3cusers.httpd.apache.org%3e"
},
{
"trust": 0.1,
"url": "https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c@%3cusers.httpd.apache.org%3e"
},
{
"trust": 0.1,
"url": "https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697@%3cusers.httpd.apache.org%3e"
},
{
"trust": 0.1,
"url": "https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432@%3cusers.httpd.apache.org%3e"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/476.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-167-06"
},
{
"trust": 0.1,
"url": "https://github.com/totes5706/toteshtb"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/articles/6975397"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-30556"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-36160"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-22719"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-28614"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:6753"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-28615"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-31813"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-30522"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-44224"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-22721"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-29404"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33193"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-23943"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-26377"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/faq"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/"
},
{
"trust": 0.1,
"url": "https://security-tracker.debian.org/tracker/apache2"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-44790"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-26691"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-26691"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:0143"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-31813"
},
{
"trust": 0.1,
"url": "https://bugs.gentoo.org."
},
{
"trust": 0.1,
"url": "https://creativecommons.org/licenses/by-sa/2.5"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-41773"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-41524"
},
{
"trust": 0.1,
"url": "https://security.gentoo.org/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-42013"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22720"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/apache2/2.4.29-1ubuntu4.17"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.5"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/apache2/2.4.46-4ubuntu1.2"
},
{
"trust": 0.1,
"url": "https://launchpad.net/bugs/xxxxxx"
},
{
"trust": 0.1,
"url": "https://ubuntu.com/security/notices/usn-5090-4"
},
{
"trust": 0.1,
"url": "https://ubuntu.com/security/notices/usn-5090-3"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.6"
},
{
"trust": 0.1,
"url": "https://launchpad.net/bugs/1945311"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/apache2/2.4.29-1ubuntu4.18"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/apache2/2.4.46-4ubuntu1.3"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2022-03223"
},
{
"db": "VULHUB",
"id": "VHN-395042"
},
{
"db": "VULMON",
"id": "CVE-2021-34798"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-002671"
},
{
"db": "PACKETSTORM",
"id": "168565"
},
{
"db": "PACKETSTORM",
"id": "169132"
},
{
"db": "PACKETSTORM",
"id": "165587"
},
{
"db": "PACKETSTORM",
"id": "166321"
},
{
"db": "PACKETSTORM",
"id": "168072"
},
{
"db": "PACKETSTORM",
"id": "164305"
},
{
"db": "PACKETSTORM",
"id": "164329"
},
{
"db": "PACKETSTORM",
"id": "164318"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1109"
},
{
"db": "NVD",
"id": "CVE-2021-34798"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2022-03223"
},
{
"db": "VULHUB",
"id": "VHN-395042"
},
{
"db": "VULMON",
"id": "CVE-2021-34798"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-002671"
},
{
"db": "PACKETSTORM",
"id": "168565"
},
{
"db": "PACKETSTORM",
"id": "169132"
},
{
"db": "PACKETSTORM",
"id": "165587"
},
{
"db": "PACKETSTORM",
"id": "166321"
},
{
"db": "PACKETSTORM",
"id": "168072"
},
{
"db": "PACKETSTORM",
"id": "164305"
},
{
"db": "PACKETSTORM",
"id": "164329"
},
{
"db": "PACKETSTORM",
"id": "164318"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1109"
},
{
"db": "NVD",
"id": "CVE-2021-34798"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-01-12T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-03223"
},
{
"date": "2021-09-16T00:00:00",
"db": "VULHUB",
"id": "VHN-395042"
},
{
"date": "2021-09-16T00:00:00",
"db": "VULMON",
"id": "CVE-2021-34798"
},
{
"date": "2021-09-29T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-002671"
},
{
"date": "2022-09-30T14:51:18",
"db": "PACKETSTORM",
"id": "168565"
},
{
"date": "2021-10-28T19:12:00",
"db": "PACKETSTORM",
"id": "169132"
},
{
"date": "2022-01-17T16:53:40",
"db": "PACKETSTORM",
"id": "165587"
},
{
"date": "2022-03-15T15:50:26",
"db": "PACKETSTORM",
"id": "166321"
},
{
"date": "2022-08-15T16:02:48",
"db": "PACKETSTORM",
"id": "168072"
},
{
"date": "2021-09-28T15:06:35",
"db": "PACKETSTORM",
"id": "164305"
},
{
"date": "2021-09-29T14:50:01",
"db": "PACKETSTORM",
"id": "164329"
},
{
"date": "2021-09-28T15:23:06",
"db": "PACKETSTORM",
"id": "164318"
},
{
"date": "2021-09-16T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202109-1109"
},
{
"date": "2021-09-16T15:15:07.267000",
"db": "NVD",
"id": "CVE-2021-34798"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-01-13T00:00:00",
"db": "CNVD",
"id": "CNVD-2022-03223"
},
{
"date": "2022-10-28T00:00:00",
"db": "VULHUB",
"id": "VHN-395042"
},
{
"date": "2023-11-07T00:00:00",
"db": "VULMON",
"id": "CVE-2021-34798"
},
{
"date": "2021-09-29T06:16:00",
"db": "JVNDB",
"id": "JVNDB-2021-002671"
},
{
"date": "2023-02-22T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202109-1109"
},
{
"date": "2023-11-07T03:36:26.910000",
"db": "NVD",
"id": "CVE-2021-34798"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "168072"
},
{
"db": "PACKETSTORM",
"id": "164305"
},
{
"db": "PACKETSTORM",
"id": "164329"
},
{
"db": "PACKETSTORM",
"id": "164318"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-1109"
}
],
"trust": 1.0
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache\u00a0HTTP\u00a0Server\u00a0 In \u00a0NULL\u00a0 Pointer dereference vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-002671"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "code problem",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202109-1109"
}
],
"trust": 0.6
}
}
var-201801-0027
Vulnerability from variot
sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. OpenSSH is prone to multiple denial-of-service vulnerabilities. An attacker can leverage these issues to crash the affected application, denying service to legitimate users. Versions prior to OpenSSH 7.4 are vulnerable. ========================================================================== Ubuntu Security Notice USN-3809-2 August 12, 2021
openssh regression
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
Summary:
USN-3809-1 introduced a regression in OpenSSH.
Software Description: - openssh: secure shell (SSH) for secure access to remote machines
Details:
USN-3809-1 fixed vulnerabilities in OpenSSH. The update for CVE-2018-15473 was incomplete and could introduce a regression in certain environments. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Robert Swiecki discovered that OpenSSH incorrectly handled certain messages. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-10708) It was discovered that OpenSSH incorrectly handled certain requests. An attacker could possibly use this issue to access sensitive information. (CVE-2018-15473)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 18.04 LTS: openssh-server 1:7.6p1-4ubuntu0.5
In general, a standard system update will make all the necessary changes.
References: https://ubuntu.com/security/notices/USN-3809-2 https://ubuntu.com/security/notices/USN-3809-1 https://launchpad.net/bugs/1934501
Package Information: https://launchpad.net/ubuntu/+source/openssh/1:7.6p1-4ubuntu0.5
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201801-0027",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "openssh",
"scope": "lt",
"trust": 1.8,
"vendor": "openbsd",
"version": "7.4"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.6,
"vendor": "debian",
"version": "7.0"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "14.04"
},
{
"model": "vasa provider",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "data ontap",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "clustered data ontap",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "8.0"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "18.04"
},
{
"model": "data ontap edge",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "cloud backup",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "storagegrid webscale",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "storagegrid",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "service processor",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "oncommand unified manager",
"scope": "gte",
"trust": 1.0,
"vendor": "netapp",
"version": "9.4"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "16.04"
},
{
"model": "gnu/linux",
"scope": "eq",
"trust": 0.8,
"vendor": "debian",
"version": "7.0"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "4.2"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "4.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "4.1"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "4.0"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "4.0"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.9"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.8.1"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.8"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.7.2"
},
{
"model": "p2",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.7.1"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.7.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.7.1"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.7"
},
{
"model": ".1p2",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.7"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.7"
},
{
"model": "p2",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.6.1"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.6.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.6.1"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.5"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.5"
},
{
"model": "p1-7",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.4"
},
{
"model": "p1-6",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.4"
},
{
"model": "p1-5",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.4"
},
{
"model": "p1-4",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.4"
},
{
"model": "p1-3",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.4"
},
{
"model": "p1-2",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.4"
},
{
"model": "p1-1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.4"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.4"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.4"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.3"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.3"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.2.3"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.2.2"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.2"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.1"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.0.2"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.0.2"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.0.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.0.1"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.0"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "3.0"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "2.9.9"
},
{
"model": "p2",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "2.9"
},
{
"model": "p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "2.9"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "2.9"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "2.5.2"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "2.5.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "2.5"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "2.3"
},
{
"model": ".0p1",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "2.2"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "2.2"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "2.1.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "2.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "1.2.3"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "1.2.2"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "7.3"
},
{
"model": "7.2p2",
"scope": null,
"trust": 0.3,
"vendor": "openssh",
"version": null
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "7.2"
},
{
"model": "7.1p2",
"scope": null,
"trust": 0.3,
"vendor": "openssh",
"version": null
},
{
"model": "7.1p1",
"scope": null,
"trust": 0.3,
"vendor": "openssh",
"version": null
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "7.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "7.0"
},
{
"model": "6.9p1",
"scope": null,
"trust": 0.3,
"vendor": "openssh",
"version": null
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "6.9"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "6.8"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "6.7"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "6.6"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "6.5"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "6.4"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "6.3"
},
{
"model": "6.2p2",
"scope": null,
"trust": 0.3,
"vendor": "openssh",
"version": null
},
{
"model": "6.2p1",
"scope": null,
"trust": 0.3,
"vendor": "openssh",
"version": null
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "6.2"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "6.1"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "6.0"
},
{
"model": "p2",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "5.8"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "5.8"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "5.7"
},
{
"model": "5.6p1",
"scope": null,
"trust": 0.3,
"vendor": "openssh",
"version": null
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "5.6"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "5.5"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "5.4"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "5.3"
},
{
"model": "5.2p1",
"scope": null,
"trust": 0.3,
"vendor": "openssh",
"version": null
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "5.2"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "5.1"
},
{
"model": "5.0p1",
"scope": null,
"trust": 0.3,
"vendor": "openssh",
"version": null
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "5.0"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "4.9"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "4.8"
},
{
"model": "4.7p1",
"scope": null,
"trust": 0.3,
"vendor": "openssh",
"version": null
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "4.7"
},
{
"model": "4.6p1",
"scope": null,
"trust": 0.3,
"vendor": "openssh",
"version": null
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "4.6"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "4.5"
},
{
"model": "4.4.p1",
"scope": null,
"trust": 0.3,
"vendor": "openssh",
"version": null
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "4.4"
},
{
"model": "4.3p2",
"scope": null,
"trust": 0.3,
"vendor": "openssh",
"version": null
},
{
"model": "4.3p1",
"scope": null,
"trust": 0.3,
"vendor": "openssh",
"version": null
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "4.3.0"
},
{
"model": "4.2p1",
"scope": null,
"trust": 0.3,
"vendor": "openssh",
"version": null
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "1.127"
},
{
"model": "openssh",
"scope": "eq",
"trust": 0.3,
"vendor": "openssh",
"version": "1.126"
},
{
"model": "openssh",
"scope": "ne",
"trust": 0.3,
"vendor": "openssh",
"version": "7.4"
}
],
"sources": [
{
"db": "BID",
"id": "102780"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-008892"
},
{
"db": "CNNVD",
"id": "CNNVD-201801-812"
},
{
"db": "NVD",
"id": "CVE-2016-10708"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:debian:debian_linux",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:openbsd:openssh",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2016-008892"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The vendor reported this issue.",
"sources": [
{
"db": "BID",
"id": "102780"
}
],
"trust": 0.3
},
"cve": "CVE-2016-10708",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "CVE-2016-10708",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.9,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"id": "CVE-2016-10708",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.8,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2016-10708",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2016-10708",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-202104-975",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201801-812",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2016-10708",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2016-10708"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-008892"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "CNNVD",
"id": "CNNVD-201801-812"
},
{
"db": "NVD",
"id": "CVE-2016-10708"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "sshd in OpenSSH before 7.4 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence NEWKEYS message, as demonstrated by Honggfuzz, related to kex.c and packet.c. Pillow is a Python-based image processing library. \nThere is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. OpenSSH is prone to multiple denial-of-service vulnerabilities. \nAn attacker can leverage these issues to crash the affected application, denying service to legitimate users. \nVersions prior to OpenSSH 7.4 are vulnerable. ==========================================================================\nUbuntu Security Notice USN-3809-2\nAugust 12, 2021\n\nopenssh regression\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 18.04 LTS\n\nSummary:\n\nUSN-3809-1 introduced a regression in OpenSSH. \n\nSoftware Description:\n- openssh: secure shell (SSH) for secure access to remote machines\n\nDetails:\n\nUSN-3809-1 fixed vulnerabilities in OpenSSH. The update for CVE-2018-15473\nwas incomplete and could introduce a regression in certain environments. \nThis update fixes the problem. \n\nWe apologize for the inconvenience. \n\nOriginal advisory details:\n\n Robert Swiecki discovered that OpenSSH incorrectly handled certain messages. \n This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. \n (CVE-2016-10708)\n It was discovered that OpenSSH incorrectly handled certain requests. \n An attacker could possibly use this issue to access sensitive information. \n (CVE-2018-15473)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 18.04 LTS:\n openssh-server 1:7.6p1-4ubuntu0.5\n\nIn general, a standard system update will make all the necessary changes. \n\nReferences:\n https://ubuntu.com/security/notices/USN-3809-2\n https://ubuntu.com/security/notices/USN-3809-1\n https://launchpad.net/bugs/1934501\n\nPackage Information:\n https://launchpad.net/ubuntu/+source/openssh/1:7.6p1-4ubuntu0.5\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2016-10708"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-008892"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "BID",
"id": "102780"
},
{
"db": "VULMON",
"id": "CVE-2016-10708"
},
{
"db": "PACKETSTORM",
"id": "150190"
},
{
"db": "PACKETSTORM",
"id": "163809"
}
],
"trust": 2.7
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2016-10708",
"trust": 3.0
},
{
"db": "BID",
"id": "102780",
"trust": 1.9
},
{
"db": "SIEMENS",
"id": "SSA-676336",
"trust": 1.6
},
{
"db": "MCAFEE",
"id": "SB10284",
"trust": 1.6
},
{
"db": "JVNDB",
"id": "JVNDB-2016-008892",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "163809",
"trust": 0.7
},
{
"db": "CS-HELP",
"id": "SB2021041363",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.2750",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2019.4243",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021091616",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201801-812",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2016-10708",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "150190",
"trust": 0.1
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2016-10708"
},
{
"db": "BID",
"id": "102780"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-008892"
},
{
"db": "PACKETSTORM",
"id": "150190"
},
{
"db": "PACKETSTORM",
"id": "163809"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "CNNVD",
"id": "CNNVD-201801-812"
},
{
"db": "NVD",
"id": "CVE-2016-10708"
}
]
},
"id": "VAR-201801-0027",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.30555555
},
"last_update_date": "2024-11-23T20:05:43.817000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "[SECURITY] [DLA 1257-1] openssh security update",
"trust": 0.8,
"url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00031.html"
},
{
"title": "OpenSSH 7.4/7.4p1 (2016-12-19)",
"trust": 0.8,
"url": "https://www.openssh.com/releasenotes.html"
},
{
"title": "OpenSSH sshd Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=77982"
},
{
"title": "Ubuntu Security Notice: openssh vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-3809-1"
},
{
"title": "Red Hat: CVE-2016-10708",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=CVE-2016-10708"
},
{
"title": "Siemens Security Advisories: Siemens Security Advisory",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories\u0026qid=9b9cd7dc5027a97c903c1917360c57fd"
},
{
"title": "IBM: IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in OpenSSH",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=09467db835e132cd1a0a8012efa155dc"
},
{
"title": "Symantec Security Advisories: OpenSSH Vulnerabilities Jan-Aug 2018",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=symantec_security_advisories\u0026qid=eafec7859e071aa17b0b5511d3b3eb53"
},
{
"title": "nmap",
"trust": 0.1,
"url": "https://github.com/project7io/nmap "
},
{
"title": "nmap",
"trust": 0.1,
"url": "https://github.com/devairdarolt/nmap "
},
{
"title": "pigat",
"trust": 0.1,
"url": "https://github.com/teamssix/pigat "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2016-10708"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-008892"
},
{
"db": "CNNVD",
"id": "CNNVD-201801-812"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-476",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2016-008892"
},
{
"db": "NVD",
"id": "CVE-2016-10708"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.2,
"url": "http://www.securityfocus.com/bid/102780"
},
{
"trust": 1.9,
"url": "http://blog.swiecki.net/2018/01/fuzzing-tcp-servers.html"
},
{
"trust": 1.9,
"url": "https://anongit.mindrot.org/openssh.git/commit/?id=28652bca29046f62c7045e933e6b931de1d16737"
},
{
"trust": 1.9,
"url": "https://www.openssh.com/releasenotes.html"
},
{
"trust": 1.6,
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=sb10284"
},
{
"trust": 1.6,
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-676336.pdf"
},
{
"trust": 1.6,
"url": "https://security.netapp.com/advisory/ntap-20180423-0003/"
},
{
"trust": 1.6,
"url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00031.html"
},
{
"trust": 1.6,
"url": "https://usn.ubuntu.com/3809-1/"
},
{
"trust": 1.6,
"url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html"
},
{
"trust": 1.0,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-10708"
},
{
"trust": 1.0,
"url": "https://support.f5.com/csp/article/k32485746?utm_source=f5support\u0026amp%3butm_medium=rss"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-10708"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021041363"
},
{
"trust": 0.6,
"url": "https://support.f5.com/csp/article/k32485746?utm_source=f5support\u0026utm_medium=rss"
},
{
"trust": 0.6,
"url": "https://support.f5.com/csp/article/k32485746"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2019.4243/"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021091616"
},
{
"trust": 0.6,
"url": "http://www.ibm.com/support/docview.wss?uid=ibm10874464"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.2750"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/163809/ubuntu-security-notice-usn-3809-2.html"
},
{
"trust": 0.3,
"url": "http://www.openssh.com"
},
{
"trust": 0.3,
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1537929"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2016-10708"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-15473"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openssh/1:7.2p2-4ubuntu2.6"
},
{
"trust": 0.1,
"url": "https://usn.ubuntu.com/usn/usn-3809-1"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openssh/1:7.6p1-4ubuntu0.1"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openssh/1:6.6p1-2ubuntu2.11"
},
{
"trust": 0.1,
"url": "https://launchpad.net/bugs/1934501"
},
{
"trust": 0.1,
"url": "https://ubuntu.com/security/notices/usn-3809-2"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openssh/1:7.6p1-4ubuntu0.5"
},
{
"trust": 0.1,
"url": "https://ubuntu.com/security/notices/usn-3809-1"
}
],
"sources": [
{
"db": "BID",
"id": "102780"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-008892"
},
{
"db": "PACKETSTORM",
"id": "150190"
},
{
"db": "PACKETSTORM",
"id": "163809"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "CNNVD",
"id": "CNNVD-201801-812"
},
{
"db": "NVD",
"id": "CVE-2016-10708"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULMON",
"id": "CVE-2016-10708"
},
{
"db": "BID",
"id": "102780"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-008892"
},
{
"db": "PACKETSTORM",
"id": "150190"
},
{
"db": "PACKETSTORM",
"id": "163809"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "CNNVD",
"id": "CNNVD-201801-812"
},
{
"db": "NVD",
"id": "CVE-2016-10708"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-01-21T00:00:00",
"db": "VULMON",
"id": "CVE-2016-10708"
},
{
"date": "2018-01-21T00:00:00",
"db": "BID",
"id": "102780"
},
{
"date": "2018-02-23T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2016-008892"
},
{
"date": "2018-11-06T21:04:06",
"db": "PACKETSTORM",
"id": "150190"
},
{
"date": "2021-08-12T15:49:43",
"db": "PACKETSTORM",
"id": "163809"
},
{
"date": "2021-04-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"date": "2018-01-23T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201801-812"
},
{
"date": "2018-01-21T22:29:00.227000",
"db": "NVD",
"id": "CVE-2016-10708"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-09-14T00:00:00",
"db": "VULMON",
"id": "CVE-2016-10708"
},
{
"date": "2018-01-21T00:00:00",
"db": "BID",
"id": "102780"
},
{
"date": "2018-02-23T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2016-008892"
},
{
"date": "2021-04-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"date": "2021-09-17T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201801-812"
},
{
"date": "2024-11-21T02:44:33.607000",
"db": "NVD",
"id": "CVE-2016-10708"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201801-812"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "OpenSSH In NULL Pointer dereference vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2016-008892"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
}
],
"trust": 0.6
}
}
var-202004-1071
Vulnerability from variot
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). It exists that OpenJDK incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service while processing a specially crafted regular expression. (CVE-2020-2754, CVE-2020-2755). - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202006-22
https://security.gentoo.org/
Severity: Normal Title: OpenJDK, IcedTea: Multiple vulnerabilities Date: June 15, 2020 Bugs: #718720, #720690 ID: 202006-22
Synopsis
Multiple vulnerabilities have been found in OpenJDK and IcedTea, the worst of which could result in the arbitrary execution of code.
Background
OpenJDK is a free and open-source implementation of the Java Platform, Standard Edition.
IcedTea’s aim is to provide OpenJDK in a form suitable for easy configuration, compilation and distribution with the primary goal of allowing inclusion in GNU/Linux distributions.
Affected packages
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-java/openjdk-bin < 8.252_p09 >= 8.252_p09 2 dev-java/openjdk-jre-bin < 8.252_p09 >= 8.252_p09 3 dev-java/icedtea-bin < 3.16.0 >= 3.16.0 ------------------------------------------------------------------- 3 affected packages
Description
Multiple vulnerabilities have been discovered in OpenJDK and IcedTea. Please review the CVE identifiers referenced below for details.
Impact
Please review the referenced CVE identifiers for details.
Workaround
There is no known workaround at this time.
Resolution
All OpenJDK binary users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-java/openjdk-bin-8.252_p09"
All OpenJDK JRE binary users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot -v ">=dev-java/openjdk-jre-bin-8.252_p09"
All IcedTea binary users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-java/icedtea-bin-3.16.0"
References
[ 1 ] CVE-2020-2585 https://nvd.nist.gov/vuln/detail/CVE-2020-2585 [ 2 ] CVE-2020-2585 https://nvd.nist.gov/vuln/detail/CVE-2020-2585 [ 3 ] CVE-2020-2755 https://nvd.nist.gov/vuln/detail/CVE-2020-2755 [ 4 ] CVE-2020-2755 https://nvd.nist.gov/vuln/detail/CVE-2020-2755 [ 5 ] CVE-2020-2756 https://nvd.nist.gov/vuln/detail/CVE-2020-2756 [ 6 ] CVE-2020-2756 https://nvd.nist.gov/vuln/detail/CVE-2020-2756 [ 7 ] CVE-2020-2757 https://nvd.nist.gov/vuln/detail/CVE-2020-2757 [ 8 ] CVE-2020-2757 https://nvd.nist.gov/vuln/detail/CVE-2020-2757 [ 9 ] CVE-2020-2773 https://nvd.nist.gov/vuln/detail/CVE-2020-2773 [ 10 ] CVE-2020-2773 https://nvd.nist.gov/vuln/detail/CVE-2020-2773 [ 11 ] CVE-2020-2781 https://nvd.nist.gov/vuln/detail/CVE-2020-2781 [ 12 ] CVE-2020-2781 https://nvd.nist.gov/vuln/detail/CVE-2020-2781 [ 13 ] CVE-2020-2800 https://nvd.nist.gov/vuln/detail/CVE-2020-2800 [ 14 ] CVE-2020-2800 https://nvd.nist.gov/vuln/detail/CVE-2020-2800 [ 15 ] CVE-2020-2803 https://nvd.nist.gov/vuln/detail/CVE-2020-2803 [ 16 ] CVE-2020-2803 https://nvd.nist.gov/vuln/detail/CVE-2020-2803 [ 17 ] CVE-2020-2805 https://nvd.nist.gov/vuln/detail/CVE-2020-2805 [ 18 ] CVE-2020-2805 https://nvd.nist.gov/vuln/detail/CVE-2020-2805 [ 19 ] CVE-2020-2830 https://nvd.nist.gov/vuln/detail/CVE-2020-2830 [ 20 ] CVE-2020-2830 https://nvd.nist.gov/vuln/detail/CVE-2020-2830
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202006-22
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2020 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5 . 8.0) - aarch64, noarch, ppc64le, s390x, x86_64
- Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
Security Fix(es):
- operator-framework/presto: /etc/passwd was given incorrect privileges (CVE-2019-19352)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution:
For OpenShift Container Platform 4.4 see the following documentation, which will be updated shortly for release 4.4.3, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:
https://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-rel ease-notes.html
Details on how to access this content are available at https://docs.openshift.com/container-platform/4.4/updating/updating-cluster - -cli.html. Bugs fixed (https://bugzilla.redhat.com/):
1793281 - CVE-2019-19352 operator-framework/presto: /etc/passwd is given incorrect privileges
-
8) - aarch64, ppc64le, s390x, x86_64
-
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Important: java-1.7.1-ibm security update Advisory ID: RHSA-2020:2236-01 Product: Red Hat Enterprise Linux Supplementary Advisory URL: https://access.redhat.com/errata/RHSA-2020:2236 Issue date: 2020-05-20 CVE Names: CVE-2020-2654 CVE-2020-2756 CVE-2020-2757 CVE-2020-2781 CVE-2020-2800 CVE-2020-2803 CVE-2020-2805 CVE-2020-2830 ==================================================================== 1. Summary:
An update for java-1.7.1-ibm is now available for Red Hat Enterprise Linux 6 Supplementary.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
- Description:
IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.
Security Fix(es):
-
OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803)
-
OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805)
-
OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037) (CVE-2020-2654)
-
OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781)
-
OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800)
-
OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830)
-
OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)
-
OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
- Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
All running instances of IBM Java must be restarted for this update to take effect.
- Bugs fixed (https://bugzilla.redhat.com/):
1791217 - CVE-2020-2654 OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037) 1823215 - CVE-2020-2756 OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) 1823216 - CVE-2020-2757 OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) 1823527 - CVE-2020-2800 OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) 1823542 - CVE-2020-2830 OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) 1823694 - CVE-2020-2803 OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) 1823844 - CVE-2020-2805 OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) 1823960 - CVE-2020-2781 OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408)
- Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386: java-1.7.1-ibm-1.7.1.4.65-1jpp.1.el6_10.i686.rpm java-1.7.1-ibm-demo-1.7.1.4.65-1jpp.1.el6_10.i686.rpm java-1.7.1-ibm-devel-1.7.1.4.65-1jpp.1.el6_10.i686.rpm java-1.7.1-ibm-jdbc-1.7.1.4.65-1jpp.1.el6_10.i686.rpm java-1.7.1-ibm-plugin-1.7.1.4.65-1jpp.1.el6_10.i686.rpm java-1.7.1-ibm-src-1.7.1.4.65-1jpp.1.el6_10.i686.rpm
x86_64: java-1.7.1-ibm-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm java-1.7.1-ibm-demo-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm java-1.7.1-ibm-devel-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm java-1.7.1-ibm-jdbc-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm java-1.7.1-ibm-plugin-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm java-1.7.1-ibm-src-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm
Red Hat Enterprise Linux HPC Node Supplementary (v. 6):
x86_64: java-1.7.1-ibm-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm java-1.7.1-ibm-demo-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm java-1.7.1-ibm-devel-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm java-1.7.1-ibm-src-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386: java-1.7.1-ibm-1.7.1.4.65-1jpp.1.el6_10.i686.rpm java-1.7.1-ibm-demo-1.7.1.4.65-1jpp.1.el6_10.i686.rpm java-1.7.1-ibm-devel-1.7.1.4.65-1jpp.1.el6_10.i686.rpm java-1.7.1-ibm-jdbc-1.7.1.4.65-1jpp.1.el6_10.i686.rpm java-1.7.1-ibm-plugin-1.7.1.4.65-1jpp.1.el6_10.i686.rpm java-1.7.1-ibm-src-1.7.1.4.65-1jpp.1.el6_10.i686.rpm
ppc64: java-1.7.1-ibm-1.7.1.4.65-1jpp.1.el6_10.ppc64.rpm java-1.7.1-ibm-demo-1.7.1.4.65-1jpp.1.el6_10.ppc64.rpm java-1.7.1-ibm-devel-1.7.1.4.65-1jpp.1.el6_10.ppc64.rpm java-1.7.1-ibm-jdbc-1.7.1.4.65-1jpp.1.el6_10.ppc64.rpm java-1.7.1-ibm-src-1.7.1.4.65-1jpp.1.el6_10.ppc64.rpm
s390x: java-1.7.1-ibm-1.7.1.4.65-1jpp.1.el6_10.s390x.rpm java-1.7.1-ibm-demo-1.7.1.4.65-1jpp.1.el6_10.s390x.rpm java-1.7.1-ibm-devel-1.7.1.4.65-1jpp.1.el6_10.s390x.rpm java-1.7.1-ibm-jdbc-1.7.1.4.65-1jpp.1.el6_10.s390x.rpm java-1.7.1-ibm-src-1.7.1.4.65-1jpp.1.el6_10.s390x.rpm
x86_64: java-1.7.1-ibm-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm java-1.7.1-ibm-demo-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm java-1.7.1-ibm-devel-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm java-1.7.1-ibm-jdbc-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm java-1.7.1-ibm-plugin-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm java-1.7.1-ibm-src-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386: java-1.7.1-ibm-1.7.1.4.65-1jpp.1.el6_10.i686.rpm java-1.7.1-ibm-demo-1.7.1.4.65-1jpp.1.el6_10.i686.rpm java-1.7.1-ibm-devel-1.7.1.4.65-1jpp.1.el6_10.i686.rpm java-1.7.1-ibm-jdbc-1.7.1.4.65-1jpp.1.el6_10.i686.rpm java-1.7.1-ibm-plugin-1.7.1.4.65-1jpp.1.el6_10.i686.rpm java-1.7.1-ibm-src-1.7.1.4.65-1jpp.1.el6_10.i686.rpm
x86_64: java-1.7.1-ibm-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm java-1.7.1-ibm-demo-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm java-1.7.1-ibm-devel-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm java-1.7.1-ibm-jdbc-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm java-1.7.1-ibm-plugin-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm java-1.7.1-ibm-src-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2020-2654 https://access.redhat.com/security/cve/CVE-2020-2756 https://access.redhat.com/security/cve/CVE-2020-2757 https://access.redhat.com/security/cve/CVE-2020-2781 https://access.redhat.com/security/cve/CVE-2020-2800 https://access.redhat.com/security/cve/CVE-2020-2803 https://access.redhat.com/security/cve/CVE-2020-2805 https://access.redhat.com/security/cve/CVE-2020-2830 https://access.redhat.com/security/updates/classification/#important
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBXsU9v9zjgjWX9erEAQg8Zw/+Lg7FSdhMbVk/Qy2+8RgdcPuiPfqGcUQg nT6B1XuNPo8ZHONWC+2GEsV+8SJNp8vHeZmZWn5robPd/TsB25LGCk6Kx4TQPPd8 MsGvVphXZkuIi+44R6Xj8m8CzAQLgPGrBS6fonl0fe8W/9/7ULEG327qT0Piphpy s9tlQWx3PAbtw7CnFBpOlTibadg0iyqif3egEhkUFkMYxTGBNn43GvKQAX3nfgNx FSiy8ZeAXB3u289gMmgXjJdcIxPF5KQlEsaCEU/5LB1I5YcJkleKY0YXUOaYaZ5z /AkKPho/WWogwWZBtBlAb3hWOft+grko+0QsDhSGLhr5c1YPq1PTYgmCzY54imnQ O+KBpgX61aIY9Yil+iy0uGVhC8tpIwFx4k02SlzgocNwOZu+bwGkbm34n0NIxZBL WapU4IbIiforzd8IFoMVst8gPe6hF+fI4OW20aUVfImOAarpr7QuirXWuDd0xZRv bG/SNAAFdkDVzXVwfxDVu5KyELShTJOagRvf3sZ/e22Sy3h8VuhEBV3l2UvnLpDB cXkD39sy6DAahaWBveCWLfBRCCiuOn/03g9lE2oTsTQPP8YCsv23wdTEMMXXXMhW OO6kEvVZVDtY7KL0u4KQ2f41k70O2ybLl4gLxwTmvk5VCx2xtk7Qb1gOsVPZNMA6 QF084+zkRgg=n3I2 -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
Debian Security Advisory DSA-4668-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff April 28, 2020 https://www.debian.org/security/faq
Package : openjdk-8 CVE ID : CVE-2020-2754 CVE-2020-2755 CVE-2020-2756 CVE-2020-2757 CVE-2020-2773 CVE-2020-2781 CVE-2020-2800 CVE-2020-2803 CVE-2020-2805
Several vulnerabilities have been discovered in the OpenJDK Java runtime, resulting in denial of service, insecure TLS handshakes, bypass of sandbox restrictions or HTTP response splitting attacks.
For the oldstable distribution (stretch), these problems have been fixed in version 8u252-b09-1~deb9u1.
We recommend that you upgrade your openjdk-8 packages.
For the detailed security status of openjdk-8 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openjdk-8
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl6ohOAACgkQEMKTtsN8 TjauDg//dewg6ej1yoHtsiqw0vxozLnwHv+6PhzFlI2x25u7W2oBc6bRM+ZefFzm Ph/AcWtCrtjGbPmukaFrSYXEKqmymcXS0otYH7v3FuvSDgPWou2jrZ0TuIt1ohfB 6jszJQgfLFdQf7Ubfv1L/+fFN5rMyOVepBSbk1cI9pJWntTUprbtA5V+z1vTP9cl 2NHGGlqAwxWHIjR/s2gKv2zoRAd46GEeEIq5e7P6xgbr/4R00JWmq/frp2wK40RT 8rc/pcSvHq5isbJAUYuf0af5+77NZMnrQZyrLRFzpTprY1DkR7bTtFIETZJwBk2F qQqfo1f/hiqwdB90UXHlscVA7YxyRojJkQ57/QM0dkGTKZCxL/JyBi5B+262Qa8k 2sgleNcPyGJjUZHNJt9C0D2TF8zBXjdqMewbu1h9jt8t7PCcgBq0EDnQdClDzESG aTzMsM4w3ssYX41vmq3O6j90HwdFTs0lDCd1HfKK2WXgCm8IoFKdiW0ofRQdXihb dFizoH8yxrW9Pk9AjQoj4goaRqElEyk9hs2Sqh1HQFtHoKujxiIuoM+XQop8/9xY g45bWIR/jzV9AcPOUkMtGean90/qfSXAqgusXJ0mCSSP4wbvYXi04qtMmeurQFeX 8JgNWPEehjQUzQqxLVQ4FNikIe3VG1UKwc6rPPHdwPXw4YqHJ2k= =Xj/N -----END PGP SIGNATURE-----
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202004-1071",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "jdk",
"scope": "eq",
"trust": 1.8,
"vendor": "oracle",
"version": "11.0.6"
},
{
"model": "jre",
"scope": "eq",
"trust": 1.8,
"vendor": "oracle",
"version": "11.0.6"
},
{
"model": "threat intelligence exchange server",
"scope": "eq",
"trust": 1.0,
"vendor": "mcafee",
"version": "2.0.0"
},
{
"model": "active iq unified manager",
"scope": "gte",
"trust": 1.0,
"vendor": "netapp",
"version": "7.3"
},
{
"model": "steelstore cloud integrated storage",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "e-series santricity os controller",
"scope": "lte",
"trust": 1.0,
"vendor": "netapp",
"version": "11.70.2"
},
{
"model": "openjdk",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8"
},
{
"model": "snapmanager",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "8.0"
},
{
"model": "leap",
"scope": "eq",
"trust": 1.0,
"vendor": "opensuse",
"version": "15.2"
},
{
"model": "storagegrid",
"scope": "lte",
"trust": 1.0,
"vendor": "netapp",
"version": "9.0.4"
},
{
"model": "jdk",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "14.0.0"
},
{
"model": "oncommand workflow automation",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "storagegrid",
"scope": "gte",
"trust": 1.0,
"vendor": "netapp",
"version": "9.0.0"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "10.0"
},
{
"model": "jdk",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "1.8.0"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "9.0"
},
{
"model": "threat intelligence exchange server",
"scope": "eq",
"trust": 1.0,
"vendor": "mcafee",
"version": "2.1.1"
},
{
"model": "oncommand insight",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "30"
},
{
"model": "openjdk",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "13.0.2"
},
{
"model": "jdk",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "1.7.0"
},
{
"model": "jre",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "14.0.0"
},
{
"model": "openjdk",
"scope": "gte",
"trust": 1.0,
"vendor": "oracle",
"version": "13"
},
{
"model": "threat intelligence exchange server",
"scope": "eq",
"trust": 1.0,
"vendor": "mcafee",
"version": "2.3.1"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "31"
},
{
"model": "7-mode transition tool",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "jre",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "1.8.0"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "18.04"
},
{
"model": "threat intelligence exchange server",
"scope": "eq",
"trust": 1.0,
"vendor": "mcafee",
"version": "2.0.1"
},
{
"model": "e-series performance analyzer",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "jre",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "1.7.0"
},
{
"model": "threat intelligence exchange server",
"scope": "eq",
"trust": 1.0,
"vendor": "mcafee",
"version": "2.2.0"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "19.10"
},
{
"model": "active iq unified manager",
"scope": "gte",
"trust": 1.0,
"vendor": "netapp",
"version": "9.5"
},
{
"model": "e-series santricity web services",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "santricity unified manager",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "16.04"
},
{
"model": "threat intelligence exchange server",
"scope": "eq",
"trust": 1.0,
"vendor": "mcafee",
"version": "2.1.0"
},
{
"model": "cloud secure agent",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "openjdk",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "7"
},
{
"model": "threat intelligence exchange server",
"scope": "eq",
"trust": 1.0,
"vendor": "mcafee",
"version": "3.0.0"
},
{
"model": "leap",
"scope": "eq",
"trust": 1.0,
"vendor": "opensuse",
"version": "15.1"
},
{
"model": "threat intelligence exchange server",
"scope": "eq",
"trust": 1.0,
"vendor": "mcafee",
"version": "2.3.0"
},
{
"model": "openjdk",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "11.0.6"
},
{
"model": "cloud backup",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "storagegrid",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "e-series santricity os controller",
"scope": "gte",
"trust": 1.0,
"vendor": "netapp",
"version": "11.0.0"
},
{
"model": "openjdk",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "14"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "32"
},
{
"model": "openjdk",
"scope": "gte",
"trust": 1.0,
"vendor": "oracle",
"version": "11"
},
{
"model": "active iq unified manager",
"scope": null,
"trust": 0.8,
"vendor": "netapp",
"version": null
},
{
"model": "e-series santricity os controller",
"scope": null,
"trust": 0.8,
"vendor": "netapp",
"version": null
},
{
"model": "storagegrid webscale",
"scope": null,
"trust": 0.8,
"vendor": "netapp",
"version": null
},
{
"model": "snapmanager",
"scope": null,
"trust": 0.8,
"vendor": "netapp",
"version": null
},
{
"model": "jdk",
"scope": "eq",
"trust": 0.8,
"vendor": "oracle",
"version": "14"
},
{
"model": "jdk",
"scope": "eq",
"trust": 0.8,
"vendor": "oracle",
"version": "7 update 251"
},
{
"model": "jdk",
"scope": "eq",
"trust": 0.8,
"vendor": "oracle",
"version": "8 update 241"
},
{
"model": "jre",
"scope": "eq",
"trust": 0.8,
"vendor": "oracle",
"version": "14"
},
{
"model": "jre",
"scope": "eq",
"trust": 0.8,
"vendor": "oracle",
"version": "7 update 251"
},
{
"model": "jre",
"scope": "eq",
"trust": 0.8,
"vendor": "oracle",
"version": "8 update 241"
},
{
"model": "java se",
"scope": "eq",
"trust": 0.8,
"vendor": "oracle",
"version": "embedded 8 update 241"
},
{
"model": "application server",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "application server",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "for developers"
},
{
"model": "automation director",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "compute systems manager",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "configuration manager",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "device manager",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "dynamic link manager",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "global link manager",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "infrastructure analytics advisor",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "\u6d77\u5916\u8ca9\u58f2\u306e\u307f)"
},
{
"model": "ops center analyzer",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "(\u6d77\u5916\u8ca9\u58f2\u306e\u307f)"
},
{
"model": "ops center analyzer viewpoint",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "(\u6d77\u5916\u8ca9\u58f2\u306e\u307f)"
},
{
"model": "ops center api configuration manager",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "ops center automator",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "ops center common services",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "(\u6d77\u5916\u8ca9\u58f2\u306e\u307f)"
},
{
"model": "replication manager",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "tiered storage manager",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "tuning manager",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "ucosminexus application server",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "ucosminexus application server",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "(64)"
},
{
"model": "ucosminexus client",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "ucosminexus developer",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "ucosminexus service architect",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "ucosminexus service platform",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "ucosminexus service platform",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "(64)"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-004278"
},
{
"db": "NVD",
"id": "CVE-2020-2781"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:oracle:jdk:14.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:jre:14.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:jdk:11.0.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:jre:11.0.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:jdk:1.8.0:update241:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:jdk:1.7.0:update251:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:jre:1.8.0:update241:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:jre:1.7.0:update251:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:-:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update102:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update112:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update152:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update162:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update172:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update192:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update20:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update202:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update212:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update40:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update60:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update66:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update72:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update92:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update241:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update80:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update85:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:-:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update241:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update65:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update71:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update73:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update74:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update77:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update91:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update101:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update111:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update121:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update131:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update141:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update151:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update161:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update171:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update181:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update191:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update201:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update211:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update45:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update51:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update25:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update31:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update5:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update11:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update221:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update231:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "11.0.6",
"versionStartIncluding": "11",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update251:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update231:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update221:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update211:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update201:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update191:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update181:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update171:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update161:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update151:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update141:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update131:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update121:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update111:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update101:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update99:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update97:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update95:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update91:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update76:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update72:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update67:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update65:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update60:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update55:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update10:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update11:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update13:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update15:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update17:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update21:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update25:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update40:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update45:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update5:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update51:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update6:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update7:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update9:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "13.0.2",
"versionStartIncluding": "13",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:mcafee:threat_intelligence_exchange_server:3.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mcafee:threat_intelligence_exchange_server:2.3.1:-:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mcafee:threat_intelligence_exchange_server:2.3.1:hotfix1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mcafee:threat_intelligence_exchange_server:2.3.1:hotfix2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mcafee:threat_intelligence_exchange_server:2.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mcafee:threat_intelligence_exchange_server:2.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mcafee:threat_intelligence_exchange_server:2.1.0:-:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mcafee:threat_intelligence_exchange_server:2.1.0:hotfix1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mcafee:threat_intelligence_exchange_server:2.1.0:hotfix2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mcafee:threat_intelligence_exchange_server:2.1.0:hotfix3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mcafee:threat_intelligence_exchange_server:2.1.1:-:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mcafee:threat_intelligence_exchange_server:2.1.1:hotfix1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mcafee:threat_intelligence_exchange_server:2.1.1:hotfix2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mcafee:threat_intelligence_exchange_server:2.1.1:hotfix3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mcafee:threat_intelligence_exchange_server:2.2.0:-:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mcafee:threat_intelligence_exchange_server:2.2.0:hotfix1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mcafee:threat_intelligence_exchange_server:2.3.0:-:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mcafee:threat_intelligence_exchange_server:2.3.0:hotfix1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:storagegrid:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:storagegrid:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "9.0.4",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:*",
"cpe_name": [],
"versionStartIncluding": "7.3",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vsphere:*:*",
"cpe_name": [],
"versionStartIncluding": "9.5",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:7-mode_transition_tool:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "11.70.2",
"versionStartIncluding": "11.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:e-series_santricity_web_services:-:*:*:*:*:web_services_proxy:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:santricity_unified_manager:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:snapmanager:-:-:*:*:*:oracle:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2020-2781"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Gentoo",
"sources": [
{
"db": "PACKETSTORM",
"id": "158101"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-843"
}
],
"trust": 0.7
},
"cve": "CVE-2020-2781",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "CVE-2020-2781",
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.1,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 5.0,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2020-004278",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"id": "CVE-2020-2781",
"impactScore": 1.4,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "Low",
"baseScore": 5.3,
"baseSeverity": "Medium",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2020-004278",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2020-2781",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "JVNDB-2020-004278",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNNVD",
"id": "CNNVD-202004-843",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2020-2781",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2020-2781"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004278"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-843"
},
{
"db": "NVD",
"id": "CVE-2020-2781"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). It exists that OpenJDK incorrectly handled certain regular\nexpressions. An attacker could possibly use this issue to cause a denial of\nservice while processing a specially crafted regular expression. \n(CVE-2020-2754, CVE-2020-2755). - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 202006-22\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Normal\n Title: OpenJDK, IcedTea: Multiple vulnerabilities\n Date: June 15, 2020\n Bugs: #718720, #720690\n ID: 202006-22\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities have been found in OpenJDK and IcedTea, the\nworst of which could result in the arbitrary execution of code. \n\nBackground\n==========\n\nOpenJDK is a free and open-source implementation of the Java Platform,\nStandard Edition. \n\nIcedTea\u2019s aim is to provide OpenJDK in a form suitable for easy\nconfiguration, compilation and distribution with the primary goal of\nallowing inclusion in GNU/Linux distributions. \n\nAffected packages\n=================\n\n -------------------------------------------------------------------\n Package / Vulnerable / Unaffected\n -------------------------------------------------------------------\n 1 dev-java/openjdk-bin \u003c 8.252_p09 \u003e= 8.252_p09 \n 2 dev-java/openjdk-jre-bin\n \u003c 8.252_p09 \u003e= 8.252_p09 \n 3 dev-java/icedtea-bin \u003c 3.16.0 \u003e= 3.16.0 \n -------------------------------------------------------------------\n 3 affected packages\n\nDescription\n===========\n\nMultiple vulnerabilities have been discovered in OpenJDK and IcedTea. \nPlease review the CVE identifiers referenced below for details. \n\nImpact\n======\n\nPlease review the referenced CVE identifiers for details. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll OpenJDK binary users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=dev-java/openjdk-bin-8.252_p09\"\n\nAll OpenJDK JRE binary users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot -v \"\u003e=dev-java/openjdk-jre-bin-8.252_p09\"\n\nAll IcedTea binary users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=dev-java/icedtea-bin-3.16.0\"\n\nReferences\n==========\n\n[ 1 ] CVE-2020-2585\n https://nvd.nist.gov/vuln/detail/CVE-2020-2585\n[ 2 ] CVE-2020-2585\n https://nvd.nist.gov/vuln/detail/CVE-2020-2585\n[ 3 ] CVE-2020-2755\n https://nvd.nist.gov/vuln/detail/CVE-2020-2755\n[ 4 ] CVE-2020-2755\n https://nvd.nist.gov/vuln/detail/CVE-2020-2755\n[ 5 ] CVE-2020-2756\n https://nvd.nist.gov/vuln/detail/CVE-2020-2756\n[ 6 ] CVE-2020-2756\n https://nvd.nist.gov/vuln/detail/CVE-2020-2756\n[ 7 ] CVE-2020-2757\n https://nvd.nist.gov/vuln/detail/CVE-2020-2757\n[ 8 ] CVE-2020-2757\n https://nvd.nist.gov/vuln/detail/CVE-2020-2757\n[ 9 ] CVE-2020-2773\n https://nvd.nist.gov/vuln/detail/CVE-2020-2773\n[ 10 ] CVE-2020-2773\n https://nvd.nist.gov/vuln/detail/CVE-2020-2773\n[ 11 ] CVE-2020-2781\n https://nvd.nist.gov/vuln/detail/CVE-2020-2781\n[ 12 ] CVE-2020-2781\n https://nvd.nist.gov/vuln/detail/CVE-2020-2781\n[ 13 ] CVE-2020-2800\n https://nvd.nist.gov/vuln/detail/CVE-2020-2800\n[ 14 ] CVE-2020-2800\n https://nvd.nist.gov/vuln/detail/CVE-2020-2800\n[ 15 ] CVE-2020-2803\n https://nvd.nist.gov/vuln/detail/CVE-2020-2803\n[ 16 ] CVE-2020-2803\n https://nvd.nist.gov/vuln/detail/CVE-2020-2803\n[ 17 ] CVE-2020-2805\n https://nvd.nist.gov/vuln/detail/CVE-2020-2805\n[ 18 ] CVE-2020-2805\n https://nvd.nist.gov/vuln/detail/CVE-2020-2805\n[ 19 ] CVE-2020-2830\n https://nvd.nist.gov/vuln/detail/CVE-2020-2830\n[ 20 ] CVE-2020-2830\n https://nvd.nist.gov/vuln/detail/CVE-2020-2830\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/202006-22\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2020 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n. 8.0) - aarch64, noarch, ppc64le, s390x, x86_64\n\n3. Description:\n\nRed Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments. \n\nSecurity Fix(es):\n\n* operator-framework/presto: /etc/passwd was given incorrect privileges\n(CVE-2019-19352)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. Solution:\n\nFor OpenShift Container Platform 4.4 see the following documentation, which\nwill be updated shortly for release 4.4.3, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-rel\nease-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.4/updating/updating-cluster\n- -cli.html. Bugs fixed (https://bugzilla.redhat.com/):\n\n1793281 - CVE-2019-19352 operator-framework/presto: /etc/passwd is given incorrect privileges\n\n5. 8) - aarch64, ppc64le, s390x, x86_64\n\n3. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Important: java-1.7.1-ibm security update\nAdvisory ID: RHSA-2020:2236-01\nProduct: Red Hat Enterprise Linux Supplementary\nAdvisory URL: https://access.redhat.com/errata/RHSA-2020:2236\nIssue date: 2020-05-20\nCVE Names: CVE-2020-2654 CVE-2020-2756 CVE-2020-2757\n CVE-2020-2781 CVE-2020-2800 CVE-2020-2803\n CVE-2020-2805 CVE-2020-2830\n====================================================================\n1. Summary:\n\nAn update for java-1.7.1-ibm is now available for Red Hat Enterprise Linux\n6 Supplementary. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64\nRed Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64\nRed Hat Enterprise Linux Server Supplementary (v. 6) - i386, ppc64, s390x, x86_64\nRed Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64\n\n3. Description:\n\nIBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment\nand the IBM Java Software Development Kit. \n\nSecurity Fix(es):\n\n* OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841)\n(CVE-2020-2803)\n\n* OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries,\n8235274) (CVE-2020-2805)\n\n* OpenJDK: Excessive memory usage in OID processing in X.509 certificate\nparsing (Libraries, 8234037) (CVE-2020-2654)\n\n* OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408)\n(CVE-2020-2781)\n\n* OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP\nServer, 8234825) (CVE-2020-2800)\n\n* OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201)\n(CVE-2020-2830)\n\n* OpenJDK: Incorrect handling of references to uninitialized class\ndescriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)\n\n* OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass\n(Serialization, 8224549) (CVE-2020-2757)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAll running instances of IBM Java must be restarted for this update to take\neffect. \n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1791217 - CVE-2020-2654 OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037)\n1823215 - CVE-2020-2756 OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541)\n1823216 - CVE-2020-2757 OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549)\n1823527 - CVE-2020-2800 OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825)\n1823542 - CVE-2020-2830 OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201)\n1823694 - CVE-2020-2803 OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841)\n1823844 - CVE-2020-2805 OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274)\n1823960 - CVE-2020-2781 OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408)\n\n6. Package List:\n\nRed Hat Enterprise Linux Desktop Supplementary (v. 6):\n\ni386:\njava-1.7.1-ibm-1.7.1.4.65-1jpp.1.el6_10.i686.rpm\njava-1.7.1-ibm-demo-1.7.1.4.65-1jpp.1.el6_10.i686.rpm\njava-1.7.1-ibm-devel-1.7.1.4.65-1jpp.1.el6_10.i686.rpm\njava-1.7.1-ibm-jdbc-1.7.1.4.65-1jpp.1.el6_10.i686.rpm\njava-1.7.1-ibm-plugin-1.7.1.4.65-1jpp.1.el6_10.i686.rpm\njava-1.7.1-ibm-src-1.7.1.4.65-1jpp.1.el6_10.i686.rpm\n\nx86_64:\njava-1.7.1-ibm-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm\njava-1.7.1-ibm-demo-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm\njava-1.7.1-ibm-devel-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm\njava-1.7.1-ibm-jdbc-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm\njava-1.7.1-ibm-plugin-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm\njava-1.7.1-ibm-src-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm\n\nRed Hat Enterprise Linux HPC Node Supplementary (v. 6):\n\nx86_64:\njava-1.7.1-ibm-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm\njava-1.7.1-ibm-demo-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm\njava-1.7.1-ibm-devel-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm\njava-1.7.1-ibm-src-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm\n\nRed Hat Enterprise Linux Server Supplementary (v. 6):\n\ni386:\njava-1.7.1-ibm-1.7.1.4.65-1jpp.1.el6_10.i686.rpm\njava-1.7.1-ibm-demo-1.7.1.4.65-1jpp.1.el6_10.i686.rpm\njava-1.7.1-ibm-devel-1.7.1.4.65-1jpp.1.el6_10.i686.rpm\njava-1.7.1-ibm-jdbc-1.7.1.4.65-1jpp.1.el6_10.i686.rpm\njava-1.7.1-ibm-plugin-1.7.1.4.65-1jpp.1.el6_10.i686.rpm\njava-1.7.1-ibm-src-1.7.1.4.65-1jpp.1.el6_10.i686.rpm\n\nppc64:\njava-1.7.1-ibm-1.7.1.4.65-1jpp.1.el6_10.ppc64.rpm\njava-1.7.1-ibm-demo-1.7.1.4.65-1jpp.1.el6_10.ppc64.rpm\njava-1.7.1-ibm-devel-1.7.1.4.65-1jpp.1.el6_10.ppc64.rpm\njava-1.7.1-ibm-jdbc-1.7.1.4.65-1jpp.1.el6_10.ppc64.rpm\njava-1.7.1-ibm-src-1.7.1.4.65-1jpp.1.el6_10.ppc64.rpm\n\ns390x:\njava-1.7.1-ibm-1.7.1.4.65-1jpp.1.el6_10.s390x.rpm\njava-1.7.1-ibm-demo-1.7.1.4.65-1jpp.1.el6_10.s390x.rpm\njava-1.7.1-ibm-devel-1.7.1.4.65-1jpp.1.el6_10.s390x.rpm\njava-1.7.1-ibm-jdbc-1.7.1.4.65-1jpp.1.el6_10.s390x.rpm\njava-1.7.1-ibm-src-1.7.1.4.65-1jpp.1.el6_10.s390x.rpm\n\nx86_64:\njava-1.7.1-ibm-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm\njava-1.7.1-ibm-demo-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm\njava-1.7.1-ibm-devel-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm\njava-1.7.1-ibm-jdbc-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm\njava-1.7.1-ibm-plugin-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm\njava-1.7.1-ibm-src-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation Supplementary (v. 6):\n\ni386:\njava-1.7.1-ibm-1.7.1.4.65-1jpp.1.el6_10.i686.rpm\njava-1.7.1-ibm-demo-1.7.1.4.65-1jpp.1.el6_10.i686.rpm\njava-1.7.1-ibm-devel-1.7.1.4.65-1jpp.1.el6_10.i686.rpm\njava-1.7.1-ibm-jdbc-1.7.1.4.65-1jpp.1.el6_10.i686.rpm\njava-1.7.1-ibm-plugin-1.7.1.4.65-1jpp.1.el6_10.i686.rpm\njava-1.7.1-ibm-src-1.7.1.4.65-1jpp.1.el6_10.i686.rpm\n\nx86_64:\njava-1.7.1-ibm-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm\njava-1.7.1-ibm-demo-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm\njava-1.7.1-ibm-devel-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm\njava-1.7.1-ibm-jdbc-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm\njava-1.7.1-ibm-plugin-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm\njava-1.7.1-ibm-src-1.7.1.4.65-1jpp.1.el6_10.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2020-2654\nhttps://access.redhat.com/security/cve/CVE-2020-2756\nhttps://access.redhat.com/security/cve/CVE-2020-2757\nhttps://access.redhat.com/security/cve/CVE-2020-2781\nhttps://access.redhat.com/security/cve/CVE-2020-2800\nhttps://access.redhat.com/security/cve/CVE-2020-2803\nhttps://access.redhat.com/security/cve/CVE-2020-2805\nhttps://access.redhat.com/security/cve/CVE-2020-2830\nhttps://access.redhat.com/security/updates/classification/#important\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2020 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBXsU9v9zjgjWX9erEAQg8Zw/+Lg7FSdhMbVk/Qy2+8RgdcPuiPfqGcUQg\nnT6B1XuNPo8ZHONWC+2GEsV+8SJNp8vHeZmZWn5robPd/TsB25LGCk6Kx4TQPPd8\nMsGvVphXZkuIi+44R6Xj8m8CzAQLgPGrBS6fonl0fe8W/9/7ULEG327qT0Piphpy\ns9tlQWx3PAbtw7CnFBpOlTibadg0iyqif3egEhkUFkMYxTGBNn43GvKQAX3nfgNx\nFSiy8ZeAXB3u289gMmgXjJdcIxPF5KQlEsaCEU/5LB1I5YcJkleKY0YXUOaYaZ5z\n/AkKPho/WWogwWZBtBlAb3hWOft+grko+0QsDhSGLhr5c1YPq1PTYgmCzY54imnQ\nO+KBpgX61aIY9Yil+iy0uGVhC8tpIwFx4k02SlzgocNwOZu+bwGkbm34n0NIxZBL\nWapU4IbIiforzd8IFoMVst8gPe6hF+fI4OW20aUVfImOAarpr7QuirXWuDd0xZRv\nbG/SNAAFdkDVzXVwfxDVu5KyELShTJOagRvf3sZ/e22Sy3h8VuhEBV3l2UvnLpDB\ncXkD39sy6DAahaWBveCWLfBRCCiuOn/03g9lE2oTsTQPP8YCsv23wdTEMMXXXMhW\nOO6kEvVZVDtY7KL0u4KQ2f41k70O2ybLl4gLxwTmvk5VCx2xtk7Qb1gOsVPZNMA6\nQF084+zkRgg=n3I2\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4668-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nApril 28, 2020 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : openjdk-8\nCVE ID : CVE-2020-2754 CVE-2020-2755 CVE-2020-2756 CVE-2020-2757 \n CVE-2020-2773 CVE-2020-2781 CVE-2020-2800 CVE-2020-2803 \n CVE-2020-2805\n\nSeveral vulnerabilities have been discovered in the OpenJDK Java runtime,\nresulting in denial of service, insecure TLS handshakes, bypass of\nsandbox restrictions or HTTP response splitting attacks. \n\nFor the oldstable distribution (stretch), these problems have been fixed\nin version 8u252-b09-1~deb9u1. \n\nWe recommend that you upgrade your openjdk-8 packages. \n\nFor the detailed security status of openjdk-8 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/openjdk-8\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl6ohOAACgkQEMKTtsN8\nTjauDg//dewg6ej1yoHtsiqw0vxozLnwHv+6PhzFlI2x25u7W2oBc6bRM+ZefFzm\nPh/AcWtCrtjGbPmukaFrSYXEKqmymcXS0otYH7v3FuvSDgPWou2jrZ0TuIt1ohfB\n6jszJQgfLFdQf7Ubfv1L/+fFN5rMyOVepBSbk1cI9pJWntTUprbtA5V+z1vTP9cl\n2NHGGlqAwxWHIjR/s2gKv2zoRAd46GEeEIq5e7P6xgbr/4R00JWmq/frp2wK40RT\n8rc/pcSvHq5isbJAUYuf0af5+77NZMnrQZyrLRFzpTprY1DkR7bTtFIETZJwBk2F\nqQqfo1f/hiqwdB90UXHlscVA7YxyRojJkQ57/QM0dkGTKZCxL/JyBi5B+262Qa8k\n2sgleNcPyGJjUZHNJt9C0D2TF8zBXjdqMewbu1h9jt8t7PCcgBq0EDnQdClDzESG\naTzMsM4w3ssYX41vmq3O6j90HwdFTs0lDCd1HfKK2WXgCm8IoFKdiW0ofRQdXihb\ndFizoH8yxrW9Pk9AjQoj4goaRqElEyk9hs2Sqh1HQFtHoKujxiIuoM+XQop8/9xY\ng45bWIR/jzV9AcPOUkMtGean90/qfSXAqgusXJ0mCSSP4wbvYXi04qtMmeurQFeX\n8JgNWPEehjQUzQqxLVQ4FNikIe3VG1UKwc6rPPHdwPXw4YqHJ2k=\n=Xj/N\n-----END PGP SIGNATURE-----\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2020-2781"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004278"
},
{
"db": "VULMON",
"id": "CVE-2020-2781"
},
{
"db": "PACKETSTORM",
"id": "158101"
},
{
"db": "PACKETSTORM",
"id": "157350"
},
{
"db": "PACKETSTORM",
"id": "157351"
},
{
"db": "PACKETSTORM",
"id": "157549"
},
{
"db": "PACKETSTORM",
"id": "157779"
},
{
"db": "PACKETSTORM",
"id": "157331"
},
{
"db": "PACKETSTORM",
"id": "157776"
},
{
"db": "PACKETSTORM",
"id": "168802"
}
],
"trust": 2.43
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2020-2781",
"trust": 3.3
},
{
"db": "MCAFEE",
"id": "SB10318",
"trust": 1.7
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004278",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "158101",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "157351",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "157331",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2020.1730",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1797",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.2622",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1414",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1582",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.4416",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.2646",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1628",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1468",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1439",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.2738",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.2300",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1401",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.3108",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.2113",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1984",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1746",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "157782",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "157550",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "157363",
"trust": 0.6
},
{
"db": "NSFOCUS",
"id": "47993",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202004-843",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2020-2781",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "157350",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "157549",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "157779",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "157776",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "168802",
"trust": 0.1
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2020-2781"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004278"
},
{
"db": "PACKETSTORM",
"id": "158101"
},
{
"db": "PACKETSTORM",
"id": "157350"
},
{
"db": "PACKETSTORM",
"id": "157351"
},
{
"db": "PACKETSTORM",
"id": "157549"
},
{
"db": "PACKETSTORM",
"id": "157779"
},
{
"db": "PACKETSTORM",
"id": "157331"
},
{
"db": "PACKETSTORM",
"id": "157776"
},
{
"db": "PACKETSTORM",
"id": "168802"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-843"
},
{
"db": "NVD",
"id": "CVE-2020-2781"
}
]
},
"id": "VAR-202004-1071",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.27142859
},
"last_update_date": "2023-11-07T20:38:03.308000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "hitachi-sec-2020-108",
"trust": 0.8,
"url": "https://www.hitachi.co.jp/prod/comp/soft1/global/security/info/vuls/hitachi-sec-2020-108/index.html"
},
{
"title": "hitachi-sec-2020-111",
"trust": 0.8,
"url": "http://www.hitachi.co.jp/prod/comp/soft1/global/security/info/vuls/hitachi-sec-2020-111/index.html"
},
{
"title": "NTAP-20200416-0004",
"trust": 0.8,
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"title": "Oracle Critical Patch Update Advisory - April 2020",
"trust": 0.8,
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"title": "Text Form of Oracle Critical Patch Update - April 2020 Risk Matrices",
"trust": 0.8,
"url": "https://www.oracle.com/security-alerts/cpuapr2020verbose.html"
},
{
"title": "hitachi-sec-2020-111",
"trust": 0.8,
"url": "http://www.hitachi.co.jp/prod/comp/soft1/security/info/vuls/hitachi-sec-2020-111/index.html"
},
{
"title": "hitachi-sec-2020-108",
"trust": 0.8,
"url": "https://www.hitachi.co.jp/prod/comp/soft1/security/info/vuls/hitachi-sec-2020-108/index.html"
},
{
"title": "Oracle Corporation Java\u30d7\u30e9\u30b0\u30a4\u30f3\u306e\u8106\u5f31\u6027\u306b\u95a2\u3059\u308b\u304a\u77e5\u3089\u305b",
"trust": 0.8,
"url": "http://www.fmworld.net/biz/common/oracle/20200416.html"
},
{
"title": "Oracle Java SE and Java SE Embedded Security vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=113967"
},
{
"title": "Red Hat: Important: java-1.7.1-ibm security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20202238 - security advisory"
},
{
"title": "Red Hat: Important: java-1.7.0-openjdk security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20201508 - security advisory"
},
{
"title": "Red Hat: Important: java-1.7.1-ibm security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20202236 - security advisory"
},
{
"title": "Red Hat: Important: java-1.7.0-openjdk security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20201507 - security advisory"
},
{
"title": "Red Hat: Important: java-1.8.0-openjdk security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20201515 - security advisory"
},
{
"title": "Red Hat: Important: java-1.8.0-openjdk security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20201506 - security advisory"
},
{
"title": "Red Hat: Important: java-1.8.0-ibm security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20202239 - security advisory"
},
{
"title": "Red Hat: Important: java-1.8.0-openjdk security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20201512 - security advisory"
},
{
"title": "Red Hat: Important: java-1.8.0-openjdk security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20201516 - security advisory"
},
{
"title": "Red Hat: Important: java-11-openjdk security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20201514 - security advisory"
},
{
"title": "Red Hat: Important: java-1.8.0-ibm security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20202241 - security advisory"
},
{
"title": "Red Hat: Important: java-1.8.0-ibm security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20202237 - security advisory"
},
{
"title": "Red Hat: Important: java-11-openjdk security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20201517 - security advisory"
},
{
"title": "Red Hat: Important: java-11-openjdk security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20201509 - security advisory"
},
{
"title": "Red Hat: Moderate: OpenShift Container Platform 4.4.3 presto-container security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20201942 - security advisory"
},
{
"title": "Red Hat: Moderate: OpenShift Container Platform 4.4.3 hadoop-container security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20201938 - security advisory"
},
{
"title": "IBM: Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Z Development and Test Environment \u2013 April 2020",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=34684cce4ea4ca724278f61f0e9e4d2b"
},
{
"title": "Debian Security Advisories: DSA-4668-1 openjdk-8 -- security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=d7cce1580c49512354cd13b73064c4ab"
},
{
"title": "Ubuntu Security Notice: openjdk-8, openjdk-lts vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=usn-4337-1"
},
{
"title": "Amazon Linux AMI: ALAS-2020-1365",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=alas-2020-1365"
},
{
"title": "Amazon Linux AMI: ALAS-2023-1809",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=alas-2023-1809"
},
{
"title": "Amazon Linux 2: ALAS2-2020-1424",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=alas2-2020-1424"
},
{
"title": "Amazon Linux 2: ALAS2-2020-1421",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=alas2-2020-1421"
},
{
"title": "Debian Security Advisories: DSA-4662-1 openjdk-11 -- security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=fcc7953c1496c4d2bf29bdda0aeb34d3"
},
{
"title": "IBM: Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (July 2020v1)",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=4ca8040b949152189bea3a3126afcd39"
},
{
"title": "Amazon Linux 2: ALAS2-2020-1410",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=alas2-2020-1410"
},
{
"title": "Hitachi Security Advisories: Multiple Vulnerabilities in Hitachi Command Suite, Hitachi Automation Director, Hitachi Configuration Manager, Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=hitachi_security_advisories\u0026qid=hitachi-sec-2020-111"
},
{
"title": "Hitachi Security Advisories: Multiple Vulnerabilities in Cosminexus",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=hitachi_security_advisories\u0026qid=hitachi-sec-2020-108"
},
{
"title": "IBM: Security Bulletin: Multiple vulnerabilities in OpenJDK version 11 affect IBM InfoSphere Information Server",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=04093f22959e96a7bb3ed8715aa18c0e"
},
{
"title": "IBM: Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=2ec7385c474071281be069b54d841de6"
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/live-hack-cve/cve-2020-2781 "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2020-2781"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004278"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-843"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-noinfo",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2020-2781"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.3,
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"trust": 2.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2781"
},
{
"trust": 1.8,
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"trust": 1.8,
"url": "https://security.gentoo.org/glsa/202006-22"
},
{
"trust": 1.7,
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"trust": 1.7,
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"trust": 1.7,
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html"
},
{
"trust": 1.7,
"url": "https://www.debian.org/security/2020/dsa-4668"
},
{
"trust": 1.7,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/l7vhc4ew36kzeidq56rpcwbzcqelffkn/"
},
{
"trust": 1.7,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ckav6kffaeanxan73aftgu7z6ynrwcxq/"
},
{
"trust": 1.7,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/nyhhhzrhxcbgrhge5up7ueb4iz2qx536/"
},
{
"trust": 1.7,
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"trust": 1.7,
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"trust": 1.7,
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"trust": 1.7,
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=sb10318"
},
{
"trust": 1.7,
"url": "https://security.gentoo.org/glsa/202209-15"
},
{
"trust": 1.2,
"url": "https://access.redhat.com/security/cve/cve-2020-2781"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-2781"
},
{
"trust": 0.8,
"url": "https://www.ipa.go.jp/security/ciadr/vul/20200415-jre.html"
},
{
"trust": 0.8,
"url": "https://www.jpcert.or.jp/at/2020/at200017.html"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2757"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2756"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2803"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2805"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2800"
},
{
"trust": 0.7,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-z-development-and-test-environment-april-2020/"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2830"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2755"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2773"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/cve/cve-2020-2757"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2754"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/cve/cve-2020-2805"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.6,
"url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/cve/cve-2020-2830"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/cve/cve-2020-2800"
},
{
"trust": 0.6,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/cve/cve-2020-2756"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/cve/cve-2020-2803"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-edition-quarterly-cpu-for-websphere-mq-internet-pass-thru-april-2020-includes-oracle-april-2020-cpu-cve-2020-2781/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1401/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-java-se-vulnerability-affects-ibm-control-center-cve-2020-2781/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-cognos-command-center-4/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1582/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-sb0003748/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impacted-by-multiple-vulnerabilities-in-java/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-sdk-java-technology-edition-affect-ibm-rational-build-forge/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-java-sdk-affect-ibm-spectrum-control-cve-2020-2654-cve-2020-2781-cve-2020-2800/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.2300/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-content-collector-for-email-content-collector-for-file-systems-content-collector-for-microsoft-sharepoint-and-content-collector-for-8/"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/oracle-java-openjdk-vulnerabilities-of-april-2020-32028"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-edition-quarterly-cpu-apr-2020-includes-oracle-apr-2020-cpu-minus-cve-2020-2773-affects-liberty-for-java-for-ibm-cloud/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java-sdk-and-ibm-java-runtime-affects-rational-business-developer-2/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-planning-analytics/"
},
{
"trust": 0.6,
"url": "http://www.nsfocus.net/vulndb/47993"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-cognos-command-center-3/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-addressed-in-ibm-cloud-pak-system-april-2020-updates-2/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1468/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-spectrum-conductor-and-ibm-spectrum-conductor-with-spark-2/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.3108/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-cognos-planning-q12021/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-affected-by-multiple-java-vulnerabilities/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-watson-machine-learning-service-is-impacted-by-security-vulnerabilities-in-openjdk-11/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-java-and-apache-tomcat-affect-ibm-san-volume-controller-ibm-storwize-ibm-spectrum-virtualize-and-ibm-flashsystem-v9000-products/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.2113/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-and-ibm-java-runtime-that-affect-ibm-intelligent-operations-center-products-apr-2020/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-runtime-vulnerability-affects-ibm-sterling-secure-proxy-cve-2020-2781/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.2622/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.2646/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-java/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-rational-asset-analyzer-2/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-websphere-application-server-april-2020-cpu-plus-deferred-cve-2019-2949-and-cve-2020-2654/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-java-vulnerabilities-affect-ibm-spectrum-protect-plus-cve-2020-2805-cve-2020-2803-cve-2020-2830-cve-2020-2781-cve-2020-2800-cve-2020-2757-cve-2020-2756-cve-2020-275-3/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-connectdirect-web-services/"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/157782/red-hat-security-advisory-2020-2241-01.html"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-in-ibm-java-sdk-april-2020-cpu-affect-multiple-ibm-continuous-engineering-products-based-on-ibm-jazz-technology-2/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-cloud-private-2/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-rational-directory-server-tivoli-rational-directory-administrator-4/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-ediscovery-analyzer-3/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-in-ibm-runtime-environment-java-version-8-affect-ibm-wiotp-messagegateway-cve-2020-2805-cve-2020-2803-cve-2020-2781-cve-2020-2755-cve-2020-2754-2/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1439/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-platform-symphony-and-ibm-spectrum-symphony-2/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-sdk-java-affects-ibm-cloud-application-business-insights/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affects-ibm-storwize-v7000-unified/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affects-websphere-application-server-april-2020-cpu-that-is-bundled-with-ibm-websphere-application-server-patterns/"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/158101/gentoo-linux-security-advisory-202006-22.html"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-security-directory-server-3/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-april-2020-critical-patch-update-for-java/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-performance-management-products-7/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-infosphere-information-server/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-java-runtime-affects-ibm-sterling-connectdirect-for-unix-2/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.4416/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-sdk-java-technology-edition-affect-ibm-operational-decision-manager-october-2019-january-2020-and-april-2020-cpus/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.2738/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-addressed-multiple-vulnerabilities-3/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1746/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-java-vulnerabilities-affect-ibm-spectrum-protect-plus-cve-2020-2805-cve-2020-2803-cve-2020-2830-cve-2020-2781-cve-2020-2800-cve-2020-2757-cve-2020-2756-cve-2020-275-2/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1730/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1984/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-edition-quarterly-cpu-apr-2020-includes-oracle-apr-2020-cpu-minus-cve-2020-2773-affects-ibm-mq/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-and-ibm-java-runtime-affect-ibm-qradar-siem-2/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1414/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-in-ibm-java-sdk-april-2020-cpu-affect-multiple-ibm-continuous-engineering-products-based-on-ibm-jazz-technology-3/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-websphere-application-server-for-ibm-cloud-private-vm-quickstarter/"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/157351/red-hat-security-advisory-2020-1515-01.html"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-in-ibm-runtime-environment-java-version-8-affect-ibm-wiotp-messagegateway-cve-2020-2805-cve-2020-2803-cve-2020-2781-cve-2020-2755-cve-2020-2754/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-and-ibm-java-runtime-affect-rational-performance-tester-primary-tabs/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-affects-the-ibm-flashsystem-models-840-and-900/"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/157331/red-hat-security-advisory-2020-1514-01.html"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/157550/red-hat-security-advisory-2020-1938-01.html"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-security-directory-server-2/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-runtime-vulnerabilities-affect-the-ibm-spectrum-protect-backup-archive-client-ibm-spectrum-protect-for-space-management-and-ibm-spectrum-protect-for-virtual-environments/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-java-runtime-affects-ibm-sterling-connectdirect-for-microsoft-windows-3/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-storediq-instascan/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1628/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-kenexa-lms-on-premise-ibm-sdk-java-technology-edition-quarterly-cpu-apr-2020-includes-oracle-apr-2020-cpu/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-websphere-cast-iron-solution-app-connect-professional-3/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-tivoli-monitoring-2/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1797/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-cognos-command-center-5/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-have-been-identified-in-ibm-java-sdk-that-affect-ibm-security-directory-suite/"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/157363/ubuntu-security-notice-usn-4337-1.html"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-sb003732/"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/cve/cve-2020-2754"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/cve/cve-2020-2755"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2020-2773"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2654"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-2654"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/.html"
},
{
"trust": 0.1,
"url": "https://github.com/live-hack-cve/cve-2020-2781"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:2238"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2585"
},
{
"trust": 0.1,
"url": "https://creativecommons.org/licenses/by-sa/2.5"
},
{
"trust": 0.1,
"url": "https://security.gentoo.org/"
},
{
"trust": 0.1,
"url": "https://bugs.gentoo.org."
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:1516"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:1515"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:1942"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-19352"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-19352"
},
{
"trust": 0.1,
"url": "https://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-rel"
},
{
"trust": 0.1,
"url": "https://docs.openshift.com/container-platform/4.4/updating/updating-cluster"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-2949"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-2949"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:2239"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2778"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-2767"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-2816"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-2778"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:1514"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2816"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2767"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:2236"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/faq"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/"
},
{
"trust": 0.1,
"url": "https://security-tracker.debian.org/tracker/openjdk-8"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2020-2781"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004278"
},
{
"db": "PACKETSTORM",
"id": "158101"
},
{
"db": "PACKETSTORM",
"id": "157350"
},
{
"db": "PACKETSTORM",
"id": "157351"
},
{
"db": "PACKETSTORM",
"id": "157549"
},
{
"db": "PACKETSTORM",
"id": "157779"
},
{
"db": "PACKETSTORM",
"id": "157331"
},
{
"db": "PACKETSTORM",
"id": "157776"
},
{
"db": "PACKETSTORM",
"id": "168802"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-843"
},
{
"db": "NVD",
"id": "CVE-2020-2781"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULMON",
"id": "CVE-2020-2781"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-004278"
},
{
"db": "PACKETSTORM",
"id": "158101"
},
{
"db": "PACKETSTORM",
"id": "157350"
},
{
"db": "PACKETSTORM",
"id": "157351"
},
{
"db": "PACKETSTORM",
"id": "157549"
},
{
"db": "PACKETSTORM",
"id": "157779"
},
{
"db": "PACKETSTORM",
"id": "157331"
},
{
"db": "PACKETSTORM",
"id": "157776"
},
{
"db": "PACKETSTORM",
"id": "168802"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-843"
},
{
"db": "NVD",
"id": "CVE-2020-2781"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-04-15T00:00:00",
"db": "VULMON",
"id": "CVE-2020-2781"
},
{
"date": "2020-05-12T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-004278"
},
{
"date": "2020-06-16T00:55:56",
"db": "PACKETSTORM",
"id": "158101"
},
{
"date": "2020-04-22T15:11:05",
"db": "PACKETSTORM",
"id": "157350"
},
{
"date": "2020-04-22T15:11:12",
"db": "PACKETSTORM",
"id": "157351"
},
{
"date": "2020-05-04T17:28:54",
"db": "PACKETSTORM",
"id": "157549"
},
{
"date": "2020-05-20T16:01:16",
"db": "PACKETSTORM",
"id": "157779"
},
{
"date": "2020-04-21T20:00:19",
"db": "PACKETSTORM",
"id": "157331"
},
{
"date": "2020-05-20T15:59:45",
"db": "PACKETSTORM",
"id": "157776"
},
{
"date": "2020-04-28T19:12:00",
"db": "PACKETSTORM",
"id": "168802"
},
{
"date": "2020-04-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202004-843"
},
{
"date": "2020-04-15T14:15:00",
"db": "NVD",
"id": "CVE-2020-2781"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-09-30T00:00:00",
"db": "VULMON",
"id": "CVE-2020-2781"
},
{
"date": "2020-06-22T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-004278"
},
{
"date": "2022-09-26T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202004-843"
},
{
"date": "2022-09-30T14:42:00",
"db": "NVD",
"id": "CVE-2020-2781"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202004-843"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Oracle Java SE and Java SE Embedded In JSSE Vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-004278"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202004-843"
}
],
"trust": 0.6
}
}
var-202103-1464
Vulnerability from variot
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j). The product supports a variety of encryption algorithms, including symmetric ciphers, hash algorithms, secure hash algorithms, etc. Summary:
Openshift Serverless 1.10.2 is now available. This version of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform version 4.5. Solution:
See the documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/ 4.5/html/serverless_applications/index
Bug Fix(es):
-
WMCO patch pub-key-hash annotation to Linux node (BZ#1945248)
-
LoadBalancer Service type with invalid external loadbalancer IP breaks the datapath (BZ#1952917)
-
Telemetry info not completely available to identify windows nodes (BZ#1955319)
-
WMCO incorrectly shows node as ready after a failed configuration (BZ#1956412)
-
kube-proxy service terminated unexpectedly after recreated LB service (BZ#1963263)
-
Solution:
For Windows Machine Config Operator upgrades, see the following documentation:
https://docs.openshift.com/container-platform/4.7/windows_containers/window s-node-upgrades.html
- Bugs fixed (https://bugzilla.redhat.com/):
1945248 - WMCO patch pub-key-hash annotation to Linux node 1946538 - CVE-2021-25736 kubernetes: LoadBalancer Service type don't create a HNS policy for empty or invalid external loadbalancer IP, what could lead to MITM 1952917 - LoadBalancer Service type with invalid external loadbalancer IP breaks the datapath 1955319 - Telemetry info not completely available to identify windows nodes 1956412 - WMCO incorrectly shows node as ready after a failed configuration 1963263 - kube-proxy service terminated unexpectedly after recreated LB service
- Description:
Red Hat Advanced Cluster Management for Kubernetes 2.0.10 images
Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in.
Bug fix:
-
RHACM 2.0.10 images (BZ #1940452)
-
Bugs fixed (https://bugzilla.redhat.com/):
1940452 - RHACM 2.0.10 images 1944286 - CVE-2021-23358 nodejs-underscore: Arbitrary code execution via the template function
- ========================================================================== Ubuntu Security Notice USN-4891-1 March 25, 2021
openssl vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
OpenSSL could be made to crash or run programs if it received specially crafted network traffic. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly execute arbitrary code.
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 20.10: libssl1.1 1.1.1f-1ubuntu4.3
Ubuntu 20.04 LTS: libssl1.1 1.1.1f-1ubuntu2.3
Ubuntu 18.04 LTS: libssl1.1 1.1.1-1ubuntu2.1~18.04.9
After a standard system update you need to reboot your computer to make all the necessary changes. 8) - aarch64, ppc64le, s390x, x86_64
- Description:
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. Package List:
Red Hat Enterprise Linux BaseOS (v. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP7 security update Advisory ID: RHSA-2021:1200-01 Product: Red Hat JBoss Core Services Advisory URL: https://access.redhat.com/errata/RHSA-2021:1200 Issue date: 2021-04-14 CVE Names: CVE-2021-3449 CVE-2021-3450 ==================================================================== 1. Summary:
Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 7 zip release for RHEL 7, RHEL 8 and Microsoft Windows is available.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Description:
Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.
This release adds the new Apache HTTP Server 2.4.37 Service Pack 7 packages that are part of the JBoss Core Services offering.
This release serves as a replacement for Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 6 and includes bug fixes and enhancements. Refer to the Release Notes for information on the most significant bug fixes and enhancements included in this release.
Security fix(es):
-
openssl: NULL pointer deref in signature_algorithms processing (CVE-2021-3449)
-
openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT (CVE-2021-3450)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
- Solution:
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
The References section of this erratum contains a download link for the update. You must be logged in to download the update.
- Bugs fixed (https://bugzilla.redhat.com/):
1941547 - CVE-2021-3450 openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT 1941554 - CVE-2021-3449 openssl: NULL pointer dereference in signature_algorithms processing
- References:
https://access.redhat.com/security/cve/CVE-2021-3449 https://access.redhat.com/security/cve/CVE-2021-3450 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.apachehttp&downloadType=securityPatches&version=2.4.37
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBYHcRztzjgjWX9erEAQi2UA//ZnBZbF6yu43LNZh8SpIsZt25+kmRXpPO 24bitxkguIp8Mbf6aysizioKh10TgUzJAZL/xwzVGaf1YTtGXEiiQZvl+qetQhal CYcQUX9iRTbN3LL5sT0es8qIc9pXnVSh9YCRaa2i3l9KWlPWA2U0R4OfrAmGIjUe VG3tJ92HhtdeEx0VOHC+X6e7bDMoGQboT7cDJsP/xn8abWrBn9pQYfh7Ej/4qwMK 8sm6M7KcMcl2Sxjv0PB5obmZWBILWiTwHrJu6M3D6HBMJ4IdA0+DrDjf5U3NW6xp uYmmkKkw18juBkRyLBFG0Xnm8JUh9t50zRL5XbI5rcv8w+puqcuLuNWD83L+fIFE Z7eDdVaf0TYljefjbiZP/An2vjiOJ6Tm7nO79lrCI/g7Oax+/oK0/ClDpLuwVKtB hz7f5VrK2+q+qDRvXk65Ala9kMHvhkr7s2/64/UMcvqpnTSkzypFORSdj+UBevUb a+2ClrFEeokOXZxvZGQQxvu6do8roy2vrpLgNmxaDf65JZk5R4NlC3J4SbEjwBTT Wg4bnZRXHi+T8OL3fmPTnNsEMOAdH3kwUfgzIbj9o6wFzoZiKYRUk9qQv8jb1G9K x0qnCqtrwqzBBUs+ntXfTguTOba7JYx7aWH6ieBOIb5tapLJw7xOlVWbE1d29BCy CkeZnyNSON8=u60F -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202103-1464",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "graalvm",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "20.3.1.2"
},
{
"model": "mysql workbench",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0.23"
},
{
"model": "simatic cloud connect 7",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": null
},
{
"model": "cloud volumes ontap mediator",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "simatic net cp 1543sp-1",
"scope": "gte",
"trust": 1.0,
"vendor": "siemens",
"version": "2.1"
},
{
"model": "simatic pdm",
"scope": "gte",
"trust": 1.0,
"vendor": "siemens",
"version": "9.1.0.7"
},
{
"model": "nessus network monitor",
"scope": "eq",
"trust": 1.0,
"vendor": "tenable",
"version": "5.12.1"
},
{
"model": "essbase",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "21.2"
},
{
"model": "sma100",
"scope": "gte",
"trust": 1.0,
"vendor": "sonicwall",
"version": "10.2.0.0"
},
{
"model": "multi-domain management",
"scope": "eq",
"trust": 1.0,
"vendor": "checkpoint",
"version": "r80.40"
},
{
"model": "scalance s627-2m",
"scope": "gte",
"trust": 1.0,
"vendor": "siemens",
"version": "4.1"
},
{
"model": "scalance xp-200",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "4.3"
},
{
"model": "simatic process historian opc ua server",
"scope": "gte",
"trust": 1.0,
"vendor": "siemens",
"version": "2019"
},
{
"model": "node.js",
"scope": "gte",
"trust": 1.0,
"vendor": "nodejs",
"version": "10.0.0"
},
{
"model": "simatic cp 1242-7 gprs v2",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": null
},
{
"model": "jd edwards world security",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "a9.4"
},
{
"model": "scalance xr524-8c",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "6.4"
},
{
"model": "tenable.sc",
"scope": "gte",
"trust": 1.0,
"vendor": "tenable",
"version": "5.13.0"
},
{
"model": "simatic rf188ci",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "simatic net cp 1243-1",
"scope": "gte",
"trust": 1.0,
"vendor": "siemens",
"version": "3.1"
},
{
"model": "simatic rf185c",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "snapcenter",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "nessus network monitor",
"scope": "eq",
"trust": 1.0,
"vendor": "tenable",
"version": "5.13.0"
},
{
"model": "mysql connectors",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0.23"
},
{
"model": "simatic net cp 1543-1",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "3.0"
},
{
"model": "tim 1531 irc",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "2.2"
},
{
"model": "secure global desktop",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "5.6"
},
{
"model": "node.js",
"scope": "lte",
"trust": 1.0,
"vendor": "nodejs",
"version": "10.24.0"
},
{
"model": "mysql server",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "5.7.33"
},
{
"model": "scalance xr-300wg",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "4.3"
},
{
"model": "sma100",
"scope": "lt",
"trust": 1.0,
"vendor": "sonicwall",
"version": "10.2.1.0-17sv"
},
{
"model": "simatic s7-1200 cpu 1217c",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "sinamics connect 300",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "node.js",
"scope": "lte",
"trust": 1.0,
"vendor": "nodejs",
"version": "12.12.0"
},
{
"model": "nessus network monitor",
"scope": "eq",
"trust": 1.0,
"vendor": "tenable",
"version": "5.11.1"
},
{
"model": "peoplesoft enterprise peopletools",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.58"
},
{
"model": "scalance xm-400",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "6.4"
},
{
"model": "simatic net cp1243-7 lte eu",
"scope": "gte",
"trust": 1.0,
"vendor": "siemens",
"version": "3.1"
},
{
"model": "quantum security gateway",
"scope": "eq",
"trust": 1.0,
"vendor": "checkpoint",
"version": "r81"
},
{
"model": "communications communications policy management",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.6.0.0.0"
},
{
"model": "simatic rf360r",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "oncommand workflow automation",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "simatic hmi comfort outdoor panels",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "simatic s7-1200 cpu 1214c",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "scalance s615",
"scope": "gte",
"trust": 1.0,
"vendor": "siemens",
"version": "6.2"
},
{
"model": "mysql server",
"scope": "gte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0.15"
},
{
"model": "simatic mv500",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "simatic s7-1200 cpu 1212fc",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "sinec pni",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": null
},
{
"model": "scalance xf-200ba",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "4.3"
},
{
"model": "nessus network monitor",
"scope": "eq",
"trust": 1.0,
"vendor": "tenable",
"version": "5.12.0"
},
{
"model": "simatic rf188c",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "simatic wincc runtime advanced",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "zfs storage appliance kit",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.8"
},
{
"model": "simatic s7-1200 cpu 1211c",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "nessus",
"scope": "lte",
"trust": 1.0,
"vendor": "tenable",
"version": "8.13.1"
},
{
"model": "enterprise manager for storage management",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "13.4.0.0"
},
{
"model": "multi-domain management",
"scope": "eq",
"trust": 1.0,
"vendor": "checkpoint",
"version": "r81"
},
{
"model": "peoplesoft enterprise peopletools",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.59"
},
{
"model": "primavera unifier",
"scope": "gte",
"trust": 1.0,
"vendor": "oracle",
"version": "17.7"
},
{
"model": "simatic hmi basic panels 2nd generation",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "primavera unifier",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "19.12"
},
{
"model": "scalance w700",
"scope": "gte",
"trust": 1.0,
"vendor": "siemens",
"version": "6.5"
},
{
"model": "e-series performance analyzer",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "scalance xr552-12",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "6.4"
},
{
"model": "simatic net cp1243-7 lte us",
"scope": "gte",
"trust": 1.0,
"vendor": "siemens",
"version": "3.1"
},
{
"model": "node.js",
"scope": "gte",
"trust": 1.0,
"vendor": "nodejs",
"version": "12.0.0"
},
{
"model": "openssl",
"scope": "gte",
"trust": 1.0,
"vendor": "openssl",
"version": "1.1.1"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "34"
},
{
"model": "graalvm",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "19.3.5"
},
{
"model": "primavera unifier",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "20.12"
},
{
"model": "node.js",
"scope": "lte",
"trust": 1.0,
"vendor": "nodejs",
"version": "14.14.0"
},
{
"model": "tenable.sc",
"scope": "lte",
"trust": 1.0,
"vendor": "tenable",
"version": "5.17.0"
},
{
"model": "web gateway cloud service",
"scope": "eq",
"trust": 1.0,
"vendor": "mcafee",
"version": "10.1.1"
},
{
"model": "openssl",
"scope": "lt",
"trust": 1.0,
"vendor": "openssl",
"version": "1.1.1k"
},
{
"model": "simatic rf166c",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "9.0"
},
{
"model": "scalance xc-200",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "4.3"
},
{
"model": "simatic s7-1200 cpu 1215c",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "quantum security management",
"scope": "eq",
"trust": 1.0,
"vendor": "checkpoint",
"version": "r80.40"
},
{
"model": "scalance xr526-8c",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "6.4"
},
{
"model": "node.js",
"scope": "lt",
"trust": 1.0,
"vendor": "nodejs",
"version": "15.14.0"
},
{
"model": "simatic s7-1500 cpu 1518-4 pn\\/dp mfp",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "10.0"
},
{
"model": "web gateway cloud service",
"scope": "eq",
"trust": 1.0,
"vendor": "mcafee",
"version": "9.2.10"
},
{
"model": "tim 1531 irc",
"scope": "gte",
"trust": 1.0,
"vendor": "siemens",
"version": "2.0"
},
{
"model": "primavera unifier",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "17.12"
},
{
"model": "sinec infrastructure network services",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "1.0.1.1"
},
{
"model": "graalvm",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "21.0.0.2"
},
{
"model": "secure backup",
"scope": "lt",
"trust": 1.0,
"vendor": "oracle",
"version": "18.1.0.1.0"
},
{
"model": "nessus network monitor",
"scope": "eq",
"trust": 1.0,
"vendor": "tenable",
"version": "5.11.0"
},
{
"model": "storagegrid",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "peoplesoft enterprise peopletools",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.57"
},
{
"model": "scalance sc-600",
"scope": "gte",
"trust": 1.0,
"vendor": "siemens",
"version": "2.0"
},
{
"model": "simatic pcs 7 telecontrol",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "simatic s7-1200 cpu 1215 fc",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "node.js",
"scope": "lt",
"trust": 1.0,
"vendor": "nodejs",
"version": "12.22.1"
},
{
"model": "simatic rf186ci",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "web gateway",
"scope": "eq",
"trust": 1.0,
"vendor": "mcafee",
"version": "10.1.1"
},
{
"model": "simatic net cp 1542sp-1 irc",
"scope": "gte",
"trust": 1.0,
"vendor": "siemens",
"version": "2.1"
},
{
"model": "capture client",
"scope": "eq",
"trust": 1.0,
"vendor": "sonicwall",
"version": "3.5"
},
{
"model": "simatic logon",
"scope": "gte",
"trust": 1.0,
"vendor": "siemens",
"version": "1.6.0.2"
},
{
"model": "simatic wincc telecontrol",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": null
},
{
"model": "active iq unified manager",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "sonicos",
"scope": "eq",
"trust": 1.0,
"vendor": "sonicwall",
"version": "7.0.1.0"
},
{
"model": "jd edwards enterpriseone tools",
"scope": "lt",
"trust": 1.0,
"vendor": "oracle",
"version": "9.2.6.0"
},
{
"model": "oncommand insight",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "simatic pcs neo",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "scalance s623",
"scope": "gte",
"trust": 1.0,
"vendor": "siemens",
"version": "4.1"
},
{
"model": "scalance lpe9403",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "simatic s7-1200 cpu 1214 fc",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "node.js",
"scope": "gte",
"trust": 1.0,
"vendor": "nodejs",
"version": "10.13.0"
},
{
"model": "log correlation engine",
"scope": "lt",
"trust": 1.0,
"vendor": "tenable",
"version": "6.0.9"
},
{
"model": "scalance m-800",
"scope": "gte",
"trust": 1.0,
"vendor": "siemens",
"version": "6.2"
},
{
"model": "simatic rf186c",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "web gateway cloud service",
"scope": "eq",
"trust": 1.0,
"vendor": "mcafee",
"version": "8.2.19"
},
{
"model": "node.js",
"scope": "gte",
"trust": 1.0,
"vendor": "nodejs",
"version": "14.0.0"
},
{
"model": "primavera unifier",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "21.12"
},
{
"model": "web gateway",
"scope": "eq",
"trust": 1.0,
"vendor": "mcafee",
"version": "9.2.10"
},
{
"model": "node.js",
"scope": "lt",
"trust": 1.0,
"vendor": "nodejs",
"version": "14.16.1"
},
{
"model": "simatic hmi ktp mobile panels",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "sinema server",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "14.0"
},
{
"model": "scalance s612",
"scope": "gte",
"trust": 1.0,
"vendor": "siemens",
"version": "4.1"
},
{
"model": "simatic s7-1200 cpu 1212c",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "santricity smi-s provider",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "quantum security management",
"scope": "eq",
"trust": 1.0,
"vendor": "checkpoint",
"version": "r81"
},
{
"model": "scalance xr528-6m",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "6.4"
},
{
"model": "tia administrator",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "sinec nms",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "1.0"
},
{
"model": "simatic logon",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "1.5"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 1.0,
"vendor": "freebsd",
"version": "12.2"
},
{
"model": "sinumerik opc ua server",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "mysql server",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0.23"
},
{
"model": "ontap select deploy administration utility",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "scalance xb-200",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "4.3"
},
{
"model": "scalance s602",
"scope": "gte",
"trust": 1.0,
"vendor": "siemens",
"version": "4.1"
},
{
"model": "ruggedcom rcm1224",
"scope": "gte",
"trust": 1.0,
"vendor": "siemens",
"version": "6.2"
},
{
"model": "node.js",
"scope": "lte",
"trust": 1.0,
"vendor": "nodejs",
"version": "10.12.0"
},
{
"model": "node.js",
"scope": "gte",
"trust": 1.0,
"vendor": "nodejs",
"version": "12.13.0"
},
{
"model": "simatic cp 1242-7 gprs v2",
"scope": "gte",
"trust": 1.0,
"vendor": "siemens",
"version": "3.1"
},
{
"model": "web gateway",
"scope": "eq",
"trust": 1.0,
"vendor": "mcafee",
"version": "8.2.19"
},
{
"model": "quantum security gateway",
"scope": "eq",
"trust": 1.0,
"vendor": "checkpoint",
"version": "r80.40"
},
{
"model": "simatic net cp 1545-1",
"scope": "gte",
"trust": 1.0,
"vendor": "siemens",
"version": "1.0"
},
{
"model": "simatic cloud connect 7",
"scope": "gte",
"trust": 1.0,
"vendor": "siemens",
"version": "1.1"
},
{
"model": "node.js",
"scope": "gte",
"trust": 1.0,
"vendor": "nodejs",
"version": "15.0.0"
},
{
"model": "simatic net cp 1243-8 irc",
"scope": "gte",
"trust": 1.0,
"vendor": "siemens",
"version": "3.1"
},
{
"model": "scalance w1700",
"scope": "gte",
"trust": 1.0,
"vendor": "siemens",
"version": "2.0"
},
{
"model": "node.js",
"scope": "gte",
"trust": 1.0,
"vendor": "nodejs",
"version": "14.15.0"
},
{
"model": "simatic net cp 1543-1",
"scope": "gte",
"trust": 1.0,
"vendor": "siemens",
"version": "2.2"
},
{
"model": "hitachi ops center analyzer viewpoint",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "storagegrid",
"scope": null,
"trust": 0.8,
"vendor": "netapp",
"version": null
},
{
"model": "ontap select deploy administration utility",
"scope": null,
"trust": 0.8,
"vendor": "netapp",
"version": null
},
{
"model": "quantum security gateway",
"scope": null,
"trust": 0.8,
"vendor": "\u30c1\u30a7\u30c3\u30af \u30dd\u30a4\u30f3\u30c8 \u30bd\u30d5\u30c8\u30a6\u30a7\u30a2 \u30c6\u30af\u30ce\u30ed\u30b8\u30fc\u30ba",
"version": null
},
{
"model": "tenable.sc",
"scope": null,
"trust": 0.8,
"vendor": "tenable",
"version": null
},
{
"model": "nessus",
"scope": null,
"trust": 0.8,
"vendor": "tenable",
"version": null
},
{
"model": "oncommand workflow automation",
"scope": null,
"trust": 0.8,
"vendor": "netapp",
"version": null
},
{
"model": "freebsd",
"scope": null,
"trust": 0.8,
"vendor": "freebsd",
"version": null
},
{
"model": "hitachi ops center common services",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "santricity smi-s provider",
"scope": null,
"trust": 0.8,
"vendor": "netapp",
"version": null
},
{
"model": "mcafee web gateway \u30bd\u30d5\u30c8\u30a6\u30a7\u30a2",
"scope": null,
"trust": 0.8,
"vendor": "\u30de\u30ab\u30d5\u30a3\u30fc",
"version": null
},
{
"model": "e-series performance analyzer",
"scope": null,
"trust": 0.8,
"vendor": "netapp",
"version": null
},
{
"model": "fedora",
"scope": null,
"trust": 0.8,
"vendor": "fedora",
"version": null
},
{
"model": "jp1/file transmission server/ftp",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "quantum security management",
"scope": null,
"trust": 0.8,
"vendor": "\u30c1\u30a7\u30c3\u30af \u30dd\u30a4\u30f3\u30c8 \u30bd\u30d5\u30c8\u30a6\u30a7\u30a2 \u30c6\u30af\u30ce\u30ed\u30b8\u30fc\u30ba",
"version": null
},
{
"model": "openssl",
"scope": null,
"trust": 0.8,
"vendor": "openssl",
"version": null
},
{
"model": "cloud volumes ontap \u30e1\u30c7\u30a3\u30a8\u30fc\u30bf",
"scope": null,
"trust": 0.8,
"vendor": "netapp",
"version": null
},
{
"model": "jp1/base",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "gnu/linux",
"scope": null,
"trust": 0.8,
"vendor": "debian",
"version": null
},
{
"model": "web gateway cloud service",
"scope": null,
"trust": 0.8,
"vendor": "\u30de\u30ab\u30d5\u30a3\u30fc",
"version": null
},
{
"model": "multi-domain management",
"scope": null,
"trust": 0.8,
"vendor": "\u30c1\u30a7\u30c3\u30af \u30dd\u30a4\u30f3\u30c8 \u30bd\u30d5\u30c8\u30a6\u30a7\u30a2 \u30c6\u30af\u30ce\u30ed\u30b8\u30fc\u30ba",
"version": null
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-001383"
},
{
"db": "NVD",
"id": "CVE-2021-3449"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Red Hat",
"sources": [
{
"db": "PACKETSTORM",
"id": "162694"
},
{
"db": "PACKETSTORM",
"id": "163257"
},
{
"db": "PACKETSTORM",
"id": "162383"
},
{
"db": "PACKETSTORM",
"id": "162076"
},
{
"db": "PACKETSTORM",
"id": "162013"
},
{
"db": "PACKETSTORM",
"id": "162200"
},
{
"db": "PACKETSTORM",
"id": "162197"
},
{
"db": "PACKETSTORM",
"id": "162189"
}
],
"trust": 0.8
},
"cve": "CVE-2021-3449",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CVE-2021-3449",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "VHN-388130",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:N/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitabilityScore": 2.2,
"id": "CVE-2021-3449",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
{
"attackComplexity": "High",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 5.9,
"baseSeverity": "Medium",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2021-3449",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2021-3449",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2021-3449",
"trust": 0.8,
"value": "Medium"
},
{
"author": "VULHUB",
"id": "VHN-388130",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-388130"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-001383"
},
{
"db": "NVD",
"id": "CVE-2021-3449"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j). The product supports a variety of encryption algorithms, including symmetric ciphers, hash algorithms, secure hash algorithms, etc. Summary:\n\nOpenshift Serverless 1.10.2 is now available. This version of the OpenShift Serverless\nOperator is supported on Red Hat OpenShift Container Platform version 4.5. Solution:\n\nSee the documentation at:\nhttps://access.redhat.com/documentation/en-us/openshift_container_platform/\n4.5/html/serverless_applications/index\n\n4. \n\nBug Fix(es):\n\n* WMCO patch pub-key-hash annotation to Linux node (BZ#1945248)\n\n* LoadBalancer Service type with invalid external loadbalancer IP breaks\nthe datapath (BZ#1952917)\n\n* Telemetry info not completely available to identify windows nodes\n(BZ#1955319)\n\n* WMCO incorrectly shows node as ready after a failed configuration\n(BZ#1956412)\n\n* kube-proxy service terminated unexpectedly after recreated LB service\n(BZ#1963263)\n\n3. Solution:\n\nFor Windows Machine Config Operator upgrades, see the following\ndocumentation:\n\nhttps://docs.openshift.com/container-platform/4.7/windows_containers/window\ns-node-upgrades.html\n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1945248 - WMCO patch pub-key-hash annotation to Linux node\n1946538 - CVE-2021-25736 kubernetes: LoadBalancer Service type don\u0027t create a HNS policy for empty or invalid external loadbalancer IP, what could lead to MITM\n1952917 - LoadBalancer Service type with invalid external loadbalancer IP breaks the datapath\n1955319 - Telemetry info not completely available to identify windows nodes\n1956412 - WMCO incorrectly shows node as ready after a failed configuration\n1963263 - kube-proxy service terminated unexpectedly after recreated LB service\n\n5. Description:\n\nRed Hat Advanced Cluster Management for Kubernetes 2.0.10 images\n\nRed Hat Advanced Cluster Management for Kubernetes provides the\ncapabilities to address common challenges that administrators and site\nreliability engineers face as they work across a range of public and\nprivate cloud environments. Clusters and applications are all visible and\nmanaged from a single console\u2014with security policy built in. \n\nBug fix:\n\n* RHACM 2.0.10 images (BZ #1940452)\n\n3. Bugs fixed (https://bugzilla.redhat.com/):\n\n1940452 - RHACM 2.0.10 images\n1944286 - CVE-2021-23358 nodejs-underscore: Arbitrary code execution via the template function\n\n5. ==========================================================================\nUbuntu Security Notice USN-4891-1\nMarch 25, 2021\n\nopenssl vulnerability\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 20.10\n- Ubuntu 20.04 LTS\n- Ubuntu 18.04 LTS\n\nSummary:\n\nOpenSSL could be made to crash or run programs if it received specially\ncrafted network traffic. A remote attacker could use this issue to cause\nOpenSSL to crash, resulting in a denial of service, or possibly execute\narbitrary code. \n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 20.10:\n libssl1.1 1.1.1f-1ubuntu4.3\n\nUbuntu 20.04 LTS:\n libssl1.1 1.1.1f-1ubuntu2.3\n\nUbuntu 18.04 LTS:\n libssl1.1 1.1.1-1ubuntu2.1~18.04.9\n\nAfter a standard system update you need to reboot your computer to make\nall the necessary changes. 8) - aarch64, ppc64le, s390x, x86_64\n\n3. Description:\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and\nTransport Layer Security (TLS) protocols, as well as a full-strength\ngeneral-purpose cryptography library. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nFor the update to take effect, all services linked to the OpenSSL library\nmust be restarted, or the system rebooted. Package List:\n\nRed Hat Enterprise Linux BaseOS (v. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP7 security update\nAdvisory ID: RHSA-2021:1200-01\nProduct: Red Hat JBoss Core Services\nAdvisory URL: https://access.redhat.com/errata/RHSA-2021:1200\nIssue date: 2021-04-14\nCVE Names: CVE-2021-3449 CVE-2021-3450\n====================================================================\n1. Summary:\n\nRed Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 7 zip\nrelease for RHEL 7, RHEL 8 and Microsoft Windows is available. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Description:\n\nRed Hat JBoss Core Services is a set of supplementary software for Red Hat\nJBoss middleware products. This software, such as Apache HTTP Server, is\ncommon to multiple JBoss middleware products, and is packaged under Red Hat\nJBoss Core Services to allow for faster distribution of updates, and for a\nmore consistent update experience. \n\nThis release adds the new Apache HTTP Server 2.4.37 Service Pack 7 packages\nthat are part of the JBoss Core Services offering. \n\nThis release serves as a replacement for Red Hat JBoss Core Services Pack\nApache Server 2.4.37 Service Pack 6 and includes bug fixes and\nenhancements. Refer to the Release Notes for information on the most\nsignificant bug fixes and enhancements included in this release. \n\nSecurity fix(es):\n\n* openssl: NULL pointer deref in signature_algorithms processing\n(CVE-2021-3449)\n\n* openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT\n(CVE-2021-3450)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\n3. Solution:\n\nBefore applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on. \n\nThe References section of this erratum contains a download link for the\nupdate. You must be logged in to download the update. \n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1941547 - CVE-2021-3450 openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT\n1941554 - CVE-2021-3449 openssl: NULL pointer dereference in signature_algorithms processing\n\n5. References:\n\nhttps://access.redhat.com/security/cve/CVE-2021-3449\nhttps://access.redhat.com/security/cve/CVE-2021-3450\nhttps://access.redhat.com/security/updates/classification/#important\nhttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.apachehttp\u0026downloadType=securityPatches\u0026version=2.4.37\n\n6. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2021 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBYHcRztzjgjWX9erEAQi2UA//ZnBZbF6yu43LNZh8SpIsZt25+kmRXpPO\n24bitxkguIp8Mbf6aysizioKh10TgUzJAZL/xwzVGaf1YTtGXEiiQZvl+qetQhal\nCYcQUX9iRTbN3LL5sT0es8qIc9pXnVSh9YCRaa2i3l9KWlPWA2U0R4OfrAmGIjUe\nVG3tJ92HhtdeEx0VOHC+X6e7bDMoGQboT7cDJsP/xn8abWrBn9pQYfh7Ej/4qwMK\n8sm6M7KcMcl2Sxjv0PB5obmZWBILWiTwHrJu6M3D6HBMJ4IdA0+DrDjf5U3NW6xp\nuYmmkKkw18juBkRyLBFG0Xnm8JUh9t50zRL5XbI5rcv8w+puqcuLuNWD83L+fIFE\nZ7eDdVaf0TYljefjbiZP/An2vjiOJ6Tm7nO79lrCI/g7Oax+/oK0/ClDpLuwVKtB\nhz7f5VrK2+q+qDRvXk65Ala9kMHvhkr7s2/64/UMcvqpnTSkzypFORSdj+UBevUb\na+2ClrFEeokOXZxvZGQQxvu6do8roy2vrpLgNmxaDf65JZk5R4NlC3J4SbEjwBTT\nWg4bnZRXHi+T8OL3fmPTnNsEMOAdH3kwUfgzIbj9o6wFzoZiKYRUk9qQv8jb1G9K\nx0qnCqtrwqzBBUs+ntXfTguTOba7JYx7aWH6ieBOIb5tapLJw7xOlVWbE1d29BCy\nCkeZnyNSON8=u60F\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n. It is comprised of the Apache\nTomcat Servlet container, JBoss HTTP Connector (mod_cluster), the\nPicketLink Vault extension for Apache Tomcat, and the Tomcat Native\nlibrary. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-3449"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-001383"
},
{
"db": "VULHUB",
"id": "VHN-388130"
},
{
"db": "PACKETSTORM",
"id": "162694"
},
{
"db": "PACKETSTORM",
"id": "163257"
},
{
"db": "PACKETSTORM",
"id": "162383"
},
{
"db": "PACKETSTORM",
"id": "162076"
},
{
"db": "PACKETSTORM",
"id": "161984"
},
{
"db": "PACKETSTORM",
"id": "162013"
},
{
"db": "PACKETSTORM",
"id": "162200"
},
{
"db": "PACKETSTORM",
"id": "162197"
},
{
"db": "PACKETSTORM",
"id": "162189"
}
],
"trust": 2.52
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-3449",
"trust": 2.8
},
{
"db": "TENABLE",
"id": "TNS-2021-06",
"trust": 1.1
},
{
"db": "TENABLE",
"id": "TNS-2021-09",
"trust": 1.1
},
{
"db": "TENABLE",
"id": "TNS-2021-05",
"trust": 1.1
},
{
"db": "TENABLE",
"id": "TNS-2021-10",
"trust": 1.1
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2021/03/28/3",
"trust": 1.1
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2021/03/27/2",
"trust": 1.1
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2021/03/28/4",
"trust": 1.1
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2021/03/27/1",
"trust": 1.1
},
{
"db": "SIEMENS",
"id": "SSA-772220",
"trust": 1.1
},
{
"db": "SIEMENS",
"id": "SSA-389290",
"trust": 1.1
},
{
"db": "PULSESECURE",
"id": "SA44845",
"trust": 1.1
},
{
"db": "MCAFEE",
"id": "SB10356",
"trust": 1.1
},
{
"db": "JVN",
"id": "JVNVU92126369",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2021-001383",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "162197",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "162076",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "163257",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "162013",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "162383",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "162189",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "161984",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "162200",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "162114",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "162350",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "162041",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "162183",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "162699",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "162337",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "162151",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "162196",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "162172",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "162201",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "162307",
"trust": 0.1
},
{
"db": "SEEBUG",
"id": "SSVID-99170",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-388130",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "162694",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-388130"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-001383"
},
{
"db": "PACKETSTORM",
"id": "162694"
},
{
"db": "PACKETSTORM",
"id": "163257"
},
{
"db": "PACKETSTORM",
"id": "162383"
},
{
"db": "PACKETSTORM",
"id": "162076"
},
{
"db": "PACKETSTORM",
"id": "161984"
},
{
"db": "PACKETSTORM",
"id": "162013"
},
{
"db": "PACKETSTORM",
"id": "162200"
},
{
"db": "PACKETSTORM",
"id": "162197"
},
{
"db": "PACKETSTORM",
"id": "162189"
},
{
"db": "NVD",
"id": "CVE-2021-3449"
}
]
},
"id": "VAR-202103-1464",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-388130"
}
],
"trust": 0.6742040990624999
},
"last_update_date": "2024-11-29T22:12:22.747000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "hitachi-sec-2021-119 Software product security information",
"trust": 0.8,
"url": "https://www.debian.org/security/2021/dsa-4875"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-001383"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-476",
"trust": 1.1
},
{
"problemtype": "NULL Pointer dereference (CWE-476) [NVD Evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-388130"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-001383"
},
{
"db": "NVD",
"id": "CVE-2021-3449"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3449"
},
{
"trust": 1.1,
"url": "https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-openssl-2021-ghy28djd"
},
{
"trust": 1.1,
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
},
{
"trust": 1.1,
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf"
},
{
"trust": 1.1,
"url": "https://kb.pulsesecure.net/articles/pulse_security_advisories/sa44845"
},
{
"trust": 1.1,
"url": "https://psirt.global.sonicwall.com/vuln-detail/snwlid-2021-0013"
},
{
"trust": 1.1,
"url": "https://security.netapp.com/advisory/ntap-20210326-0006/"
},
{
"trust": 1.1,
"url": "https://security.netapp.com/advisory/ntap-20210513-0002/"
},
{
"trust": 1.1,
"url": "https://www.openssl.org/news/secadv/20210325.txt"
},
{
"trust": 1.1,
"url": "https://www.tenable.com/security/tns-2021-05"
},
{
"trust": 1.1,
"url": "https://www.tenable.com/security/tns-2021-06"
},
{
"trust": 1.1,
"url": "https://www.tenable.com/security/tns-2021-09"
},
{
"trust": 1.1,
"url": "https://www.tenable.com/security/tns-2021-10"
},
{
"trust": 1.1,
"url": "https://www.debian.org/security/2021/dsa-4875"
},
{
"trust": 1.1,
"url": "https://security.gentoo.org/glsa/202103-03"
},
{
"trust": 1.1,
"url": "https://security.freebsd.org/advisories/freebsd-sa-21:07.openssl.asc"
},
{
"trust": 1.1,
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"trust": 1.1,
"url": "https://www.oracle.com/security-alerts/cpuapr2021.html"
},
{
"trust": 1.1,
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"trust": 1.1,
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"trust": 1.1,
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"trust": 1.1,
"url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00029.html"
},
{
"trust": 1.1,
"url": "http://www.openwall.com/lists/oss-security/2021/03/27/1"
},
{
"trust": 1.1,
"url": "http://www.openwall.com/lists/oss-security/2021/03/27/2"
},
{
"trust": 1.1,
"url": "http://www.openwall.com/lists/oss-security/2021/03/28/3"
},
{
"trust": 1.1,
"url": "http://www.openwall.com/lists/oss-security/2021/03/28/4"
},
{
"trust": 1.0,
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3ba=commitdiff%3bh=fb9fa6b51defd48157eeb207f52181f735d96148"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ccbfllvqvilivgzmbjl3ixzgkwqisynp/"
},
{
"trust": 1.0,
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=sb10356"
},
{
"trust": 1.0,
"url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
},
{
"trust": 0.8,
"url": "https://jvn.jp/vu/jvnvu92126369/"
},
{
"trust": 0.8,
"url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2021-3449"
},
{
"trust": 0.8,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2021-3450"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3450"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2021-20305"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-20305"
},
{
"trust": 0.1,
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fb9fa6b51defd48157eeb207f52181f735d96148"
},
{
"trust": 0.1,
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026amp;id=sb10356"
},
{
"trust": 0.1,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ccbfllvqvilivgzmbjl3ixzgkwqisynp/"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-20454"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-20916"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-19221"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-20907"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-19906"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-13050"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-20907"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-13631"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-14422"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-7595"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-13632"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/openshift_container_platform/"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-8492"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-16168"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9327"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-13630"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-20387"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/openshift_container_platform/4.5/html/serverless_applications/index"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-5018"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-20218"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2018-1000858"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3115"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-13050"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-14889"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-1730"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9327"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-16935"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-19906"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-13627"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-19221"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-6405"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-20388"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3114"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-20843"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-1000858"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-20388"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-15903"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2018-20843"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:2021"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-13631"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-20387"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-8492"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-5018"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-19956"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-13632"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-15903"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-14422"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-13627"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-13630"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14889"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-1730"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-6405"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-19956"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-16935"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-20218"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-20454"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-7595"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-16168"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-20916"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-25013"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-29362"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-25736"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-29361"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:2130"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-2708"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-8286"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-8284"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-28196"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-15358"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-27219"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-15358"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-8927"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-13434"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2017-14502"
},
{
"trust": 0.1,
"url": "https://docs.openshift.com/container-platform/4.7/windows_containers/window"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-29362"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-8285"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-8285"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-14502"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-8286"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-29363"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-9169"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-10228"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-27618"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-8927"
},
{
"trust": 0.1,
"url": "https://issues.jboss.org/):"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-3842"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-13434"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3326"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-25736"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-2708"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-13776"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2016-10228"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-29363"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-24977"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-3842"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-13776"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-25013"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-8231"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-9169"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3326"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-8231"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-27219"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-8284"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-24977"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-29361"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-27618"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-28196"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-23358"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-27363"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_mana"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-15586"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3347"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-28374"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-28362"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-23358"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-27364"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-26708"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-27365"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-0466"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-27152"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-27363"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-16845"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-27152"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3347"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-16845"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-27365"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-0466"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-28362"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-15586"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-27364"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:1448"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-28374"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-26708"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:1063"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openssl/1.1.1-1ubuntu2.1~18.04.9"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openssl/1.1.1f-1ubuntu4.3"
},
{
"trust": 0.1,
"url": "https://ubuntu.com/security/notices/usn-4891-1"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openssl/1.1.1f-1ubuntu2.3"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:1024"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:1203"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:1200"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=core.service.apachehttp\u0026downloadtype=securitypatches\u0026version=2.4.37"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:1195"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-388130"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-001383"
},
{
"db": "PACKETSTORM",
"id": "162694"
},
{
"db": "PACKETSTORM",
"id": "163257"
},
{
"db": "PACKETSTORM",
"id": "162383"
},
{
"db": "PACKETSTORM",
"id": "162076"
},
{
"db": "PACKETSTORM",
"id": "161984"
},
{
"db": "PACKETSTORM",
"id": "162013"
},
{
"db": "PACKETSTORM",
"id": "162200"
},
{
"db": "PACKETSTORM",
"id": "162197"
},
{
"db": "PACKETSTORM",
"id": "162189"
},
{
"db": "NVD",
"id": "CVE-2021-3449"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-388130"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-001383"
},
{
"db": "PACKETSTORM",
"id": "162694"
},
{
"db": "PACKETSTORM",
"id": "163257"
},
{
"db": "PACKETSTORM",
"id": "162383"
},
{
"db": "PACKETSTORM",
"id": "162076"
},
{
"db": "PACKETSTORM",
"id": "161984"
},
{
"db": "PACKETSTORM",
"id": "162013"
},
{
"db": "PACKETSTORM",
"id": "162200"
},
{
"db": "PACKETSTORM",
"id": "162197"
},
{
"db": "PACKETSTORM",
"id": "162189"
},
{
"db": "NVD",
"id": "CVE-2021-3449"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-03-25T00:00:00",
"db": "VULHUB",
"id": "VHN-388130"
},
{
"date": "2021-05-06T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-001383"
},
{
"date": "2021-05-19T14:19:18",
"db": "PACKETSTORM",
"id": "162694"
},
{
"date": "2021-06-23T15:44:15",
"db": "PACKETSTORM",
"id": "163257"
},
{
"date": "2021-04-29T14:37:49",
"db": "PACKETSTORM",
"id": "162383"
},
{
"date": "2021-04-05T15:16:03",
"db": "PACKETSTORM",
"id": "162076"
},
{
"date": "2021-03-26T14:15:18",
"db": "PACKETSTORM",
"id": "161984"
},
{
"date": "2021-03-30T14:07:13",
"db": "PACKETSTORM",
"id": "162013"
},
{
"date": "2021-04-15T13:50:30",
"db": "PACKETSTORM",
"id": "162200"
},
{
"date": "2021-04-15T13:50:04",
"db": "PACKETSTORM",
"id": "162197"
},
{
"date": "2021-04-14T16:50:04",
"db": "PACKETSTORM",
"id": "162189"
},
{
"date": "2021-03-25T15:15:13.450000",
"db": "NVD",
"id": "CVE-2021-3449"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-08-29T00:00:00",
"db": "VULHUB",
"id": "VHN-388130"
},
{
"date": "2021-09-13T07:43:00",
"db": "JVNDB",
"id": "JVNDB-2021-001383"
},
{
"date": "2024-11-21T06:21:33.050000",
"db": "NVD",
"id": "CVE-2021-3449"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "161984"
}
],
"trust": 0.1
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "OpenSSL\u00a0 In \u00a0NULL\u00a0 Pointer dereference vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-001383"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "code execution",
"sources": [
{
"db": "PACKETSTORM",
"id": "162694"
},
{
"db": "PACKETSTORM",
"id": "162383"
}
],
"trust": 0.2
}
}
var-201706-0996
Vulnerability from variot
The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value. Apache httpd Contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Apache HTTP Server is prone to a denial-of-service vulnerability. Attackers may leverage this issue to cause a denial-of-service condition, denying service to legitimate users. Apache HTTP Server 2.2.32 and 2.4.25 are vulnerable. ========================================================================== Ubuntu Security Notice USN-3373-1 July 31, 2017
apache2 vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 ESM
Summary:
Several security issues were fixed in Apache HTTP Server. This update adds a new ap_get_basic_auth_components() function for use by third-party modules. (CVE-2017-3167)
Vasileios Panopoulos discovered that the Apache mod_ssl module may crash when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port. (CVE-2017-3169)
Javier JimA(c)nez discovered that the Apache HTTP Server incorrectly handled parsing certain requests. (CVE-2017-7679)
David Dennerline and RA(c)gis Leroy discovered that the Apache HTTP Server incorrectly handled unusual whitespace when parsing requests, contrary to specifications. This update may introduce compatibility issues with clients that do not strictly follow HTTP protocol specifications. A new configuration option "HttpProtocolOptions Unsafe" can be used to revert to the previous unsafe behaviour in problematic environments. (CVE-2016-8743)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 12.04 ESM: A apache2.2-binA A A A A A A A A A A A A A A A A A A 2.2.22-1ubuntu1.12
In general, a standard system update will make all the necessary changes. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201710-32
https://security.gentoo.org/
Severity: Normal Title: Apache: Multiple vulnerabilities Date: October 29, 2017 Bugs: #622240, #624868, #631308 ID: 201710-32
Synopsis
Multiple vulnerabilities have been found in Apache, the worst of which may result in the loss of secrets.
Affected packages
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-servers/apache < 2.4.27-r1 >= 2.4.27-r1
Description
Multiple vulnerabilities have been discovered in Apache. Please review the referenced CVE identifiers for details.
Impact
The Optionsbleed vulnerability can leak arbitrary memory from the server process that may contain secrets.
Workaround
There is no known workaround at this time.
Resolution
All Apache users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/apache-2.4.27-r1"
References
[ 1 ] CVE-2017-3167 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3167 [ 2 ] CVE-2017-3169 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3169 [ 3 ] CVE-2017-7659 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7659 [ 4 ] CVE-2017-7668 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7668 [ 5 ] CVE-2017-7679 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7679 [ 6 ] CVE-2017-9788 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9788 [ 7 ] CVE-2017-9789 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9789 [ 8 ] CVE-2017-9798 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/201710-32
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2017 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5 . 7) - x86_64
- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
===================================================================== Red Hat Security Advisory
Synopsis: Important: httpd24-httpd security update Advisory ID: RHSA-2017:2483-01 Product: Red Hat Software Collections Advisory URL: https://access.redhat.com/errata/RHSA-2017:2483 Issue date: 2017-08-16 CVE Names: CVE-2017-3167 CVE-2017-3169 CVE-2017-7659 CVE-2017-7668 CVE-2017-7679 CVE-2017-9788 =====================================================================
- Summary:
An update for httpd24-httpd is now available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
Security Fix(es):
-
It was discovered that the httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause httpd child process to crash by sending specially crafted requests to a server. (CVE-2017-9788)
-
It was discovered that the use of httpd's ap_get_basic_auth_pw() API function outside of the authentication phase could lead to authentication bypass. A remote attacker could possibly use this flaw to bypass required authentication if the API was used incorrectly by one of the modules used by httpd. (CVE-2017-3167)
-
A NULL pointer dereference flaw was found in the httpd's mod_ssl module. A remote attacker could use this flaw to cause an httpd child process to crash if another module used by httpd called a certain API function during the processing of an HTTPS request. (CVE-2017-3169)
-
A NULL pointer dereference flaw was found in the mod_http2 module of httpd. A remote attacker could use this flaw to cause httpd child process to crash via a specially crafted HTTP/2 request. (CVE-2017-7659)
-
A buffer over-read flaw was found in the httpd's ap_find_token() function. A remote attacker could use this flaw to cause httpd child process to crash via a specially crafted HTTP request. (CVE-2017-7668)
-
A buffer over-read flaw was found in the httpd's mod_mime module. A user permitted to modify httpd's MIME configuration could use this flaw to cause httpd child process to crash. (CVE-2017-7679)
-
Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the updated packages, the httpd daemon will be restarted automatically.
- Bugs fixed (https://bugzilla.redhat.com/):
1463194 - CVE-2017-3167 httpd: ap_get_basic_auth_pw() authentication bypass 1463197 - CVE-2017-3169 httpd: mod_ssl NULL pointer dereference 1463199 - CVE-2017-7659 httpd: mod_http2 NULL pointer dereference 1463205 - CVE-2017-7668 httpd: ap_find_token() buffer overread 1463207 - CVE-2017-7679 httpd: mod_mime buffer overread 1470748 - CVE-2017-9788 httpd: Uninitialized memory reflection in mod_auth_digest
- Package List:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):
Source: httpd24-httpd-2.4.25-9.el6.1.src.rpm
noarch: httpd24-httpd-manual-2.4.25-9.el6.1.noarch.rpm
x86_64: httpd24-httpd-2.4.25-9.el6.1.x86_64.rpm httpd24-httpd-debuginfo-2.4.25-9.el6.1.x86_64.rpm httpd24-httpd-devel-2.4.25-9.el6.1.x86_64.rpm httpd24-httpd-tools-2.4.25-9.el6.1.x86_64.rpm httpd24-mod_ldap-2.4.25-9.el6.1.x86_64.rpm httpd24-mod_proxy_html-2.4.25-9.el6.1.x86_64.rpm httpd24-mod_session-2.4.25-9.el6.1.x86_64.rpm httpd24-mod_ssl-2.4.25-9.el6.1.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7):
Source: httpd24-httpd-2.4.25-9.el6.1.src.rpm
noarch: httpd24-httpd-manual-2.4.25-9.el6.1.noarch.rpm
x86_64: httpd24-httpd-2.4.25-9.el6.1.x86_64.rpm httpd24-httpd-debuginfo-2.4.25-9.el6.1.x86_64.rpm httpd24-httpd-devel-2.4.25-9.el6.1.x86_64.rpm httpd24-httpd-tools-2.4.25-9.el6.1.x86_64.rpm httpd24-mod_ldap-2.4.25-9.el6.1.x86_64.rpm httpd24-mod_proxy_html-2.4.25-9.el6.1.x86_64.rpm httpd24-mod_session-2.4.25-9.el6.1.x86_64.rpm httpd24-mod_ssl-2.4.25-9.el6.1.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):
Source: httpd24-httpd-2.4.25-9.el6.1.src.rpm
noarch: httpd24-httpd-manual-2.4.25-9.el6.1.noarch.rpm
x86_64: httpd24-httpd-2.4.25-9.el6.1.x86_64.rpm httpd24-httpd-debuginfo-2.4.25-9.el6.1.x86_64.rpm httpd24-httpd-devel-2.4.25-9.el6.1.x86_64.rpm httpd24-httpd-tools-2.4.25-9.el6.1.x86_64.rpm httpd24-mod_ldap-2.4.25-9.el6.1.x86_64.rpm httpd24-mod_proxy_html-2.4.25-9.el6.1.x86_64.rpm httpd24-mod_session-2.4.25-9.el6.1.x86_64.rpm httpd24-mod_ssl-2.4.25-9.el6.1.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source: httpd24-httpd-2.4.25-9.el7.1.src.rpm
noarch: httpd24-httpd-manual-2.4.25-9.el7.1.noarch.rpm
x86_64: httpd24-httpd-2.4.25-9.el7.1.x86_64.rpm httpd24-httpd-debuginfo-2.4.25-9.el7.1.x86_64.rpm httpd24-httpd-devel-2.4.25-9.el7.1.x86_64.rpm httpd24-httpd-tools-2.4.25-9.el7.1.x86_64.rpm httpd24-mod_ldap-2.4.25-9.el7.1.x86_64.rpm httpd24-mod_proxy_html-2.4.25-9.el7.1.x86_64.rpm httpd24-mod_session-2.4.25-9.el7.1.x86_64.rpm httpd24-mod_ssl-2.4.25-9.el7.1.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3):
Source: httpd24-httpd-2.4.25-9.el7.1.src.rpm
noarch: httpd24-httpd-manual-2.4.25-9.el7.1.noarch.rpm
x86_64: httpd24-httpd-2.4.25-9.el7.1.x86_64.rpm httpd24-httpd-debuginfo-2.4.25-9.el7.1.x86_64.rpm httpd24-httpd-devel-2.4.25-9.el7.1.x86_64.rpm httpd24-httpd-tools-2.4.25-9.el7.1.x86_64.rpm httpd24-mod_ldap-2.4.25-9.el7.1.x86_64.rpm httpd24-mod_proxy_html-2.4.25-9.el7.1.x86_64.rpm httpd24-mod_session-2.4.25-9.el7.1.x86_64.rpm httpd24-mod_ssl-2.4.25-9.el7.1.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):
Source: httpd24-httpd-2.4.25-9.el7.1.src.rpm
noarch: httpd24-httpd-manual-2.4.25-9.el7.1.noarch.rpm
x86_64: httpd24-httpd-2.4.25-9.el7.1.x86_64.rpm httpd24-httpd-debuginfo-2.4.25-9.el7.1.x86_64.rpm httpd24-httpd-devel-2.4.25-9.el7.1.x86_64.rpm httpd24-httpd-tools-2.4.25-9.el7.1.x86_64.rpm httpd24-mod_ldap-2.4.25-9.el7.1.x86_64.rpm httpd24-mod_proxy_html-2.4.25-9.el7.1.x86_64.rpm httpd24-mod_session-2.4.25-9.el7.1.x86_64.rpm httpd24-mod_ssl-2.4.25-9.el7.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2017-3167 https://access.redhat.com/security/cve/CVE-2017-3169 https://access.redhat.com/security/cve/CVE-2017-7659 https://access.redhat.com/security/cve/CVE-2017-7668 https://access.redhat.com/security/cve/CVE-2017-7679 https://access.redhat.com/security/cve/CVE-2017-9788 https://access.redhat.com/security/updates/classification/#important
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iD8DBQFZlNCpXlSAg2UNWIIRArzwAJwNfAuroR6X18rUh+zmjiMy5iBkdwCeJF6e 4v4GwWYC+5xG0xxXzTEQyAg= =UV+2 -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . 7.2) - ppc64, ppc64le, s390x, x86_64
-
(CVE-2017-7679)
-
A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. (CVE-2017-9798)
Red Hat would like to thank Hanno BAPck for reporting CVE-2017-9798
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201706-0996",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "http server",
"scope": "eq",
"trust": 1.6,
"vendor": "apache",
"version": "2.2.32"
},
{
"model": "http server",
"scope": "eq",
"trust": 1.6,
"vendor": "apache",
"version": "2.4.25"
},
{
"model": "enterprise linux server tus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.7"
},
{
"model": "enterprise linux eus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.2"
},
{
"model": "enterprise linux eus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.6"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "10.11.6"
},
{
"model": "enterprise linux eus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.4"
},
{
"model": "enterprise linux server tus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.2"
},
{
"model": "enterprise linux server tus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.6"
},
{
"model": "mac os x",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.12.0"
},
{
"model": "clustered data ontap",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "enterprise linux server tus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.4"
},
{
"model": "enterprise linux workstation",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.0"
},
{
"model": "enterprise linux server",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.0"
},
{
"model": "enterprise linux eus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.5"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "9.0"
},
{
"model": "oncommand unified manager",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "enterprise linux server aus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.7"
},
{
"model": "mac os x",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "10.11.6"
},
{
"model": "storagegrid",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "enterprise linux eus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.3"
},
{
"model": "enterprise linux server aus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.2"
},
{
"model": "enterprise linux server aus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.6"
},
{
"model": "enterprise linux server tus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.3"
},
{
"model": "enterprise linux server aus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.4"
},
{
"model": "mac os x",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "10.12.6"
},
{
"model": "enterprise linux desktop",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.0"
},
{
"model": "http server",
"scope": "eq",
"trust": 1.0,
"vendor": "apache",
"version": "2.4.24"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "8.0"
},
{
"model": "mac os x",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "10.11.0"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "10.12.6"
},
{
"model": "enterprise linux server aus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.3"
},
{
"model": "mac os x",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "10.13.1"
},
{
"model": "enterprise linux eus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.7"
},
{
"model": "secure global desktop",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "5.3"
},
{
"model": "httpd",
"scope": null,
"trust": 0.8,
"vendor": "apache",
"version": null
},
{
"model": "spoolserver/winspool series",
"scope": "eq",
"trust": 0.8,
"vendor": "nec",
"version": "reportfiling ver5.2 ~ 6.2"
},
{
"model": "cosminexus http server",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "application server",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "application server for developers",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "automation director",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "compute systems manager",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "none"
},
{
"model": "compute systems manager",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "software"
},
{
"model": "configuration manager",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "device manager",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "software"
},
{
"model": "global link manager",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "none"
},
{
"model": "global link manager",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "software"
},
{
"model": "infrastructure analytics advisor",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "replication manager",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "none"
},
{
"model": "replication manager",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "software"
},
{
"model": "tiered storage manager",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "none"
},
{
"model": "tiered storage manager",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "software"
},
{
"model": "tuning manager",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "none"
},
{
"model": "tuning manager",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "software"
},
{
"model": "web server",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "none"
},
{
"model": "web server",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "- custom edition"
},
{
"model": "web server",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "- security edition"
},
{
"model": "ucosminexus application server",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "none"
},
{
"model": "ucosminexus application server",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "(64)"
},
{
"model": "ucosminexus application server",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "-r"
},
{
"model": "ucosminexus application server",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "express"
},
{
"model": "ucosminexus application server",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "standard-r"
},
{
"model": "ucosminexus application server enterprise",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "ucosminexus application server smart edition",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "ucosminexus application server standard",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "ucosminexus developer",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "none"
},
{
"model": "ucosminexus developer",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "01"
},
{
"model": "ucosminexus developer",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "professional"
},
{
"model": "ucosminexus developer",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "professional for plug-in"
},
{
"model": "ucosminexus developer light",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "ucosminexus developer standard",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "ucosminexus primary server",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "base"
},
{
"model": "ucosminexus primary server",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "base(64)"
},
{
"model": "ucosminexus service architect",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "ucosminexus service platform",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "none"
},
{
"model": "ucosminexus service platform",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "(64)"
},
{
"model": "ucosminexus service platform",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "- messaging"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.6,
"vendor": "apache",
"version": "2.4.12"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.6,
"vendor": "apache",
"version": "2.2.30"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.6,
"vendor": "apache",
"version": "2.4.20"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.6,
"vendor": "apache",
"version": "2.4.23"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.6,
"vendor": "apache",
"version": "2.4.2"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.6,
"vendor": "apache",
"version": "2.4.16"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.6,
"vendor": "apache",
"version": "2.4.1"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.6,
"vendor": "apache",
"version": "2.4.17"
},
{
"model": "linux",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "16.10"
},
{
"model": "linux lts",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "16.04"
},
{
"model": "linux lts",
"scope": "eq",
"trust": 0.3,
"vendor": "ubuntu",
"version": "14.04"
},
{
"model": "software collections for rhel",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "0"
},
{
"model": "jboss core services",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "1"
},
{
"model": "enterprise linux",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "7"
},
{
"model": "i",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.1"
},
{
"model": "i",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.3"
},
{
"model": "i",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.2"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.5.52"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.52"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.09"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.033"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.029"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.11"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "9.0.0.4"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "9.0.0.3"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "9.0.0.2"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "9.0.0.1"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "9.0"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.5.5.9"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.5.5.8"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.5.5.7"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.5.5.6"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.5.5.5"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.5.5.4"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.5.5.3"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.5.5.11"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.5.5.10"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.5.5.1"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.5.5"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.5.0.1"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.5"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0.0.7"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0.0.6"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0.0.5"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0.0.4"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0.0.3"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0.0.2"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0.0.13"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0.0.12"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0.0.11"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0.0.1"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.4.27"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.5"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.39"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.27"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.25"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.21"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.19"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.17"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.15"
},
{
"model": "http server",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.13"
},
{
"model": "linux sparc",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "linux s/390",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "linux powerpc",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "linux mips",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "linux ia-64",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "linux ia-32",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "linux arm",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "linux amd64",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.4.25"
},
{
"model": "apache",
"scope": "eq",
"trust": 0.3,
"vendor": "apache",
"version": "2.2.32"
},
{
"model": "http server",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "9.0.0.5"
},
{
"model": "http server",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "8.5.5.12"
},
{
"model": "http server",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "8.0.0.14"
},
{
"model": "http server",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "7.0.0.45"
},
{
"model": "apache",
"scope": "ne",
"trust": 0.3,
"vendor": "apache",
"version": "2.4.26"
},
{
"model": "2.2.33-dev",
"scope": "ne",
"trust": 0.3,
"vendor": "apache",
"version": null
}
],
"sources": [
{
"db": "BID",
"id": "99137"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-005025"
},
{
"db": "CNNVD",
"id": "CNNVD-201706-787"
},
{
"db": "NVD",
"id": "CVE-2017-7668"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:apache:httpd",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/h:nec:spoolserver_winspool",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:cosminexus_http_server",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:hitachi_application_server",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:hitachi_application_server_for_developers",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:automation_director",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:compute_systems_manager",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:configuration_manager",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:device_manager",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:global_link_manager",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:infrastructure_analytics_advisor",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:replication_manager",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:tiered_storage_manager",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:tuning_manager",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:hitachi_web_server",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:ucosminexus_application_server",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:ucosminexus_application_server_enterprise",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:ucosminexus_application_server_smart_edition",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:ucosminexus_application_server_standard",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:ucosminexus_developer",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:ucosminexus_developer_light",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:ucosminexus_developer_standard",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:ucosminexus_primary_server",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:ucosminexus_service_architect",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:hitachi:ucosminexus_service_platform",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-005025"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Red Hat",
"sources": [
{
"db": "PACKETSTORM",
"id": "143767"
},
{
"db": "PACKETSTORM",
"id": "143785"
},
{
"db": "PACKETSTORM",
"id": "144960"
},
{
"db": "PACKETSTORM",
"id": "144968"
}
],
"trust": 0.4
},
"cve": "CVE-2017-7668",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "CVE-2017-7668",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.1,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 7.5,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2017-7668",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"id": "CVE-2017-7668",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 9.8,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2017-7668",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2017-7668",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2017-7668",
"trust": 0.8,
"value": "Critical"
},
{
"author": "CNNVD",
"id": "CNNVD-201706-787",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2017-7668",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2017-7668"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-005025"
},
{
"db": "CNNVD",
"id": "CNNVD-201706-787"
},
{
"db": "NVD",
"id": "CVE-2017-7668"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value. Apache httpd Contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Apache HTTP Server is prone to a denial-of-service vulnerability. \nAttackers may leverage this issue to cause a denial-of-service condition, denying service to legitimate users. \nApache HTTP Server 2.2.32 and 2.4.25 are vulnerable. ==========================================================================\nUbuntu Security Notice USN-3373-1\nJuly 31, 2017\n\napache2 vulnerabilities\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 12.04 ESM\n\nSummary:\n\nSeveral security issues were fixed in Apache HTTP Server. This update adds a\nnew ap_get_basic_auth_components() function for use by third-party\nmodules. (CVE-2017-3167)\n\nVasileios Panopoulos discovered that the Apache mod_ssl module may\ncrash when third-party modules call ap_hook_process_connection() during\nan HTTP request to an HTTPS port. (CVE-2017-3169)\n\nJavier JimA(c)nez discovered that the Apache HTTP Server incorrectly\nhandled parsing certain requests. (CVE-2017-7679)\n\nDavid Dennerline and RA(c)gis Leroy discovered that the Apache HTTP Server\nincorrectly handled unusual whitespace when parsing requests, contrary\nto specifications. This update may\nintroduce compatibility issues with clients that do not strictly follow\nHTTP protocol specifications. A new configuration option\n\"HttpProtocolOptions Unsafe\" can be used to revert to the previous\nunsafe behaviour in problematic environments. (CVE-2016-8743)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 12.04 ESM:\nA apache2.2-binA A A A A A A A A A A A A A A A A A A 2.2.22-1ubuntu1.12\n\nIn general, a standard system update will make all the necessary\nchanges. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 201710-32\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Normal\n Title: Apache: Multiple vulnerabilities\n Date: October 29, 2017\n Bugs: #622240, #624868, #631308\n ID: 201710-32\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities have been found in Apache, the worst of which\nmay result in the loss of secrets. \n\nAffected packages\n=================\n\n -------------------------------------------------------------------\n Package / Vulnerable / Unaffected\n -------------------------------------------------------------------\n 1 www-servers/apache \u003c 2.4.27-r1 \u003e= 2.4.27-r1 \n\nDescription\n===========\n\nMultiple vulnerabilities have been discovered in Apache. Please review\nthe referenced CVE identifiers for details. \n\nImpact\n======\n\nThe Optionsbleed vulnerability can leak arbitrary memory from the\nserver process that may contain secrets. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll Apache users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=www-servers/apache-2.4.27-r1\"\n\nReferences\n==========\n\n[ 1 ] CVE-2017-3167\n https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3167\n[ 2 ] CVE-2017-3169\n https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3169\n[ 3 ] CVE-2017-7659\n https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7659\n[ 4 ] CVE-2017-7668\n https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7668\n[ 5 ] CVE-2017-7679\n https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7679\n[ 6 ] CVE-2017-9788\n https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9788\n[ 7 ] CVE-2017-9789\n https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9789\n[ 8 ] CVE-2017-9798\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/201710-32\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2017 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttp://creativecommons.org/licenses/by-sa/2.5\n. 7) - x86_64\n\n3. \n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Important: httpd24-httpd security update\nAdvisory ID: RHSA-2017:2483-01\nProduct: Red Hat Software Collections\nAdvisory URL: https://access.redhat.com/errata/RHSA-2017:2483\nIssue date: 2017-08-16\nCVE Names: CVE-2017-3167 CVE-2017-3169 CVE-2017-7659 \n CVE-2017-7668 CVE-2017-7679 CVE-2017-9788 \n=====================================================================\n\n1. Summary:\n\nAn update for httpd24-httpd is now available for Red Hat Software\nCollections. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch, x86_64\nRed Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, x86_64\nRed Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7) - noarch, x86_64\nRed Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3) - noarch, x86_64\nRed Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch, x86_64\nRed Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64\n\n3. \n\nSecurity Fix(es):\n\n* It was discovered that the httpd\u0027s mod_auth_digest module did not\nproperly initialize memory before using it when processing certain headers\nrelated to digest authentication. A remote attacker could possibly use this\nflaw to disclose potentially sensitive information or cause httpd child\nprocess to crash by sending specially crafted requests to a server. \n(CVE-2017-9788)\n\n* It was discovered that the use of httpd\u0027s ap_get_basic_auth_pw() API\nfunction outside of the authentication phase could lead to authentication\nbypass. A remote attacker could possibly use this flaw to bypass required\nauthentication if the API was used incorrectly by one of the modules used\nby httpd. (CVE-2017-3167)\n\n* A NULL pointer dereference flaw was found in the httpd\u0027s mod_ssl module. \nA remote attacker could use this flaw to cause an httpd child process to\ncrash if another module used by httpd called a certain API function during\nthe processing of an HTTPS request. (CVE-2017-3169)\n\n* A NULL pointer dereference flaw was found in the mod_http2 module of\nhttpd. A remote attacker could use this flaw to cause httpd child process\nto crash via a specially crafted HTTP/2 request. (CVE-2017-7659)\n\n* A buffer over-read flaw was found in the httpd\u0027s ap_find_token()\nfunction. A remote attacker could use this flaw to cause httpd child\nprocess to crash via a specially crafted HTTP request. (CVE-2017-7668)\n\n* A buffer over-read flaw was found in the httpd\u0027s mod_mime module. A user\npermitted to modify httpd\u0027s MIME configuration could use this flaw to cause\nhttpd child process to crash. (CVE-2017-7679)\n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted\nautomatically. \n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1463194 - CVE-2017-3167 httpd: ap_get_basic_auth_pw() authentication bypass\n1463197 - CVE-2017-3169 httpd: mod_ssl NULL pointer dereference\n1463199 - CVE-2017-7659 httpd: mod_http2 NULL pointer dereference\n1463205 - CVE-2017-7668 httpd: ap_find_token() buffer overread\n1463207 - CVE-2017-7679 httpd: mod_mime buffer overread\n1470748 - CVE-2017-9788 httpd: Uninitialized memory reflection in mod_auth_digest\n\n6. Package List:\n\nRed Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):\n\nSource:\nhttpd24-httpd-2.4.25-9.el6.1.src.rpm\n\nnoarch:\nhttpd24-httpd-manual-2.4.25-9.el6.1.noarch.rpm\n\nx86_64:\nhttpd24-httpd-2.4.25-9.el6.1.x86_64.rpm\nhttpd24-httpd-debuginfo-2.4.25-9.el6.1.x86_64.rpm\nhttpd24-httpd-devel-2.4.25-9.el6.1.x86_64.rpm\nhttpd24-httpd-tools-2.4.25-9.el6.1.x86_64.rpm\nhttpd24-mod_ldap-2.4.25-9.el6.1.x86_64.rpm\nhttpd24-mod_proxy_html-2.4.25-9.el6.1.x86_64.rpm\nhttpd24-mod_session-2.4.25-9.el6.1.x86_64.rpm\nhttpd24-mod_ssl-2.4.25-9.el6.1.x86_64.rpm\n\nRed Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7):\n\nSource:\nhttpd24-httpd-2.4.25-9.el6.1.src.rpm\n\nnoarch:\nhttpd24-httpd-manual-2.4.25-9.el6.1.noarch.rpm\n\nx86_64:\nhttpd24-httpd-2.4.25-9.el6.1.x86_64.rpm\nhttpd24-httpd-debuginfo-2.4.25-9.el6.1.x86_64.rpm\nhttpd24-httpd-devel-2.4.25-9.el6.1.x86_64.rpm\nhttpd24-httpd-tools-2.4.25-9.el6.1.x86_64.rpm\nhttpd24-mod_ldap-2.4.25-9.el6.1.x86_64.rpm\nhttpd24-mod_proxy_html-2.4.25-9.el6.1.x86_64.rpm\nhttpd24-mod_session-2.4.25-9.el6.1.x86_64.rpm\nhttpd24-mod_ssl-2.4.25-9.el6.1.x86_64.rpm\n\nRed Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):\n\nSource:\nhttpd24-httpd-2.4.25-9.el6.1.src.rpm\n\nnoarch:\nhttpd24-httpd-manual-2.4.25-9.el6.1.noarch.rpm\n\nx86_64:\nhttpd24-httpd-2.4.25-9.el6.1.x86_64.rpm\nhttpd24-httpd-debuginfo-2.4.25-9.el6.1.x86_64.rpm\nhttpd24-httpd-devel-2.4.25-9.el6.1.x86_64.rpm\nhttpd24-httpd-tools-2.4.25-9.el6.1.x86_64.rpm\nhttpd24-mod_ldap-2.4.25-9.el6.1.x86_64.rpm\nhttpd24-mod_proxy_html-2.4.25-9.el6.1.x86_64.rpm\nhttpd24-mod_session-2.4.25-9.el6.1.x86_64.rpm\nhttpd24-mod_ssl-2.4.25-9.el6.1.x86_64.rpm\n\nRed Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):\n\nSource:\nhttpd24-httpd-2.4.25-9.el7.1.src.rpm\n\nnoarch:\nhttpd24-httpd-manual-2.4.25-9.el7.1.noarch.rpm\n\nx86_64:\nhttpd24-httpd-2.4.25-9.el7.1.x86_64.rpm\nhttpd24-httpd-debuginfo-2.4.25-9.el7.1.x86_64.rpm\nhttpd24-httpd-devel-2.4.25-9.el7.1.x86_64.rpm\nhttpd24-httpd-tools-2.4.25-9.el7.1.x86_64.rpm\nhttpd24-mod_ldap-2.4.25-9.el7.1.x86_64.rpm\nhttpd24-mod_proxy_html-2.4.25-9.el7.1.x86_64.rpm\nhttpd24-mod_session-2.4.25-9.el7.1.x86_64.rpm\nhttpd24-mod_ssl-2.4.25-9.el7.1.x86_64.rpm\n\nRed Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3):\n\nSource:\nhttpd24-httpd-2.4.25-9.el7.1.src.rpm\n\nnoarch:\nhttpd24-httpd-manual-2.4.25-9.el7.1.noarch.rpm\n\nx86_64:\nhttpd24-httpd-2.4.25-9.el7.1.x86_64.rpm\nhttpd24-httpd-debuginfo-2.4.25-9.el7.1.x86_64.rpm\nhttpd24-httpd-devel-2.4.25-9.el7.1.x86_64.rpm\nhttpd24-httpd-tools-2.4.25-9.el7.1.x86_64.rpm\nhttpd24-mod_ldap-2.4.25-9.el7.1.x86_64.rpm\nhttpd24-mod_proxy_html-2.4.25-9.el7.1.x86_64.rpm\nhttpd24-mod_session-2.4.25-9.el7.1.x86_64.rpm\nhttpd24-mod_ssl-2.4.25-9.el7.1.x86_64.rpm\n\nRed Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):\n\nSource:\nhttpd24-httpd-2.4.25-9.el7.1.src.rpm\n\nnoarch:\nhttpd24-httpd-manual-2.4.25-9.el7.1.noarch.rpm\n\nx86_64:\nhttpd24-httpd-2.4.25-9.el7.1.x86_64.rpm\nhttpd24-httpd-debuginfo-2.4.25-9.el7.1.x86_64.rpm\nhttpd24-httpd-devel-2.4.25-9.el7.1.x86_64.rpm\nhttpd24-httpd-tools-2.4.25-9.el7.1.x86_64.rpm\nhttpd24-mod_ldap-2.4.25-9.el7.1.x86_64.rpm\nhttpd24-mod_proxy_html-2.4.25-9.el7.1.x86_64.rpm\nhttpd24-mod_session-2.4.25-9.el7.1.x86_64.rpm\nhttpd24-mod_ssl-2.4.25-9.el7.1.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2017-3167\nhttps://access.redhat.com/security/cve/CVE-2017-3169\nhttps://access.redhat.com/security/cve/CVE-2017-7659\nhttps://access.redhat.com/security/cve/CVE-2017-7668\nhttps://access.redhat.com/security/cve/CVE-2017-7679\nhttps://access.redhat.com/security/cve/CVE-2017-9788\nhttps://access.redhat.com/security/updates/classification/#important\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2017 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niD8DBQFZlNCpXlSAg2UNWIIRArzwAJwNfAuroR6X18rUh+zmjiMy5iBkdwCeJF6e\n4v4GwWYC+5xG0xxXzTEQyAg=\n=UV+2\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. 7.2) - ppc64, ppc64le, s390x, x86_64\n\n3. (CVE-2017-7679)\n\n* A use-after-free flaw was found in the way httpd handled invalid and\npreviously unregistered HTTP methods specified in the Limit directive used\nin an .htaccess file. (CVE-2017-9798)\n\nRed Hat would like to thank Hanno BAPck for reporting CVE-2017-9798",
"sources": [
{
"db": "NVD",
"id": "CVE-2017-7668"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-005025"
},
{
"db": "BID",
"id": "99137"
},
{
"db": "VULMON",
"id": "CVE-2017-7668"
},
{
"db": "PACKETSTORM",
"id": "143146"
},
{
"db": "PACKETSTORM",
"id": "143561"
},
{
"db": "PACKETSTORM",
"id": "144791"
},
{
"db": "PACKETSTORM",
"id": "143767"
},
{
"db": "PACKETSTORM",
"id": "143785"
},
{
"db": "PACKETSTORM",
"id": "144960"
},
{
"db": "PACKETSTORM",
"id": "144968"
}
],
"trust": 2.61
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2017-7668",
"trust": 3.5
},
{
"db": "BID",
"id": "99137",
"trust": 1.9
},
{
"db": "SECTRACK",
"id": "1038711",
"trust": 1.6
},
{
"db": "TENABLE",
"id": "TNS-2019-09",
"trust": 1.6
},
{
"db": "JVN",
"id": "JVNVU98416507",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2017-005025",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201706-787",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2017-7668",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "143146",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "143561",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "144791",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "143767",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "143785",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "144960",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "144968",
"trust": 0.1
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2017-7668"
},
{
"db": "BID",
"id": "99137"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-005025"
},
{
"db": "PACKETSTORM",
"id": "143146"
},
{
"db": "PACKETSTORM",
"id": "143561"
},
{
"db": "PACKETSTORM",
"id": "144791"
},
{
"db": "PACKETSTORM",
"id": "143767"
},
{
"db": "PACKETSTORM",
"id": "143785"
},
{
"db": "PACKETSTORM",
"id": "144960"
},
{
"db": "PACKETSTORM",
"id": "144968"
},
{
"db": "CNNVD",
"id": "CNNVD-201706-787"
},
{
"db": "NVD",
"id": "CVE-2017-7668"
}
]
},
"id": "VAR-201706-0996",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.25
},
"last_update_date": "2024-11-29T21:52:48.656000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "hitachi-sec-2018-101",
"trust": 0.8,
"url": "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2018-101/index.html"
},
{
"title": "hitachi-sec-2017-123",
"trust": 0.8,
"url": "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-123/index.html"
},
{
"title": "NV17-014",
"trust": 0.8,
"url": "http://jpn.nec.com/security-info/secinfo/nv17-014.html"
},
{
"title": "CVE-2017-7668: ap_find_token buffer overread",
"trust": 0.8,
"url": "https://lists.apache.org/thread.html/55a068b6a5eec0b3198ae7d96a7cb412352d0ffa7716612c5af3745b@%3Cdev.httpd.apache.org%3E"
},
{
"title": "hitachi-sec-2017-123",
"trust": 0.8,
"url": "http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/hitachi-sec-2017-123/index.html"
},
{
"title": "hitachi-sec-2018-101",
"trust": 0.8,
"url": "http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/hitachi-sec-2018-101/index.html"
},
{
"title": "Apache httpd Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=71071"
},
{
"title": "Red Hat: Important: httpd security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20173194 - Security Advisory"
},
{
"title": "Red Hat: Important: httpd security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20173193 - Security Advisory"
},
{
"title": "Red Hat: CVE-2017-7668",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=CVE-2017-7668"
},
{
"title": "Ubuntu Security Notice: apache2 vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-3340-1"
},
{
"title": "Arch Linux Issues: ",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues\u0026qid=CVE-2017-7668"
},
{
"title": "Ubuntu Security Notice: apache2 vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-3373-1"
},
{
"title": "Debian Security Advisories: DSA-3896-1 apache2 -- security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=a100e91e6529637522c4f74492953f8c"
},
{
"title": "Amazon Linux AMI: ALAS-2017-863",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2017-863"
},
{
"title": "Arch Linux Advisories: [ASA-201706-34] apache: multiple issues",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories\u0026qid=ASA-201706-34"
},
{
"title": "Symantec Security Advisories: SA154: Apache httpd Vulnerabilities June 2017",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=symantec_security_advisories\u0026qid=6f891c1513dfb5c26769ed38bcac6e4f"
},
{
"title": "Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - July 2017",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins\u0026qid=a22ad41e97bbfc5abb0bb927bf43089c"
},
{
"title": "Tenable Security Advisories: [R1] Tenable.sc 5.13.0 Fixes Multiple Third-Party Vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=tenable_security_advisories\u0026qid=TNS-2019-09"
},
{
"title": "Oracle Linux Bulletins: Oracle Linux Bulletin - July 2017",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_linux_bulletins\u0026qid=549dc795290b298746065b62b4bb7928"
},
{
"title": "Oracle: Oracle Critical Patch Update Advisory - October 2017",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories\u0026qid=523d3f220a64ff01dd95e064bd37566a"
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/ducducuc111/Awesome-Vulnerability-Research "
},
{
"title": "Awesome-Vulnerability-Research",
"trust": 0.1,
"url": "https://github.com/securitychampions/Awesome-Vulnerability-Research "
},
{
"title": "Awesome-Vulnerability-Research",
"trust": 0.1,
"url": "https://github.com/malicious0x01/Awesome-Vulnerability-Research "
},
{
"title": "Awesome-Vulnerability-Research",
"trust": 0.1,
"url": "https://github.com/sergey-pronin/Awesome-Vulnerability-Research "
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/sanand34/Gyoithon-Updated-Ubuntu "
},
{
"title": "GyoiThon",
"trust": 0.1,
"url": "https://github.com/gyoisamurai/GyoiThon "
},
{
"title": "fuzzing-stuff",
"trust": 0.1,
"url": "https://github.com/alphaSeclab/fuzzing-stuff "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2017-7668"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-005025"
},
{
"db": "CNNVD",
"id": "CNNVD-201706-787"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-126",
"trust": 1.0
},
{
"problemtype": "CWE-125",
"trust": 1.0
},
{
"problemtype": "CWE-20",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-005025"
},
{
"db": "NVD",
"id": "CVE-2017-7668"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.7,
"url": "https://security.gentoo.org/glsa/201710-32"
},
{
"trust": 1.7,
"url": "https://access.redhat.com/errata/rhsa-2017:2479"
},
{
"trust": 1.7,
"url": "https://access.redhat.com/errata/rhsa-2017:2483"
},
{
"trust": 1.7,
"url": "https://access.redhat.com/errata/rhsa-2017:3193"
},
{
"trust": 1.7,
"url": "https://access.redhat.com/errata/rhsa-2017:3194"
},
{
"trust": 1.6,
"url": "https://support.hpe.com/hpsc/doc/public/display?doclocale=en_us\u0026docid=emr_na-hpesbux03908en_us"
},
{
"trust": 1.6,
"url": "https://support.apple.com/ht208221"
},
{
"trust": 1.6,
"url": "https://support.hpe.com/hpsc/doc/public/display?doclocale=en_us\u0026docid=emr_na-hpesbhf03821en_us"
},
{
"trust": 1.6,
"url": "https://security.netapp.com/advisory/ntap-20180601-0002/"
},
{
"trust": 1.6,
"url": "http://www.debian.org/security/2017/dsa-3896"
},
{
"trust": 1.6,
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"trust": 1.6,
"url": "http://www.securitytracker.com/id/1038711"
},
{
"trust": 1.6,
"url": "http://www.securityfocus.com/bid/99137"
},
{
"trust": 1.6,
"url": "https://www.tenable.com/security/tns-2019-09"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-7668"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/55a068b6a5eec0b3198ae7d96a7cb412352d0ffa7716612c5af3745b%40%3cdev.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 1.0,
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3ccvs.httpd.apache.org%3e"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-7668"
},
{
"trust": 0.8,
"url": "https://jvn.jp/vu/jvnvu98416507/"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2017-7668"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-3167"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-7679"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-3169"
},
{
"trust": 0.6,
"url": "httpd.apache.org%3e"
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/55a068b6a5eec0b3198ae7d96a7cb412352d0ffa7716612c5af3745b@%3cdev."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064@%3ccvs."
},
{
"trust": 0.6,
"url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3ccvs."
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9788"
},
{
"trust": 0.4,
"url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2017-3169"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2017-7679"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2017-3167"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2017-9788"
},
{
"trust": 0.4,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.3,
"url": "http://www.apache.org/"
},
{
"trust": 0.3,
"url": "https://httpd.apache.org/"
},
{
"trust": 0.3,
"url": "https://httpd.apache.org/security/vulnerabilities_22.html"
},
{
"trust": 0.3,
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg24043880"
},
{
"trust": 0.3,
"url": "https://launchpad.support.sap.com/#/notes/2587985"
},
{
"trust": 0.3,
"url": "https://blogs.sap.com/2018/04/10/sap-security-patch-day-april-2018/"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=nas8n1022204"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg22005280"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-7659"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2017-9798"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9798"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/apache2/2.4.7-1ubuntu4.16"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/apache2/2.4.18-2ubuntu4.2"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/apache2/2.4.25-3ubuntu2.1"
},
{
"trust": 0.1,
"url": "https://www.ubuntu.com/usn/usn-3340-1"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/apache2/2.4.18-2ubuntu3.3"
},
{
"trust": 0.1,
"url": "https://www.ubuntu.com/usn/usn-3373-1"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-8743"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/nvd.cfm?cvename=cve-2017-7668"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/nvd.cfm?cvename=cve-2017-3167"
},
{
"trust": 0.1,
"url": "https://security.gentoo.org/"
},
{
"trust": 0.1,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9798"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/nvd.cfm?cvename=cve-2017-7679"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-9789"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/nvd.cfm?cvename=cve-2017-7659"
},
{
"trust": 0.1,
"url": "http://creativecommons.org/licenses/by-sa/2.5"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/nvd.cfm?cvename=cve-2017-3169"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/nvd.cfm?cvename=cve-2017-9788"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/nvd.cfm?cvename=cve-2017-9789"
},
{
"trust": 0.1,
"url": "https://bugs.gentoo.org."
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2017-7659"
}
],
"sources": [
{
"db": "BID",
"id": "99137"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-005025"
},
{
"db": "PACKETSTORM",
"id": "143146"
},
{
"db": "PACKETSTORM",
"id": "143561"
},
{
"db": "PACKETSTORM",
"id": "144791"
},
{
"db": "PACKETSTORM",
"id": "143767"
},
{
"db": "PACKETSTORM",
"id": "143785"
},
{
"db": "PACKETSTORM",
"id": "144960"
},
{
"db": "PACKETSTORM",
"id": "144968"
},
{
"db": "CNNVD",
"id": "CNNVD-201706-787"
},
{
"db": "NVD",
"id": "CVE-2017-7668"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULMON",
"id": "CVE-2017-7668"
},
{
"db": "BID",
"id": "99137"
},
{
"db": "JVNDB",
"id": "JVNDB-2017-005025"
},
{
"db": "PACKETSTORM",
"id": "143146"
},
{
"db": "PACKETSTORM",
"id": "143561"
},
{
"db": "PACKETSTORM",
"id": "144791"
},
{
"db": "PACKETSTORM",
"id": "143767"
},
{
"db": "PACKETSTORM",
"id": "143785"
},
{
"db": "PACKETSTORM",
"id": "144960"
},
{
"db": "PACKETSTORM",
"id": "144968"
},
{
"db": "CNNVD",
"id": "CNNVD-201706-787"
},
{
"db": "NVD",
"id": "CVE-2017-7668"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-06-20T00:00:00",
"db": "VULMON",
"id": "CVE-2017-7668"
},
{
"date": "2017-06-19T00:00:00",
"db": "BID",
"id": "99137"
},
{
"date": "2017-07-13T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2017-005025"
},
{
"date": "2017-06-26T23:34:52",
"db": "PACKETSTORM",
"id": "143146"
},
{
"date": "2017-07-31T18:22:22",
"db": "PACKETSTORM",
"id": "143561"
},
{
"date": "2017-10-30T15:38:41",
"db": "PACKETSTORM",
"id": "144791"
},
{
"date": "2017-08-15T22:25:00",
"db": "PACKETSTORM",
"id": "143767"
},
{
"date": "2017-08-16T23:35:53",
"db": "PACKETSTORM",
"id": "143785"
},
{
"date": "2017-11-13T22:23:00",
"db": "PACKETSTORM",
"id": "144960"
},
{
"date": "2017-11-14T04:32:05",
"db": "PACKETSTORM",
"id": "144968"
},
{
"date": "2017-06-20T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201706-787"
},
{
"date": "2017-06-20T01:29:00.390000",
"db": "NVD",
"id": "CVE-2017-7668"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-11-07T00:00:00",
"db": "VULMON",
"id": "CVE-2017-7668"
},
{
"date": "2018-04-10T15:00:00",
"db": "BID",
"id": "99137"
},
{
"date": "2018-01-18T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2017-005025"
},
{
"date": "2022-04-22T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201706-787"
},
{
"date": "2024-11-21T03:32:25.300000",
"db": "NVD",
"id": "CVE-2017-7668"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "143767"
},
{
"db": "PACKETSTORM",
"id": "143785"
},
{
"db": "PACKETSTORM",
"id": "144960"
},
{
"db": "PACKETSTORM",
"id": "144968"
},
{
"db": "CNNVD",
"id": "CNNVD-201706-787"
}
],
"trust": 1.0
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apache httpd Input validation vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2017-005025"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201706-787"
}
],
"trust": 0.6
}
}
var-202203-0005
Vulnerability from variot
The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc). OpenSSL Project Than, OpenSSL Security Advisory [15 March 2022] Has been published. Severity − High ( Severity: High ) OpenSSL of BN_mod_sqrt() Computes the square root in a finite field. BN_mod_sqrt() Has the problem of causing an infinite loop if the law is non-prime. Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). (CVE-2021-2372) Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). (CVE-2021-2389) Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.35 and prior and 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H). (CVE-2021-35604) get_sort_by_table in MariaDB prior to 10.6.2 allows an application crash via certain subquery uses of ORDER BY. (CVE-2021-46657) save_window_function_values in MariaDB prior to 10.6.3 allows an application crash because of incorrect handling of with_window_func=true for a subquery. (CVE-2021-46658) MariaDB prior to 10.7.2 allows an application crash because it does not recognize that SELECT_LEX::nest_level is local to each VIEW. (CVE-2021-46659) MariaDB up to and including 10.5.9 allows an application crash in find_field_in_tables and find_order_in_list via an unused common table expression (CTE). (CVE-2021-46661) MariaDB up to and including 10.5.9 allows a set_var.cc application crash via certain uses of an UPDATE statement in conjunction with a nested subquery. (CVE-2021-46662) MariaDB up to and including 10.5.13 allows a ha_maria::extra application crash via certain SELECT statements. (CVE-2021-46663) MariaDB up to and including 10.5.9 allows an application crash in sub_select_postjoin_aggr for a NULL value of aggr. (CVE-2021-46664) MariaDB up to and including 10.5.9 allows a sql_parse.cc application crash because of incorrect used_tables expectations. (CVE-2021-46665) MariaDB prior to 10.6.2 allows an application crash because of mishandling of a pushdown from a HAVING clause to a WHERE clause. (CVE-2021-46666) An integer overflow vulnerability was found in MariaDB, where an invalid size of ref_pointer_array is allocated. This issue results in a denial of service. (CVE-2021-46667) MariaDB up to and including 10.5.9 allows an application crash via certain long SELECT DISTINCT statements that improperly interact with storage-engine resource limitations for temporary data structures. (CVE-2021-46668) A use-after-free vulnerability was found in MariaDB. This flaw allows malicious users to trigger a convert_const_to_int() use-after-free when the BIGINT data type is used, resulting in a denial of service. (CVE-2022-0778) (CVE-2022-0778) Vulnerability in the MySQL Server product of Oracle MySQL (component: C API). Supported versions that are affected are 5.7.36 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). (CVE-2022-21595) MariaDB CONNECT Storage Engine Stack-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local malicious users to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16191. (CVE-2022-24048) MariaDB CONNECT Storage Engine Use-After-Free Privilege Escalation Vulnerability. This vulnerability allows local malicious users to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16207. (CVE-2022-24050) MariaDB CONNECT Storage Engine Format String Privilege Escalation Vulnerability. This vulnerability allows local malicious users to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of a user-supplied string before using it as a format specifier. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16193. (CVE-2022-24051) A flaw was found in MariaDB. Lack of input validation leads to a heap buffer overflow. This flaw allows an authenticated, local attacker with at least a low level of privileges to submit a crafted SQL query to MariaDB and escalate their privileges to the level of the MariaDB service user, running arbitrary code. (CVE-2022-24052) MariaDB Server v10.6.5 and below exists to contain an use-after-free in the component Item_args::walk_arg, which is exploited via specially crafted SQL statements. (CVE-2022-27376) MariaDB Server v10.6.3 and below exists to contain an use-after-free in the component Item_func_in::cleanup(), which is exploited via specially crafted SQL statements. (CVE-2022-27377) An issue in the component Create_tmp_table::finalize of MariaDB Server v10.7 and below exists to allow malicious users to cause a Denial of Service (DoS) via specially crafted SQL statements. (CVE-2022-27378) An issue in the component Arg_comparator::compare_real_fixed of MariaDB Server v10.6.2 and below exists to allow malicious users to cause a Denial of Service (DoS) via specially crafted SQL statements. (CVE-2022-27379) An issue in the component my_decimal::operator= of MariaDB Server v10.6.3 and below exists to allow malicious users to cause a Denial of Service (DoS) via specially crafted SQL statements. (CVE-2022-27380) An issue in the component Field::set_default of MariaDB Server v10.6 and below exists to allow malicious users to cause a Denial of Service (DoS) via specially crafted SQL statements. (CVE-2022-27381) MariaDB Server v10.7 and below exists to contain a segmentation fault via the component Item_field::used_tables/update_depend_map_for_order. (CVE-2022-27382) MariaDB Server v10.6 and below exists to contain an use-after-free in the component my_strcasecmp_8bit, which is exploited via specially crafted SQL statements. (CVE-2022-27383) An issue in the component Item_subselect::init_expr_cache_tracker of MariaDB Server v10.6 and below exists to allow malicious users to cause a Denial of Service (DoS) via specially crafted SQL statements. (CVE-2022-27384) An issue in the component Used_tables_and_const_cache::used_tables_and_const_cache_join of MariaDB Server v10.7 and below exists to allow malicious users to cause a Denial of Service (DoS) via specially crafted SQL statements. (CVE-2022-27385) MariaDB Server v10.7 and below exists to contain a segmentation fault via the component sql/sql_class.cc. (CVE-2022-27386) MariaDB Server v10.7 and below exists to contain a global buffer overflow in the component decimal_bin_size, which is exploited via specially crafted SQL statements. (CVE-2022-27387) MariaDB Server v10.9 and below exists to contain a segmentation fault via the component sql/item_subselect.cc. (CVE-2022-27444) MariaDB Server v10.9 and below exists to contain a segmentation fault via the component sql/sql_window.cc. (CVE-2022-27445) MariaDB Server v10.9 and below exists to contain a segmentation fault via the component sql/item_cmpfunc.h. (CVE-2022-27446) MariaDB Server v10.9 and below exists to contain a use-after-free via the component Binary_string::free_buffer() at /sql/sql_string.h. (CVE-2022-27447) There is an Assertion failure in MariaDB Server v10.9 and below via 'node->pcur->rel_pos == BTR_PCUR_ON' at /row/row0mysql.cc. (CVE-2022-27448) MariaDB Server v10.9 and below exists to contain a segmentation fault via the component sql/item_func.cc:148. (CVE-2022-27449) MariaDB Server v10.9 and below exists to contain a segmentation fault via the component sql/field_conv.cc. (CVE-2022-27451) MariaDB Server v10.9 and below exists to contain a segmentation fault via the component sql/item_cmpfunc.cc. (CVE-2022-27452) MariaDB Server v10.6.3 and below exists to contain an use-after-free in the component my_wildcmp_8bit_impl at /strings/ctype-simple.c. (CVE-2022-27455) MariaDB Server v10.6.3 and below exists to contain an use-after-free in the component VDec::VDec at /sql/sql_type.cc. (CVE-2022-27456) MariaDB Server v10.6.3 and below exists to contain an use-after-free in the component my_mb_wc_latin1 at /strings/ctype-latin1.c. (CVE-2022-27457) MariaDB Server v10.6.3 and below exists to contain an use-after-free in the component Binary_string::free_buffer() at /sql/sql_string.h. (CVE-2022-27458) MariaDB Server prior to 10.7 is vulnerable to Denial of Service. In extra/mariabackup/ds_compress.cc, when an error occurs (pthread_create returns a nonzero value) while executing the method create_worker_threads, the held lock is not released correctly, which allows local users to trigger a denial of service due to the deadlock. (CVE-2022-31622) MariaDB Server prior to 10.7 is vulnerable to Denial of Service. In extra/mariabackup/ds_compress.cc, when an error occurs (i.e., going to the err label) while executing the method create_worker_threads, the held lock thd->ctrl_mutex is not released correctly, which allows local users to trigger a denial of service due to the deadlock. (CVE-2022-31623) MariaDB Server prior to 10.7 is vulnerable to Denial of Service. While executing the plugin/server_audit/server_audit.c method log_statement_ex, the held lock lock_bigbuffer is not released correctly, which allows local users to trigger a denial of service due to the deadlock. (CVE-2022-31624) MariaDB v10.4 to v10.7 exists to contain an use-after-poison in prepare_inplace_add_virtual at /storage/innobase/handler/handler0alter.cc. (CVE-2022-32081) MariaDB v10.5 to v10.7 exists to contain an assertion failure at table->get_ref_count() == 0 in dict0dict.cc. (CVE-2022-32082) MariaDB v10.2 to v10.6.1 exists to contain a segmentation fault via the component Item_subselect::init_expr_cache_tracker. (CVE-2022-32083) MariaDB v10.2 to v10.7 exists to contain a segmentation fault via the component sub_select. (CVE-2022-32084) MariaDB v10.2 to v10.7 exists to contain a segmentation fault via the component Item_func_in::cleanup/Item::cleanup_processor. (CVE-2022-32085) MariaDB v10.4 to v10.8 exists to contain a segmentation fault via the component Item_field::fix_outer_field. (CVE-2022-32086) MariaDB v10.2 to v10.7 exists to contain a segmentation fault via the component Item_args::walk_args. (CVE-2022-32087) MariaDB v10.2 to v10.7 exists to contain a segmentation fault via the component Exec_time_tracker::get_loops/Filesort_tracker::report_use/filesort. (CVE-2022-32088) MariaDB v10.5 to v10.7 exists to contain a segmentation fault via the component st_select_lex_unit::exclude_level. (CVE-2022-32089) MariaDB v10.7 exists to contain an use-after-poison in in __interceptor_memset at /libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc. (CVE-2022-32091) In MariaDB prior to 10.9.2, compress_write in extra/mariabackup/ds_compress.cc does not release data_mutex upon a stream write failure, which allows local users to trigger a deadlock. (CVE-2022-38791). -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Important: openssl security update Advisory ID: RHSA-2022:1077-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2022:1077 Issue date: 2022-03-28 CVE Names: CVE-2022-0778 ==================================================================== 1. Summary:
An update for openssl is now available for Red Hat Enterprise Linux 7.7 Advanced Update Support, Red Hat Enterprise Linux 7.7 Telco Extended Update Support, and Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux Server AUS (v. 7.7) - x86_64 Red Hat Enterprise Linux Server E4S (v. 7.7) - ppc64le, x86_64 Red Hat Enterprise Linux Server Optional AUS (v. 7.7) - x86_64 Red Hat Enterprise Linux Server Optional E4S (v. 7.7) - ppc64le, x86_64 Red Hat Enterprise Linux Server Optional TUS (v. 7.7) - x86_64 Red Hat Enterprise Linux Server TUS (v. 7.7) - x86_64
- Description:
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.
Security Fix(es):
- openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates (CVE-2022-0778)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
- Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
- Package List:
Red Hat Enterprise Linux Server AUS (v. 7.7):
Source: openssl-1.0.2k-21.el7_7.src.rpm
x86_64: openssl-1.0.2k-21.el7_7.x86_64.rpm openssl-debuginfo-1.0.2k-21.el7_7.i686.rpm openssl-debuginfo-1.0.2k-21.el7_7.x86_64.rpm openssl-devel-1.0.2k-21.el7_7.i686.rpm openssl-devel-1.0.2k-21.el7_7.x86_64.rpm openssl-libs-1.0.2k-21.el7_7.i686.rpm openssl-libs-1.0.2k-21.el7_7.x86_64.rpm
Red Hat Enterprise Linux Server E4S (v. 7.7):
Source: openssl-1.0.2k-21.el7_7.src.rpm
ppc64le: openssl-1.0.2k-21.el7_7.ppc64le.rpm openssl-debuginfo-1.0.2k-21.el7_7.ppc64le.rpm openssl-devel-1.0.2k-21.el7_7.ppc64le.rpm openssl-libs-1.0.2k-21.el7_7.ppc64le.rpm
x86_64: openssl-1.0.2k-21.el7_7.x86_64.rpm openssl-debuginfo-1.0.2k-21.el7_7.i686.rpm openssl-debuginfo-1.0.2k-21.el7_7.x86_64.rpm openssl-devel-1.0.2k-21.el7_7.i686.rpm openssl-devel-1.0.2k-21.el7_7.x86_64.rpm openssl-libs-1.0.2k-21.el7_7.i686.rpm openssl-libs-1.0.2k-21.el7_7.x86_64.rpm
Red Hat Enterprise Linux Server TUS (v. 7.7):
Source: openssl-1.0.2k-21.el7_7.src.rpm
x86_64: openssl-1.0.2k-21.el7_7.x86_64.rpm openssl-debuginfo-1.0.2k-21.el7_7.i686.rpm openssl-debuginfo-1.0.2k-21.el7_7.x86_64.rpm openssl-devel-1.0.2k-21.el7_7.i686.rpm openssl-devel-1.0.2k-21.el7_7.x86_64.rpm openssl-libs-1.0.2k-21.el7_7.i686.rpm openssl-libs-1.0.2k-21.el7_7.x86_64.rpm
Red Hat Enterprise Linux Server Optional AUS (v. 7.7):
x86_64: openssl-debuginfo-1.0.2k-21.el7_7.i686.rpm openssl-debuginfo-1.0.2k-21.el7_7.x86_64.rpm openssl-perl-1.0.2k-21.el7_7.x86_64.rpm openssl-static-1.0.2k-21.el7_7.i686.rpm openssl-static-1.0.2k-21.el7_7.x86_64.rpm
Red Hat Enterprise Linux Server Optional E4S (v. 7.7):
ppc64le: openssl-debuginfo-1.0.2k-21.el7_7.ppc64le.rpm openssl-perl-1.0.2k-21.el7_7.ppc64le.rpm openssl-static-1.0.2k-21.el7_7.ppc64le.rpm
x86_64: openssl-debuginfo-1.0.2k-21.el7_7.i686.rpm openssl-debuginfo-1.0.2k-21.el7_7.x86_64.rpm openssl-perl-1.0.2k-21.el7_7.x86_64.rpm openssl-static-1.0.2k-21.el7_7.i686.rpm openssl-static-1.0.2k-21.el7_7.x86_64.rpm
Red Hat Enterprise Linux Server Optional TUS (v. 7.7):
x86_64: openssl-debuginfo-1.0.2k-21.el7_7.i686.rpm openssl-debuginfo-1.0.2k-21.el7_7.x86_64.rpm openssl-perl-1.0.2k-21.el7_7.x86_64.rpm openssl-static-1.0.2k-21.el7_7.i686.rpm openssl-static-1.0.2k-21.el7_7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-0778 https://access.redhat.com/security/updates/classification/#important
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBYkHUr9zjgjWX9erEAQhkHQ//TKBrMV721kVVZUQwH24yK+5Owx085P9k XoKjwPfx5h/WLsQCXuGE9Ptsqdkl23zuwBkC/91HuGw2lOE/ap+fFjgZuDsCNoPy tg4qTIqRtvIkvvNF1U8JMmaahTegmAzdFCxIAYKkBMsQRIptX6tDrBgTv5279fj4 TY8RA1Kj9Z2SLXFc/rcEUqDb5yKDJ0mvGzQl9VzBx9OKJbLkUReLQRcq5X5SbAyp PICvHr9TCX5OVS870tsw+yTQD0xIDPtUY8Abcb5lCHNbA1QJSwvm+dbMErhuiWtI Rg6M9Ny5/VochcblHbfiNluI3NrbpSIqUCtz7xNeNvL1tU0pObAAgNZLunkwXE8S zy9W4U2RNFowQiBSYQe73CiI+RER0HxkolRzqoV2SeuIKQPTE/YjtSc977XvKy26 0z9qLGU+kvJiD/gh69SkTTH23y97gUE4qL92wJl+JNnFZmNHj1nRBjvY8Q1dnC+/ EJz98v1HvsScSbSSQsopgAZgJ+wJT+ZN0sZa78CLh4av/ISo6ri5dbE3C+F+JH3k cVjDU3v58rStC5M2KAIlroOhuZSUEYb4iUVEraubg2ItEeGnTCAif2msKPx7R94d SZ3MLJ3zjyZ8SKRyKbT8f0Fmn3SuxC26K4B6iQ4kiUmiYtn58OPIIygga6lJAWn1 9J7/f8KjwEA=6u6P -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
All OpenShift Container Platform 4.8 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html
- Solution:
For OpenShift Container Platform 4.8 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:
https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html
Details on how to access this content are available at https://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html
- Bugs fixed (https://bugzilla.redhat.com/):
2066837 - CVE-2022-24769 moby: Default inheritable capabilities for linux container should be empty
- Description:
Service Telemetry Framework (STF) provides automated collection of measurements and data from remote clients, such as Red Hat OpenStack Platform or third-party nodes. Dockerfiles and scripts should be amended either to refer to this new image specifically, or to the latest image generally. Bugs fixed (https://bugzilla.redhat.com/):
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
-
9) - aarch64, ppc64le, s390x, x86_64
-
compat-openssl11 provides the legacy 1.1 version of OpenSSL for use with older binaries.
Bug Fix(es):
-
compat-openssl11 breaks in FIPS (BZ#2091968)
-
Bugs fixed (https://bugzilla.redhat.com/):
1995656 - CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic 2000478 - Using deprecated 1.25 API calls 2022742 - NNCP creation fails when node of a cluster is unavailable 2024938 - CVE-2021-41190 opencontainers: OCI manifest and index parsing confusion 2028619 - policy/v1beta1 PodDisruptionBudget is deprecated in v1.21+, unavailable in v1.25+ 2029359 - NodeNetworkConfigurationPolicy refreshes all the conditions even if the policy has not gone to that state 2032837 - Add/remove label to priority class are not reconciled properly left HCO in Unknown status. 2033385 - Bug in kubernetes labels that are attached to the CNV logs 2038814 - [CNV-4.10-rhel9] hyperconverged-cluster-cli-download pod CrashLoopBackOff state 2039019 - Fix Top consumers dashboard 2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter 2046686 - Importer pod keeps in retarting when dataimportcron has a reference to invalid image sha 2049990 - must-gather: must-gather is logging errors about upstream only namespaces 2053390 - No DataImportCron for CentOS 7 2054778 - PVC created with filesystem volume mode in some cases, instead of block volume mode 2054782 - DataImportCron status does not show failure when failing to create dataSource 2055304 - [4.10.z] nmstate interprets interface names as float64 and subsequently crashes on state update 2055950 - cnv installation should set empty node selector for openshift-cnv namespace 2056421 - non-privileged user cannot add disk as it cannot update resource "virtualmachines/addvolume" 2056464 - nmstate-webhook pods getting scheduled on the same node 2056619 - [4.10.z] kubemacpool-mac-controller-manager not ready 2057142 - CDI aggregate roles missing some types 2057148 - Cross namespace smart clone may get stuck in NamespaceTransferInProgress phase 2057613 - nmpolicy capture - race condition when appying teardown nncp; nnce fails 2059185 - must-gather: Must-gather gather_vms_details is not working when used with a list of vms 2059613 - Must-gather: for vms with longer name, gather_vms_details fails to collect qemu, dump xml logs 2062227 - sriovLiveMigration should not be enabled on sno clusters 2062321 - when update attempt of hco.spec with storage classes failed, csv git stuck in installing state 2063991 - On upgraded cluster, "v2v-vmware" is present under hco.status.relatedObject 2065308 - CNV disables LiveMigration FG, but leaves LiveMigration workloadUpdateStrategy enabled 2065743 - 4.10.1 containers 2065755 - 4.10.1 rpms 2066086 - DataImportCrons do not automatically recover from unconfigured default storage class 2066712 - [4.10.z] Migration of vm from VMware reports pvc not large enough 2069055 - [4.10.z] On an upgraded cluster NetworkAddonsConfig seems to be reconciling in a loop 2070050 - [4.10.1] Custom guest PCI address and boot order parameters are not respected in a list of multiple SR-IOV NICs 2073880 - Cannot create VM on SNO cluster as live migration feature is not enabled 2077920 - Migration in sequence can be reported as failed even when it succeeded 2078878 - SSP: Common templates fix to pick right templates
This advisory covers the containers for the release. Bugs fixed (https://bugzilla.redhat.com/):
2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor
2053259 - CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak
2066009 - CVE-2021-44906 minimist: prototype pollution
2067387 - CVE-2022-24771 node-forge: Signature verification leniency in checking digestAlgorithm structure can lead to signature forgery
2067458 - CVE-2022-24772 node-forge: Signature verification failing to check tailing garbage bytes can lead to signature forgery
2067461 - CVE-2022-24773 node-forge: Signature verification leniency in checking DigestInfo structure
- JIRA issues fixed (https://issues.jboss.org/):
OSSM-1435 - Container release for Maistra 2.1.2.1
- Description:
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References. Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied. ========================================================================== Ubuntu Security Notice USN-6457-1 October 30, 2023
nodejs vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in Node.js.
Software Description: - nodejs: An open-source, cross-platform JavaScript runtime environment.
Details:
Tavis Ormandy discovered that Node.js incorrectly handled certain inputs. (CVE-2022-0778)
Elison Niven discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code. (CVE-2022-1292)
Chancen and Daniel Fiala discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code. (CVE-2022-2068)
Alex Chernyakhovsky discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code. (CVE-2022-2097)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 22.04 LTS: libnode-dev 12.22.9~dfsg-1ubuntu3.1 libnode72 12.22.9~dfsg-1ubuntu3.1 nodejs 12.22.9~dfsg-1ubuntu3.1 nodejs-doc 12.22.9~dfsg-1ubuntu3.1
In general, a standard system update will make all the necessary changes
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202203-0005",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "ucosminexus application server",
"scope": null,
"trust": 1.6,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "ucosminexus service platform",
"scope": null,
"trust": 1.6,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "ucosminexus primary server base",
"scope": null,
"trust": 1.6,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "500f",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "node.js",
"scope": "lt",
"trust": 1.0,
"vendor": "nodejs",
"version": "17.7.2"
},
{
"model": "openssl",
"scope": "gte",
"trust": 1.0,
"vendor": "openssl",
"version": "1.0.2"
},
{
"model": "node.js",
"scope": "lte",
"trust": 1.0,
"vendor": "nodejs",
"version": "14.14.0"
},
{
"model": "node.js",
"scope": "gte",
"trust": 1.0,
"vendor": "nodejs",
"version": "12.13.0"
},
{
"model": "mariadb",
"scope": "lt",
"trust": 1.0,
"vendor": "mariadb",
"version": "10.6.6"
},
{
"model": "node.js",
"scope": "gt",
"trust": 1.0,
"vendor": "nodejs",
"version": "16.0.0"
},
{
"model": "openssl",
"scope": "lt",
"trust": 1.0,
"vendor": "openssl",
"version": "3.0.2"
},
{
"model": "node.js",
"scope": "lte",
"trust": 1.0,
"vendor": "nodejs",
"version": "16.12.0"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "9.0"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "36"
},
{
"model": "node.js",
"scope": "gte",
"trust": 1.0,
"vendor": "nodejs",
"version": "14.15.0"
},
{
"model": "cloud volumes ontap mediator",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "mariadb",
"scope": "lt",
"trust": 1.0,
"vendor": "mariadb",
"version": "10.3.33"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "11.0"
},
{
"model": "node.js",
"scope": "lt",
"trust": 1.0,
"vendor": "nodejs",
"version": "14.19.1"
},
{
"model": "openssl",
"scope": "gte",
"trust": 1.0,
"vendor": "openssl",
"version": "1.1.0"
},
{
"model": "openssl",
"scope": "lt",
"trust": 1.0,
"vendor": "openssl",
"version": "1.1.1n"
},
{
"model": "nessus",
"scope": "gte",
"trust": 1.0,
"vendor": "tenable",
"version": "10.0.0"
},
{
"model": "mariadb",
"scope": "lt",
"trust": 1.0,
"vendor": "mariadb",
"version": "10.2.42"
},
{
"model": "node.js",
"scope": "lte",
"trust": 1.0,
"vendor": "nodejs",
"version": "12.12.0"
},
{
"model": "node.js",
"scope": "lt",
"trust": 1.0,
"vendor": "nodejs",
"version": "12.22.11"
},
{
"model": "node.js",
"scope": "gt",
"trust": 1.0,
"vendor": "nodejs",
"version": "17.0.0"
},
{
"model": "mariadb",
"scope": "gte",
"trust": 1.0,
"vendor": "mariadb",
"version": "10.5.0"
},
{
"model": "mariadb",
"scope": "lt",
"trust": 1.0,
"vendor": "mariadb",
"version": "10.7.2"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "10.0"
},
{
"model": "node.js",
"scope": "gte",
"trust": 1.0,
"vendor": "nodejs",
"version": "16.13.0"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "34"
},
{
"model": "mariadb",
"scope": "gte",
"trust": 1.0,
"vendor": "mariadb",
"version": "10.2.0"
},
{
"model": "mariadb",
"scope": "gte",
"trust": 1.0,
"vendor": "mariadb",
"version": "10.3.0"
},
{
"model": "mariadb",
"scope": "gte",
"trust": 1.0,
"vendor": "mariadb",
"version": "10.4.0"
},
{
"model": "mariadb",
"scope": "gte",
"trust": 1.0,
"vendor": "mariadb",
"version": "10.6.0"
},
{
"model": "node.js",
"scope": "lt",
"trust": 1.0,
"vendor": "nodejs",
"version": "16.14.2"
},
{
"model": "nessus",
"scope": "lt",
"trust": 1.0,
"vendor": "tenable",
"version": "10.1.2"
},
{
"model": "openssl",
"scope": "lt",
"trust": 1.0,
"vendor": "openssl",
"version": "1.0.2zd"
},
{
"model": "openssl",
"scope": "gte",
"trust": 1.0,
"vendor": "openssl",
"version": "3.0.0"
},
{
"model": "a250",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "nessus",
"scope": "lt",
"trust": 1.0,
"vendor": "tenable",
"version": "8.15.4"
},
{
"model": "santricity smi-s provider",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "clustered data ontap antivirus connector",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "mariadb",
"scope": "lt",
"trust": 1.0,
"vendor": "mariadb",
"version": "10.4.23"
},
{
"model": "mariadb",
"scope": "lt",
"trust": 1.0,
"vendor": "mariadb",
"version": "10.5.14"
},
{
"model": "node.js",
"scope": "gte",
"trust": 1.0,
"vendor": "nodejs",
"version": "12.0.0"
},
{
"model": "mariadb",
"scope": "gte",
"trust": 1.0,
"vendor": "mariadb",
"version": "10.7.0"
},
{
"model": "storagegrid",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "clustered data ontap",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "node.js",
"scope": "gt",
"trust": 1.0,
"vendor": "nodejs",
"version": "14.0.0"
},
{
"model": "nec enhanced video analytics",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": null
},
{
"model": "\u65e5\u7acb\u30a2\u30c9\u30d0\u30f3\u30b9\u30c8\u30b5\u30fc\u30d0 ha8000v \u30b7\u30ea\u30fc\u30ba",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "\u65e5\u7acb\u9ad8\u4fe1\u983c\u30b5\u30fc\u30d0 rv3000",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "neoface monitor",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": null
},
{
"model": "ucosminexus application server-r",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "jp1/file transmission server/ftp",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "esmpro/serveragent",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": null
},
{
"model": "nec cyber security platform",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": null
},
{
"model": "openssl",
"scope": null,
"trust": 0.8,
"vendor": "openssl",
"version": null
},
{
"model": "mission critical mail",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": null
},
{
"model": "webotx application server",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": null
},
{
"model": "jp1/performance management",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "univerge",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": null
},
{
"model": "ix \u30eb\u30fc\u30bf",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": null
},
{
"model": "connexive application platform",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": null
},
{
"model": "jp1/base",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "nec \u30a8\u30c3\u30b8\u30b2\u30fc\u30c8\u30a6\u30a7\u30a4",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": null
},
{
"model": "nec ai accelerator",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": null
},
{
"model": "esmpro/serveragentservice",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": null
},
{
"model": "istoragemanager",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": null
},
{
"model": "webotx sip application server",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": null
},
{
"model": "ucosminexus service architect",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "ism\u30b5\u30fc\u30d0",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": null
},
{
"model": "simpwright",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": null
},
{
"model": "ucosminexus developer",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "connexive pf",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": null
},
{
"model": "cosminexus http server",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "istoragemanager express",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": null
},
{
"model": "witchymail",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": null
},
{
"model": "jp1/automatic job management system 3",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "iot \u5171\u901a\u57fa\u76e4",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": null
},
{
"model": "actsecure \u30dd\u30fc\u30bf\u30eb",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u672c\u96fb\u6c17",
"version": null
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-001476"
},
{
"db": "NVD",
"id": "CVE-2022-0778"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Red Hat",
"sources": [
{
"db": "PACKETSTORM",
"id": "166491"
},
{
"db": "PACKETSTORM",
"id": "166504"
},
{
"db": "PACKETSTORM",
"id": "166497"
},
{
"db": "PACKETSTORM",
"id": "166495"
},
{
"db": "PACKETSTORM",
"id": "167371"
},
{
"db": "PACKETSTORM",
"id": "167379"
},
{
"db": "PACKETSTORM",
"id": "168011"
},
{
"db": "PACKETSTORM",
"id": "167405"
},
{
"db": "PACKETSTORM",
"id": "167226"
},
{
"db": "PACKETSTORM",
"id": "166983"
},
{
"db": "PACKETSTORM",
"id": "167640"
},
{
"db": "PACKETSTORM",
"id": "166926"
}
],
"trust": 1.2
},
"cve": "CVE-2022-0778",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "CVE-2022-0778",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.9,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"id": "CVE-2022-0778",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 7.5,
"baseSeverity": "High",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2022-0778",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2022-0778",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2022-0778",
"trust": 0.8,
"value": "High"
},
{
"author": "VULMON",
"id": "CVE-2022-0778",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2022-0778"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-001476"
},
{
"db": "NVD",
"id": "CVE-2022-0778"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc). OpenSSL Project Than, OpenSSL Security Advisory [15 March 2022] Has been published. Severity \u2212 High ( Severity: High ) OpenSSL of BN_mod_sqrt() Computes the square root in a finite field. BN_mod_sqrt() Has the problem of causing an infinite loop if the law is non-prime. Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). (CVE-2021-2372)\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). (CVE-2021-2389)\nVulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.35 and prior and 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H). (CVE-2021-35604)\nget_sort_by_table in MariaDB prior to 10.6.2 allows an application crash via certain subquery uses of ORDER BY. (CVE-2021-46657)\nsave_window_function_values in MariaDB prior to 10.6.3 allows an application crash because of incorrect handling of with_window_func=true for a subquery. (CVE-2021-46658)\nMariaDB prior to 10.7.2 allows an application crash because it does not recognize that SELECT_LEX::nest_level is local to each VIEW. (CVE-2021-46659)\nMariaDB up to and including 10.5.9 allows an application crash in find_field_in_tables and find_order_in_list via an unused common table expression (CTE). (CVE-2021-46661)\nMariaDB up to and including 10.5.9 allows a set_var.cc application crash via certain uses of an UPDATE statement in conjunction with a nested subquery. (CVE-2021-46662)\nMariaDB up to and including 10.5.13 allows a ha_maria::extra application crash via certain SELECT statements. (CVE-2021-46663)\nMariaDB up to and including 10.5.9 allows an application crash in sub_select_postjoin_aggr for a NULL value of aggr. (CVE-2021-46664)\nMariaDB up to and including 10.5.9 allows a sql_parse.cc application crash because of incorrect used_tables expectations. (CVE-2021-46665)\nMariaDB prior to 10.6.2 allows an application crash because of mishandling of a pushdown from a HAVING clause to a WHERE clause. (CVE-2021-46666)\nAn integer overflow vulnerability was found in MariaDB, where an invalid size of ref_pointer_array is allocated. This issue results in a denial of service. (CVE-2021-46667)\nMariaDB up to and including 10.5.9 allows an application crash via certain long SELECT DISTINCT statements that improperly interact with storage-engine resource limitations for temporary data structures. (CVE-2021-46668)\nA use-after-free vulnerability was found in MariaDB. This flaw allows malicious users to trigger a convert_const_to_int() use-after-free when the BIGINT data type is used, resulting in a denial of service. (CVE-2022-0778) (CVE-2022-0778)\nVulnerability in the MySQL Server product of Oracle MySQL (component: C API). Supported versions that are affected are 5.7.36 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). (CVE-2022-21595)\nMariaDB CONNECT Storage Engine Stack-based Buffer Overflow Privilege Escalation Vulnerability. This vulnerability allows local malicious users to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16191. (CVE-2022-24048)\nMariaDB CONNECT Storage Engine Use-After-Free Privilege Escalation Vulnerability. This vulnerability allows local malicious users to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16207. (CVE-2022-24050)\nMariaDB CONNECT Storage Engine Format String Privilege Escalation Vulnerability. This vulnerability allows local malicious users to escalate privileges on affected installations of MariaDB. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of SQL queries. The issue results from the lack of proper validation of a user-supplied string before using it as a format specifier. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-16193. (CVE-2022-24051)\nA flaw was found in MariaDB. Lack of input validation leads to a heap buffer overflow. This flaw allows an authenticated, local attacker with at least a low level of privileges to submit a crafted SQL query to MariaDB and escalate their privileges to the level of the MariaDB service user, running arbitrary code. (CVE-2022-24052)\nMariaDB Server v10.6.5 and below exists to contain an use-after-free in the component Item_args::walk_arg, which is exploited via specially crafted SQL statements. (CVE-2022-27376)\nMariaDB Server v10.6.3 and below exists to contain an use-after-free in the component Item_func_in::cleanup(), which is exploited via specially crafted SQL statements. (CVE-2022-27377)\nAn issue in the component Create_tmp_table::finalize of MariaDB Server v10.7 and below exists to allow malicious users to cause a Denial of Service (DoS) via specially crafted SQL statements. (CVE-2022-27378)\nAn issue in the component Arg_comparator::compare_real_fixed of MariaDB Server v10.6.2 and below exists to allow malicious users to cause a Denial of Service (DoS) via specially crafted SQL statements. (CVE-2022-27379)\nAn issue in the component my_decimal::operator= of MariaDB Server v10.6.3 and below exists to allow malicious users to cause a Denial of Service (DoS) via specially crafted SQL statements. (CVE-2022-27380)\nAn issue in the component Field::set_default of MariaDB Server v10.6 and below exists to allow malicious users to cause a Denial of Service (DoS) via specially crafted SQL statements. (CVE-2022-27381)\nMariaDB Server v10.7 and below exists to contain a segmentation fault via the component Item_field::used_tables/update_depend_map_for_order. (CVE-2022-27382)\nMariaDB Server v10.6 and below exists to contain an use-after-free in the component my_strcasecmp_8bit, which is exploited via specially crafted SQL statements. (CVE-2022-27383)\nAn issue in the component Item_subselect::init_expr_cache_tracker of MariaDB Server v10.6 and below exists to allow malicious users to cause a Denial of Service (DoS) via specially crafted SQL statements. (CVE-2022-27384)\nAn issue in the component Used_tables_and_const_cache::used_tables_and_const_cache_join of MariaDB Server v10.7 and below exists to allow malicious users to cause a Denial of Service (DoS) via specially crafted SQL statements. (CVE-2022-27385)\nMariaDB Server v10.7 and below exists to contain a segmentation fault via the component sql/sql_class.cc. (CVE-2022-27386)\nMariaDB Server v10.7 and below exists to contain a global buffer overflow in the component decimal_bin_size, which is exploited via specially crafted SQL statements. (CVE-2022-27387)\nMariaDB Server v10.9 and below exists to contain a segmentation fault via the component sql/item_subselect.cc. (CVE-2022-27444)\nMariaDB Server v10.9 and below exists to contain a segmentation fault via the component sql/sql_window.cc. (CVE-2022-27445)\nMariaDB Server v10.9 and below exists to contain a segmentation fault via the component sql/item_cmpfunc.h. (CVE-2022-27446)\nMariaDB Server v10.9 and below exists to contain a use-after-free via the component Binary_string::free_buffer() at /sql/sql_string.h. (CVE-2022-27447)\nThere is an Assertion failure in MariaDB Server v10.9 and below via \u0027node-\u0026gt;pcur-\u0026gt;rel_pos == BTR_PCUR_ON\u0027 at /row/row0mysql.cc. (CVE-2022-27448)\nMariaDB Server v10.9 and below exists to contain a segmentation fault via the component sql/item_func.cc:148. (CVE-2022-27449)\nMariaDB Server v10.9 and below exists to contain a segmentation fault via the component sql/field_conv.cc. (CVE-2022-27451)\nMariaDB Server v10.9 and below exists to contain a segmentation fault via the component sql/item_cmpfunc.cc. (CVE-2022-27452)\nMariaDB Server v10.6.3 and below exists to contain an use-after-free in the component my_wildcmp_8bit_impl at /strings/ctype-simple.c. (CVE-2022-27455)\nMariaDB Server v10.6.3 and below exists to contain an use-after-free in the component VDec::VDec at /sql/sql_type.cc. (CVE-2022-27456)\nMariaDB Server v10.6.3 and below exists to contain an use-after-free in the component my_mb_wc_latin1 at /strings/ctype-latin1.c. (CVE-2022-27457)\nMariaDB Server v10.6.3 and below exists to contain an use-after-free in the component Binary_string::free_buffer() at /sql/sql_string.h. (CVE-2022-27458)\nMariaDB Server prior to 10.7 is vulnerable to Denial of Service. In extra/mariabackup/ds_compress.cc, when an error occurs (pthread_create returns a nonzero value) while executing the method create_worker_threads, the held lock is not released correctly, which allows local users to trigger a denial of service due to the deadlock. (CVE-2022-31622)\nMariaDB Server prior to 10.7 is vulnerable to Denial of Service. In extra/mariabackup/ds_compress.cc, when an error occurs (i.e., going to the err label) while executing the method create_worker_threads, the held lock thd-\u0026gt;ctrl_mutex is not released correctly, which allows local users to trigger a denial of service due to the deadlock. (CVE-2022-31623)\nMariaDB Server prior to 10.7 is vulnerable to Denial of Service. While executing the plugin/server_audit/server_audit.c method log_statement_ex, the held lock lock_bigbuffer is not released correctly, which allows local users to trigger a denial of service due to the deadlock. (CVE-2022-31624)\nMariaDB v10.4 to v10.7 exists to contain an use-after-poison in prepare_inplace_add_virtual at /storage/innobase/handler/handler0alter.cc. (CVE-2022-32081)\nMariaDB v10.5 to v10.7 exists to contain an assertion failure at table-\u0026gt;get_ref_count() == 0 in dict0dict.cc. (CVE-2022-32082)\nMariaDB v10.2 to v10.6.1 exists to contain a segmentation fault via the component Item_subselect::init_expr_cache_tracker. (CVE-2022-32083)\nMariaDB v10.2 to v10.7 exists to contain a segmentation fault via the component sub_select. (CVE-2022-32084)\nMariaDB v10.2 to v10.7 exists to contain a segmentation fault via the component Item_func_in::cleanup/Item::cleanup_processor. (CVE-2022-32085)\nMariaDB v10.4 to v10.8 exists to contain a segmentation fault via the component Item_field::fix_outer_field. (CVE-2022-32086)\nMariaDB v10.2 to v10.7 exists to contain a segmentation fault via the component Item_args::walk_args. (CVE-2022-32087)\nMariaDB v10.2 to v10.7 exists to contain a segmentation fault via the component Exec_time_tracker::get_loops/Filesort_tracker::report_use/filesort. (CVE-2022-32088)\nMariaDB v10.5 to v10.7 exists to contain a segmentation fault via the component st_select_lex_unit::exclude_level. (CVE-2022-32089)\nMariaDB v10.7 exists to contain an use-after-poison in in __interceptor_memset at /libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc. (CVE-2022-32091)\nIn MariaDB prior to 10.9.2, compress_write in extra/mariabackup/ds_compress.cc does not release data_mutex upon a stream write failure, which allows local users to trigger a deadlock. (CVE-2022-38791). -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Important: openssl security update\nAdvisory ID: RHSA-2022:1077-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://access.redhat.com/errata/RHSA-2022:1077\nIssue date: 2022-03-28\nCVE Names: CVE-2022-0778\n====================================================================\n1. Summary:\n\nAn update for openssl is now available for Red Hat Enterprise Linux 7.7\nAdvanced Update Support, Red Hat Enterprise Linux 7.7 Telco Extended Update\nSupport, and Red Hat Enterprise Linux 7.7 Update Services for SAP\nSolutions. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Server AUS (v. 7.7) - x86_64\nRed Hat Enterprise Linux Server E4S (v. 7.7) - ppc64le, x86_64\nRed Hat Enterprise Linux Server Optional AUS (v. 7.7) - x86_64\nRed Hat Enterprise Linux Server Optional E4S (v. 7.7) - ppc64le, x86_64\nRed Hat Enterprise Linux Server Optional TUS (v. 7.7) - x86_64\nRed Hat Enterprise Linux Server TUS (v. 7.7) - x86_64\n\n3. Description:\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and\nTransport Layer Security (TLS) protocols, as well as a full-strength\ngeneral-purpose cryptography library. \n\nSecurity Fix(es):\n\n* openssl: Infinite loop in BN_mod_sqrt() reachable when parsing\ncertificates (CVE-2022-0778)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nFor the update to take effect, all services linked to the OpenSSL library\nmust be restarted, or the system rebooted. \n\n5. Package List:\n\nRed Hat Enterprise Linux Server AUS (v. 7.7):\n\nSource:\nopenssl-1.0.2k-21.el7_7.src.rpm\n\nx86_64:\nopenssl-1.0.2k-21.el7_7.x86_64.rpm\nopenssl-debuginfo-1.0.2k-21.el7_7.i686.rpm\nopenssl-debuginfo-1.0.2k-21.el7_7.x86_64.rpm\nopenssl-devel-1.0.2k-21.el7_7.i686.rpm\nopenssl-devel-1.0.2k-21.el7_7.x86_64.rpm\nopenssl-libs-1.0.2k-21.el7_7.i686.rpm\nopenssl-libs-1.0.2k-21.el7_7.x86_64.rpm\n\nRed Hat Enterprise Linux Server E4S (v. 7.7):\n\nSource:\nopenssl-1.0.2k-21.el7_7.src.rpm\n\nppc64le:\nopenssl-1.0.2k-21.el7_7.ppc64le.rpm\nopenssl-debuginfo-1.0.2k-21.el7_7.ppc64le.rpm\nopenssl-devel-1.0.2k-21.el7_7.ppc64le.rpm\nopenssl-libs-1.0.2k-21.el7_7.ppc64le.rpm\n\nx86_64:\nopenssl-1.0.2k-21.el7_7.x86_64.rpm\nopenssl-debuginfo-1.0.2k-21.el7_7.i686.rpm\nopenssl-debuginfo-1.0.2k-21.el7_7.x86_64.rpm\nopenssl-devel-1.0.2k-21.el7_7.i686.rpm\nopenssl-devel-1.0.2k-21.el7_7.x86_64.rpm\nopenssl-libs-1.0.2k-21.el7_7.i686.rpm\nopenssl-libs-1.0.2k-21.el7_7.x86_64.rpm\n\nRed Hat Enterprise Linux Server TUS (v. 7.7):\n\nSource:\nopenssl-1.0.2k-21.el7_7.src.rpm\n\nx86_64:\nopenssl-1.0.2k-21.el7_7.x86_64.rpm\nopenssl-debuginfo-1.0.2k-21.el7_7.i686.rpm\nopenssl-debuginfo-1.0.2k-21.el7_7.x86_64.rpm\nopenssl-devel-1.0.2k-21.el7_7.i686.rpm\nopenssl-devel-1.0.2k-21.el7_7.x86_64.rpm\nopenssl-libs-1.0.2k-21.el7_7.i686.rpm\nopenssl-libs-1.0.2k-21.el7_7.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional AUS (v. 7.7):\n\nx86_64:\nopenssl-debuginfo-1.0.2k-21.el7_7.i686.rpm\nopenssl-debuginfo-1.0.2k-21.el7_7.x86_64.rpm\nopenssl-perl-1.0.2k-21.el7_7.x86_64.rpm\nopenssl-static-1.0.2k-21.el7_7.i686.rpm\nopenssl-static-1.0.2k-21.el7_7.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional E4S (v. 7.7):\n\nppc64le:\nopenssl-debuginfo-1.0.2k-21.el7_7.ppc64le.rpm\nopenssl-perl-1.0.2k-21.el7_7.ppc64le.rpm\nopenssl-static-1.0.2k-21.el7_7.ppc64le.rpm\n\nx86_64:\nopenssl-debuginfo-1.0.2k-21.el7_7.i686.rpm\nopenssl-debuginfo-1.0.2k-21.el7_7.x86_64.rpm\nopenssl-perl-1.0.2k-21.el7_7.x86_64.rpm\nopenssl-static-1.0.2k-21.el7_7.i686.rpm\nopenssl-static-1.0.2k-21.el7_7.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional TUS (v. 7.7):\n\nx86_64:\nopenssl-debuginfo-1.0.2k-21.el7_7.i686.rpm\nopenssl-debuginfo-1.0.2k-21.el7_7.x86_64.rpm\nopenssl-perl-1.0.2k-21.el7_7.x86_64.rpm\nopenssl-static-1.0.2k-21.el7_7.i686.rpm\nopenssl-static-1.0.2k-21.el7_7.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2022-0778\nhttps://access.redhat.com/security/updates/classification/#important\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2022 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBYkHUr9zjgjWX9erEAQhkHQ//TKBrMV721kVVZUQwH24yK+5Owx085P9k\nXoKjwPfx5h/WLsQCXuGE9Ptsqdkl23zuwBkC/91HuGw2lOE/ap+fFjgZuDsCNoPy\ntg4qTIqRtvIkvvNF1U8JMmaahTegmAzdFCxIAYKkBMsQRIptX6tDrBgTv5279fj4\nTY8RA1Kj9Z2SLXFc/rcEUqDb5yKDJ0mvGzQl9VzBx9OKJbLkUReLQRcq5X5SbAyp\nPICvHr9TCX5OVS870tsw+yTQD0xIDPtUY8Abcb5lCHNbA1QJSwvm+dbMErhuiWtI\nRg6M9Ny5/VochcblHbfiNluI3NrbpSIqUCtz7xNeNvL1tU0pObAAgNZLunkwXE8S\nzy9W4U2RNFowQiBSYQe73CiI+RER0HxkolRzqoV2SeuIKQPTE/YjtSc977XvKy26\n0z9qLGU+kvJiD/gh69SkTTH23y97gUE4qL92wJl+JNnFZmNHj1nRBjvY8Q1dnC+/\nEJz98v1HvsScSbSSQsopgAZgJ+wJT+ZN0sZa78CLh4av/ISo6ri5dbE3C+F+JH3k\ncVjDU3v58rStC5M2KAIlroOhuZSUEYb4iUVEraubg2ItEeGnTCAif2msKPx7R94d\nSZ3MLJ3zjyZ8SKRyKbT8f0Fmn3SuxC26K4B6iQ4kiUmiYtn58OPIIygga6lJAWn1\n9J7/f8KjwEA=6u6P\n-----END PGP SIGNATURE-----\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n. Description:\n\nRed Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments. \n\nAll OpenShift Container Platform 4.8 users are advised to upgrade to these\nupdated packages and images when they are available in the appropriate\nrelease channel. To check for available updates, use the OpenShift Console\nor the CLI oc command. Instructions for upgrading a cluster are available\nat\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html\n\n3. Solution:\n\nFor OpenShift Container Platform 4.8 see the following documentation, which\nwill be updated shortly for this release, for important instructions on how\nto upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html\n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n2066837 - CVE-2022-24769 moby: Default inheritable capabilities for linux container should be empty\n\n5. Description:\n\nService Telemetry Framework (STF) provides automated collection of\nmeasurements and data from remote clients, such as Red Hat OpenStack\nPlatform or third-party nodes. \nDockerfiles and scripts should be amended either to refer to this new image\nspecifically, or to the latest image generally. Bugs fixed (https://bugzilla.redhat.com/):\n\n2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read\n\n5. 9) - aarch64, ppc64le, s390x, x86_64\n\n3. compat-openssl11 provides the legacy\n1.1 version of OpenSSL for use with older binaries. \n\nBug Fix(es):\n\n* compat-openssl11 breaks in FIPS (BZ#2091968)\n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1995656 - CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic\n2000478 - Using deprecated 1.25 API calls\n2022742 - NNCP creation fails when node of a cluster is unavailable\n2024938 - CVE-2021-41190 opencontainers: OCI manifest and index parsing confusion\n2028619 - policy/v1beta1 PodDisruptionBudget is deprecated in v1.21+, unavailable in v1.25+\n2029359 - NodeNetworkConfigurationPolicy refreshes all the conditions even if the policy has not gone to that state\n2032837 - Add/remove label to priority class are not reconciled properly left HCO in Unknown status. \n2033385 - Bug in kubernetes labels that are attached to the CNV logs\n2038814 - [CNV-4.10-rhel9] hyperconverged-cluster-cli-download pod CrashLoopBackOff state\n2039019 - Fix Top consumers dashboard\n2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter\n2046686 - Importer pod keeps in retarting when dataimportcron has a reference to invalid image sha\n2049990 - must-gather: must-gather is logging errors about upstream only namespaces\n2053390 - No DataImportCron for CentOS 7\n2054778 - PVC created with filesystem volume mode in some cases, instead of block volume mode\n2054782 - DataImportCron status does not show failure when failing to create dataSource\n2055304 - [4.10.z] nmstate interprets interface names as float64 and subsequently crashes on state update\n2055950 - cnv installation should set empty node selector for openshift-cnv namespace\n2056421 - non-privileged user cannot add disk as it cannot update resource \"virtualmachines/addvolume\"\n2056464 - nmstate-webhook pods getting scheduled on the same node\n2056619 - [4.10.z] kubemacpool-mac-controller-manager not ready\n2057142 - CDI aggregate roles missing some types\n2057148 - Cross namespace smart clone may get stuck in NamespaceTransferInProgress phase\n2057613 - nmpolicy capture - race condition when appying teardown nncp; nnce fails\n2059185 - must-gather: Must-gather gather_vms_details is not working when used with a list of vms\n2059613 - Must-gather: for vms with longer name, gather_vms_details fails to collect qemu, dump xml logs\n2062227 - sriovLiveMigration should not be enabled on sno clusters\n2062321 - when update attempt of hco.spec with storage classes failed, csv git stuck in installing state\n2063991 - On upgraded cluster, \"v2v-vmware\" is present under hco.status.relatedObject\n2065308 - CNV disables LiveMigration FG, but leaves LiveMigration workloadUpdateStrategy enabled\n2065743 - 4.10.1 containers\n2065755 - 4.10.1 rpms\n2066086 - DataImportCrons do not automatically recover from unconfigured default storage class\n2066712 - [4.10.z] Migration of vm from VMware reports pvc not large enough\n2069055 - [4.10.z] On an upgraded cluster NetworkAddonsConfig seems to be reconciling in a loop\n2070050 - [4.10.1] Custom guest PCI address and boot order parameters are not respected in a list of multiple SR-IOV NICs\n2073880 - Cannot create VM on SNO cluster as live migration feature is not enabled\n2077920 - Migration in sequence can be reported as failed even when it succeeded\n2078878 - SSP: Common templates fix to pick right templates\n\n5. \n\nThis advisory covers the containers for the release. Bugs fixed (https://bugzilla.redhat.com/):\n\n2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor\n2053259 - CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak\n2066009 - CVE-2021-44906 minimist: prototype pollution\n2067387 - CVE-2022-24771 node-forge: Signature verification leniency in checking `digestAlgorithm` structure can lead to signature forgery\n2067458 - CVE-2022-24772 node-forge: Signature verification failing to check tailing garbage bytes can lead to signature forgery\n2067461 - CVE-2022-24773 node-forge: Signature verification leniency in checking `DigestInfo` structure\n\n5. JIRA issues fixed (https://issues.jboss.org/):\n\nOSSM-1435 - Container release for Maistra 2.1.2.1\n\n6. Description:\n\nRed Hat JBoss Web Server is a fully integrated and certified set of\ncomponents for hosting Java web applications. It is comprised of the Apache\nTomcat Servlet container, JBoss HTTP Connector (mod_cluster), the\nPicketLink Vault extension for Apache Tomcat, and the Tomcat Native\nlibrary. This release includes bug fixes,\nenhancements and component upgrades, which are documented in the Release\nNotes, linked to in the References. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. ==========================================================================\nUbuntu Security Notice USN-6457-1\nOctober 30, 2023\n\nnodejs vulnerabilities\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 22.04 LTS\n\nSummary:\n\nSeveral security issues were fixed in Node.js. \n\nSoftware Description:\n- nodejs: An open-source, cross-platform JavaScript runtime environment. \n\nDetails:\n\nTavis Ormandy discovered that Node.js incorrectly handled certain inputs. (CVE-2022-0778)\n\nElison Niven discovered that Node.js incorrectly handled certain inputs. If a\nuser or an automated system were tricked into opening a specially crafted\ninput file, a remote attacker could possibly use this issue to execute\narbitrary code. (CVE-2022-1292)\n\nChancen and Daniel Fiala discovered that Node.js incorrectly handled certain\ninputs. If a user or an automated system were tricked into opening a specially\ncrafted input file, a remote attacker could possibly use this issue to execute\narbitrary code. (CVE-2022-2068)\n\nAlex Chernyakhovsky discovered that Node.js incorrectly handled certain\ninputs. If a user or an automated system were tricked into opening a specially\ncrafted input file, a remote attacker could possibly use this issue to execute\narbitrary code. (CVE-2022-2097)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 22.04 LTS:\n libnode-dev 12.22.9~dfsg-1ubuntu3.1\n libnode72 12.22.9~dfsg-1ubuntu3.1\n nodejs 12.22.9~dfsg-1ubuntu3.1\n nodejs-doc 12.22.9~dfsg-1ubuntu3.1\n\nIn general, a standard system update will make all the necessary changes",
"sources": [
{
"db": "NVD",
"id": "CVE-2022-0778"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-001476"
},
{
"db": "VULMON",
"id": "CVE-2022-0778"
},
{
"db": "PACKETSTORM",
"id": "166491"
},
{
"db": "PACKETSTORM",
"id": "166504"
},
{
"db": "PACKETSTORM",
"id": "166497"
},
{
"db": "PACKETSTORM",
"id": "166495"
},
{
"db": "PACKETSTORM",
"id": "167371"
},
{
"db": "PACKETSTORM",
"id": "167379"
},
{
"db": "PACKETSTORM",
"id": "168011"
},
{
"db": "PACKETSTORM",
"id": "167405"
},
{
"db": "PACKETSTORM",
"id": "167226"
},
{
"db": "PACKETSTORM",
"id": "166983"
},
{
"db": "PACKETSTORM",
"id": "167640"
},
{
"db": "PACKETSTORM",
"id": "166926"
},
{
"db": "PACKETSTORM",
"id": "175432"
}
],
"trust": 2.88
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2022-0778",
"trust": 4.0
},
{
"db": "TENABLE",
"id": "TNS-2022-09",
"trust": 1.0
},
{
"db": "TENABLE",
"id": "TNS-2022-06",
"trust": 1.0
},
{
"db": "TENABLE",
"id": "TNS-2022-07",
"trust": 1.0
},
{
"db": "TENABLE",
"id": "TNS-2022-08",
"trust": 1.0
},
{
"db": "PACKETSTORM",
"id": "167344",
"trust": 1.0
},
{
"db": "SIEMENS",
"id": "SSA-712929",
"trust": 1.0
},
{
"db": "JVN",
"id": "JVNVU91676340",
"trust": 0.8
},
{
"db": "JVN",
"id": "JVNVU96890975",
"trust": 0.8
},
{
"db": "JVN",
"id": "JVNVU91198149",
"trust": 0.8
},
{
"db": "JVN",
"id": "JVNVU99682885",
"trust": 0.8
},
{
"db": "JVN",
"id": "JVNVU98905589",
"trust": 0.8
},
{
"db": "JVN",
"id": "JVNVU90813125",
"trust": 0.8
},
{
"db": "ICS CERT",
"id": "ICSA-24-046-02",
"trust": 0.8
},
{
"db": "ICS CERT",
"id": "ICSA-22-272-02",
"trust": 0.8
},
{
"db": "ICS CERT",
"id": "ICSA-23-143-02",
"trust": 0.8
},
{
"db": "ICS CERT",
"id": "ICSA-23-059-01",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2022-001476",
"trust": 0.8
},
{
"db": "VULMON",
"id": "CVE-2022-0778",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "166491",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "166504",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "166497",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "166495",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "167371",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "167379",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "168011",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "167405",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "167226",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "166983",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "167640",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "166926",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "175432",
"trust": 0.1
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2022-0778"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-001476"
},
{
"db": "PACKETSTORM",
"id": "166491"
},
{
"db": "PACKETSTORM",
"id": "166504"
},
{
"db": "PACKETSTORM",
"id": "166497"
},
{
"db": "PACKETSTORM",
"id": "166495"
},
{
"db": "PACKETSTORM",
"id": "167371"
},
{
"db": "PACKETSTORM",
"id": "167379"
},
{
"db": "PACKETSTORM",
"id": "168011"
},
{
"db": "PACKETSTORM",
"id": "167405"
},
{
"db": "PACKETSTORM",
"id": "167226"
},
{
"db": "PACKETSTORM",
"id": "166983"
},
{
"db": "PACKETSTORM",
"id": "167640"
},
{
"db": "PACKETSTORM",
"id": "166926"
},
{
"db": "PACKETSTORM",
"id": "175432"
},
{
"db": "NVD",
"id": "CVE-2022-0778"
}
]
},
"id": "VAR-202203-0005",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.2376099833333333
},
"last_update_date": "2024-11-12T21:59:15.209000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "hitachi-sec-2022-132 Software product security information",
"trust": 0.8,
"url": "https://www.openssl.org/news/secadv/20220315.txt"
},
{
"title": "Amazon Linux AMI: ALAS-2022-1575",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2022-1575"
},
{
"title": "Debian Security Advisories: DSA-5103-1 openssl -- security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=4ecbdda56426ff105b6a2939daf5c4e7"
},
{
"title": "Red Hat: Important: openssl security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20221077 - Security Advisory"
},
{
"title": "Red Hat: Important: openssl security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20221078 - Security Advisory"
},
{
"title": "Red Hat: Important: openssl security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20221082 - Security Advisory"
},
{
"title": "Red Hat: Important: openssl security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20221073 - Security Advisory"
},
{
"title": "Red Hat: Important: openssl security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20221091 - Security Advisory"
},
{
"title": "Red Hat: Important: openssl security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20221076 - Security Advisory"
},
{
"title": "Red Hat: Important: openssl security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20221071 - Security Advisory"
},
{
"title": "Red Hat: Low: compat-openssl10 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20225326 - Security Advisory"
},
{
"title": "Red Hat: Important: Red Hat JBoss Web Server 5.6.2 Security Update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20221520 - Security Advisory"
},
{
"title": "Red Hat: Important: openssl security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20221112 - Security Advisory"
},
{
"title": "Red Hat: Important: compat-openssl11 security and bug fix update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20224899 - Security Advisory"
},
{
"title": "Red Hat: Important: openssl security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20221065 - Security Advisory"
},
{
"title": "Red Hat: Important: Red Hat JBoss Web Server 5.6.2 Security Update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20221519 - Security Advisory"
},
{
"title": "Red Hat: Important: openssl security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20221066 - Security Advisory"
},
{
"title": "Amazon Linux 2: ALAS2-2022-1766",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=ALAS2-2022-1766"
},
{
"title": "Amazon Linux 2: ALAS2NITRO-ENCLAVES-2022-018",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=ALAS2NITRO-ENCLAVES-2022-018"
},
{
"title": "Red Hat: ",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=CVE-2022-0778"
},
{
"title": "Red Hat: Moderate: OpenShift Container Platform 4.10.10 security and extras update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20221357 - Security Advisory"
},
{
"title": "Red Hat: Moderate: OpenShift Container Platform 4.9.29 bug fix and security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20221363 - Security Advisory"
},
{
"title": "Red Hat: Moderate: OpenShift Container Platform 4.8.37 security and extras update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20221370 - Security Advisory"
},
{
"title": "Red Hat: Moderate: OpenShift Container Platform 4.10.10 bug fix and security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20221356 - Security Advisory"
},
{
"title": "Tenable Security Advisories: [R1] Nessus Agent Versions 8.3.3 and 10.1.3 Fix One Third-Party Vulnerability",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=tenable_security_advisories\u0026qid=TNS-2022-07"
},
{
"title": "Tenable Security Advisories: [R1] Nessus Versions 8.15.4 and 10.1.2 Fix One Third-Party Vulnerability",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=tenable_security_advisories\u0026qid=TNS-2022-06"
},
{
"title": "Tenable Security Advisories: [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.19.0 to 5.20.1: Patch 202204.1",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=tenable_security_advisories\u0026qid=TNS-2022-08"
},
{
"title": "Amazon Linux 2022: ALAS2022-2022-041",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2022\u0026qid=ALAS2022-2022-041"
},
{
"title": "Red Hat: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP11 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20221390 - Security Advisory"
},
{
"title": "Red Hat: Moderate: OpenShift Virtualization 4.10.1 Images security and bug fix update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20224668 - Security Advisory"
},
{
"title": "Red Hat: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP11 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20221389 - Security Advisory"
},
{
"title": "Hitachi Security Advisories: Vulnerability in Hitachi Configuration Manager and Hitachi Ops Center API Configuration Manager",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=hitachi_security_advisories\u0026qid=hitachi-sec-2022-121"
},
{
"title": "Hitachi Security Advisories: Vulnerability in JP1",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=hitachi_security_advisories\u0026qid=hitachi-sec-2022-132"
},
{
"title": "Hitachi Security Advisories: Vulnerability in Cosminexus HTTP Server",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=hitachi_security_advisories\u0026qid=hitachi-sec-2022-118"
},
{
"title": "Red Hat: Moderate: Red Hat OpenShift Service Mesh 2.1.2.1 containers security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20221739 - Security Advisory"
},
{
"title": "Brocade Security Advisories: Access Denied",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=brocade_security_advisories\u0026qid=af28f1c934f899990fae4f8d3f165957"
},
{
"title": "Palo Alto Networks Security Advisory: CVE-2022-0778 Impact of the OpenSSL Infinite Loop Vulnerability CVE-2022-0778",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=palo_alto_networks_security_advisory\u0026qid=aae1a589daaf238d6814b018feedaec7"
},
{
"title": "Red Hat: Important: RHV-H security update (redhat-virtualization-host) 4.3.22",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20221263 - Security Advisory"
},
{
"title": "Red Hat: Important: Red Hat OpenShift GitOps security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20224690 - Security Advisory"
},
{
"title": "Red Hat: Important: RHACS 3.68 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20225132 - Security Advisory"
},
{
"title": "Red Hat: Moderate: Red Hat OpenShift Logging Security and Bug update Release 5.4.1",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20222216 - Security Advisory"
},
{
"title": "Red Hat: Moderate: Openshift Logging Security and Bug update Release (5.2.10)",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20222218 - Security Advisory"
},
{
"title": "Red Hat: Moderate: Red Hat OpenShift Logging Security and Bug update Release 5.3.7",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20222217 - Security Advisory"
},
{
"title": "Hitachi Security Advisories: Multiple Vulnerabilities in Hitachi Ops Center Analyzer, Hitachi Ops Center Analyzer viewpoint and Hitachi Ops Center Viewpoint",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=hitachi_security_advisories\u0026qid=hitachi-sec-2022-126"
},
{
"title": "Tenable Security Advisories: [R1] Tenable.sc 5.21.0 Fixes Multiple Third-Party Vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=tenable_security_advisories\u0026qid=TNS-2022-09"
},
{
"title": "Palo Alto Networks Security Advisory: CVE-2022-22963 Informational: Impact of Spring Vulnerabilities CVE-2022-22963 and CVE-2010-1622 Bypass",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=palo_alto_networks_security_advisory\u0026qid=bb2470489013d7c39502e755acaa670b"
},
{
"title": "Red Hat: Moderate: OpenShift Container Platform 4.6.57 security and extras update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20221622 - Security Advisory"
},
{
"title": "Red Hat: Low: Release of OpenShift Serverless Version 1.22.0",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20221747 - Security Advisory"
},
{
"title": "Red Hat: Moderate: Migration Toolkit for Containers (MTC) 1.7.1 security and bug fix update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20221734 - Security Advisory"
},
{
"title": "Red Hat: Moderate: Migration Toolkit for Containers (MTC) 1.7.3 security and bug fix update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20225840 - Security Advisory"
},
{
"title": "Hitachi Security Advisories: Multiple Vulnerabilities in Hitachi Command Suite, Hitachi Automation Director, Hitachi Configuration Manager, Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=hitachi_security_advisories\u0026qid=hitachi-sec-2023-126"
},
{
"title": "Red Hat: Moderate: Red Hat Advanced Cluster Management 2.4.3 security updates and bug fixes",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20221476 - Security Advisory"
},
{
"title": "Red Hat: Moderate: OpenShift Container Platform 4.11.0 extras and security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20225070 - Security Advisory"
},
{
"title": "Apple: macOS Monterey 12.4",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=apple_security_advisories\u0026qid=73857ee26a600b1527481f1deacc0619"
},
{
"title": "Red Hat: Important: Red Hat Advanced Cluster Management 2.5 security updates, images, and bug fixes",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20224956 - Security Advisory"
},
{
"title": "Red Hat: Important: OpenShift Virtualization 4.11.0 Images security and bug fix update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20226526 - Security Advisory"
},
{
"title": "Red Hat: Moderate: Migration Toolkit for Containers (MTC) 1.5.4 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20221396 - Security Advisory"
},
{
"title": "Red Hat: Important: Service Telemetry Framework 1.4 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20225924 - Security Advisory"
},
{
"title": "Red Hat: Important: OpenShift Container Platform 4.11.0 bug fix and security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20225069 - Security Advisory"
},
{
"title": "Amazon Linux 2: ALASMARIADB10.5-2023-003",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=ALASMARIADB10.5-2023-003"
},
{
"title": "Amazon Linux 2022: ALAS2022-2022-182",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2022\u0026qid=ALAS2022-2022-182"
},
{
"title": "CVE-2022-0778",
"trust": 0.1,
"url": "https://github.com/jeongjunsoo/CVE-2022-0778 "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2022-0778"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-001476"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-835",
"trust": 1.0
},
{
"problemtype": "infinite loop (CWE-835) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-001476"
},
{
"db": "NVD",
"id": "CVE-2022-0778"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.0,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-0778"
},
{
"trust": 1.2,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 1.2,
"url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 1.2,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 1.2,
"url": "https://access.redhat.com/security/cve/cve-2022-0778"
},
{
"trust": 1.0,
"url": "http://packetstormsecurity.com/files/167344/openssl-1.0.2-1.1.1-3.0-bn_mod_sqrt-infinite-loop.html"
},
{
"trust": 1.0,
"url": "http://seclists.org/fulldisclosure/2022/may/33"
},
{
"trust": 1.0,
"url": "http://seclists.org/fulldisclosure/2022/may/35"
},
{
"trust": 1.0,
"url": "http://seclists.org/fulldisclosure/2022/may/38"
},
{
"trust": 1.0,
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-712929.pdf"
},
{
"trust": 1.0,
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3ba=commitdiff%3bh=3118eb64934499d93db3230748a452351d1d9a65"
},
{
"trust": 1.0,
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3ba=commitdiff%3bh=380085481c64de749a6dd25cdf0bcf4360b30f83"
},
{
"trust": 1.0,
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3ba=commitdiff%3bh=a466912611aa6cbdf550cd10601390e587451246"
},
{
"trust": 1.0,
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html"
},
{
"trust": 1.0,
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/323snn6zx7prjjwp2buaflpuae42xwlz/"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/gdb3gqvjpxje7x5c5jn6jaa4xudwd6e6/"
},
{
"trust": 1.0,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/w6k3pr542dxwleffmfidmme4cwmhjrmg/"
},
{
"trust": 1.0,
"url": "https://psirt.global.sonicwall.com/vuln-detail/snwlid-2022-0002"
},
{
"trust": 1.0,
"url": "https://security.gentoo.org/glsa/202210-02"
},
{
"trust": 1.0,
"url": "https://security.netapp.com/advisory/ntap-20220321-0002/"
},
{
"trust": 1.0,
"url": "https://security.netapp.com/advisory/ntap-20220429-0005/"
},
{
"trust": 1.0,
"url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
},
{
"trust": 1.0,
"url": "https://support.apple.com/kb/ht213255"
},
{
"trust": 1.0,
"url": "https://support.apple.com/kb/ht213256"
},
{
"trust": 1.0,
"url": "https://support.apple.com/kb/ht213257"
},
{
"trust": 1.0,
"url": "https://www.debian.org/security/2022/dsa-5103"
},
{
"trust": 1.0,
"url": "https://www.openssl.org/news/secadv/20220315.txt"
},
{
"trust": 1.0,
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"trust": 1.0,
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"trust": 1.0,
"url": "https://www.tenable.com/security/tns-2022-06"
},
{
"trust": 1.0,
"url": "https://www.tenable.com/security/tns-2022-07"
},
{
"trust": 1.0,
"url": "https://www.tenable.com/security/tns-2022-08"
},
{
"trust": 1.0,
"url": "https://www.tenable.com/security/tns-2022-09"
},
{
"trust": 0.9,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.8,
"url": "https://jvn.jp/vu/jvnvu90813125/"
},
{
"trust": 0.8,
"url": "https://jvn.jp/vu/jvnvu99682885/index.html"
},
{
"trust": 0.8,
"url": "http://jvn.jp/vu/jvnvu98905589/index.html"
},
{
"trust": 0.8,
"url": "http://jvn.jp/vu/jvnvu96890975/index.html"
},
{
"trust": 0.8,
"url": "https://jvn.jp/vu/jvnvu91676340/"
},
{
"trust": 0.8,
"url": "https://jvn.jp/vu/jvnvu91198149/index.html"
},
{
"trust": 0.8,
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-272-02"
},
{
"trust": 0.8,
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-059-01"
},
{
"trust": 0.8,
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-143-02"
},
{
"trust": 0.8,
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-046-02"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-24769"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-24769"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-24407"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-25236"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-25235"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-25315"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-25235"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-25315"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-25236"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:1065"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:1082"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:1076"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:1077"
},
{
"trust": 0.1,
"url": "https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhba-2022:1369"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:1370"
},
{
"trust": 0.1,
"url": "https://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:1357"
},
{
"trust": 0.1,
"url": "https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html"
},
{
"trust": 0.1,
"url": "https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-37750"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-3867"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9805"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-3894"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9807"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-3899"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-30761"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-8743"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2017-14502"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8743"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8823"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2016-10228"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-1000858"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-3900"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9894"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33938"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-27618"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8782"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-10228"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8771"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9952"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8846"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9915"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-1271"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8783"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-36222"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-8625"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3326"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8813"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9806"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-3885"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9802"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-20305"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8764"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-22946"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8769"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8710"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2018-1000858"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-10018"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9895"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8811"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-8710"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2017-14502"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-15358"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8819"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-3862"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-13050"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-25032"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-3868"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-29361"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-9169"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-3895"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-3865"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3518"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33930"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-14391"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-3864"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9862"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3541"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33929"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-29362"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8835"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-14889"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8816"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-8927"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-3897"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8808"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-13627"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3520"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-20454"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8625"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-27218"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-22947"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8766"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-11793"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9803"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3521"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9850"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-25013"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3537"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-30666"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3517"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-33928"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-30631"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8820"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9893"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-23852"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14889"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-1730"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8844"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-20807"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3516"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-3902"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:5924"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8814"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-13434"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8812"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-25013"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8815"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9843"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-20454"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-3901"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-8720"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2018-25032"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-30762"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-13050"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-13627"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-29363"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-20807"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9925"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-15503"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-8720"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:4899"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-41190"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-24407"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-41190"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-21698"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-36221"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-36221"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-21698"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:4668"
},
{
"trust": 0.1,
"url": "https://issues.jboss.org/):"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-24773"
},
{
"trust": 0.1,
"url": "https://docs.openshift.com/container-platform/latest/service_mesh/v2x/servicemesh-release-notes.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-24772"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-0235"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-24771"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-0235"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-24771"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-24772"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-44906"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-0536"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:1739"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-0536"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-24773"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-44906"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/updates/classification/#low"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:5326"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:1519"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-1292"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-2068"
},
{
"trust": 0.1,
"url": "https://ubuntu.com/security/notices/usn-6457-1"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-2097"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/nodejs/12.22.9~dfsg-1ubuntu3.1"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-001476"
},
{
"db": "PACKETSTORM",
"id": "166491"
},
{
"db": "PACKETSTORM",
"id": "166504"
},
{
"db": "PACKETSTORM",
"id": "166497"
},
{
"db": "PACKETSTORM",
"id": "166495"
},
{
"db": "PACKETSTORM",
"id": "167371"
},
{
"db": "PACKETSTORM",
"id": "167379"
},
{
"db": "PACKETSTORM",
"id": "168011"
},
{
"db": "PACKETSTORM",
"id": "167405"
},
{
"db": "PACKETSTORM",
"id": "167226"
},
{
"db": "PACKETSTORM",
"id": "166983"
},
{
"db": "PACKETSTORM",
"id": "167640"
},
{
"db": "PACKETSTORM",
"id": "166926"
},
{
"db": "PACKETSTORM",
"id": "175432"
},
{
"db": "NVD",
"id": "CVE-2022-0778"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULMON",
"id": "CVE-2022-0778"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-001476"
},
{
"db": "PACKETSTORM",
"id": "166491"
},
{
"db": "PACKETSTORM",
"id": "166504"
},
{
"db": "PACKETSTORM",
"id": "166497"
},
{
"db": "PACKETSTORM",
"id": "166495"
},
{
"db": "PACKETSTORM",
"id": "167371"
},
{
"db": "PACKETSTORM",
"id": "167379"
},
{
"db": "PACKETSTORM",
"id": "168011"
},
{
"db": "PACKETSTORM",
"id": "167405"
},
{
"db": "PACKETSTORM",
"id": "167226"
},
{
"db": "PACKETSTORM",
"id": "166983"
},
{
"db": "PACKETSTORM",
"id": "167640"
},
{
"db": "PACKETSTORM",
"id": "166926"
},
{
"db": "PACKETSTORM",
"id": "175432"
},
{
"db": "NVD",
"id": "CVE-2022-0778"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-03-15T00:00:00",
"db": "VULMON",
"id": "CVE-2022-0778"
},
{
"date": "2022-03-17T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2022-001476"
},
{
"date": "2022-03-28T15:52:52",
"db": "PACKETSTORM",
"id": "166491"
},
{
"date": "2022-03-28T15:55:39",
"db": "PACKETSTORM",
"id": "166504"
},
{
"date": "2022-03-28T15:54:40",
"db": "PACKETSTORM",
"id": "166497"
},
{
"date": "2022-03-28T15:54:04",
"db": "PACKETSTORM",
"id": "166495"
},
{
"date": "2022-06-03T15:30:23",
"db": "PACKETSTORM",
"id": "167371"
},
{
"date": "2022-06-03T15:38:06",
"db": "PACKETSTORM",
"id": "167379"
},
{
"date": "2022-08-09T14:36:05",
"db": "PACKETSTORM",
"id": "168011"
},
{
"date": "2022-06-06T14:54:58",
"db": "PACKETSTORM",
"id": "167405"
},
{
"date": "2022-05-19T15:53:21",
"db": "PACKETSTORM",
"id": "167226"
},
{
"date": "2022-05-06T14:51:24",
"db": "PACKETSTORM",
"id": "166983"
},
{
"date": "2022-07-01T14:55:27",
"db": "PACKETSTORM",
"id": "167640"
},
{
"date": "2022-05-03T14:28:07",
"db": "PACKETSTORM",
"id": "166926"
},
{
"date": "2023-10-31T13:11:25",
"db": "PACKETSTORM",
"id": "175432"
},
{
"date": "2022-03-15T17:15:08.513000",
"db": "NVD",
"id": "CVE-2022-0778"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-11-07T00:00:00",
"db": "VULMON",
"id": "CVE-2022-0778"
},
{
"date": "2024-06-20T06:36:00",
"db": "JVNDB",
"id": "JVNDB-2022-001476"
},
{
"date": "2024-06-21T19:15:21.473000",
"db": "NVD",
"id": "CVE-2022-0778"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "168011"
},
{
"db": "PACKETSTORM",
"id": "175432"
}
],
"trust": 0.2
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "OpenSSL\u00a0 of \u00a0BN_mod_sqrt()\u00a0 Problem that causes an infinite loop when the law in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-001476"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "arbitrary",
"sources": [
{
"db": "PACKETSTORM",
"id": "175432"
}
],
"trust": 0.1
}
}
var-202004-1137
Vulnerability from variot
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). (CVE-2020-2754, CVE-2020-2755). ========================================================================== Ubuntu Security Notice USN-4337-1 April 22, 2020
openjdk-8, openjdk-lts vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 19.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in OpenJDK.
Software Description: - openjdk-8: Open Source Java implementation - openjdk-lts: Open Source Java implementation
Details:
It was discovered that OpenJDK incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service while processing a specially crafted regular expression. (CVE-2020-2754, CVE-2020-2755)
It was discovered that OpenJDK incorrectly handled class descriptors and catching exceptions during object stream deserialization. An attacker could possibly use this issue to cause a denial of service while processing a specially crafted serialized input. (CVE-2020-2756, CVE-2020-2757)
Bengt Jonsson, Juraj Somorovsky, Kostis Sagonas, Paul Fiterau Brostean and Robert Merget discovered that OpenJDK incorrectly handled certificate messages during TLS handshake. An attacker could possibly use this issue to bypass certificate verification and insert, edit or obtain sensitive information. This issue only affected OpenJDK 11. (CVE-2020-2767)
It was discovered that OpenJDK incorrectly handled exceptions thrown by unmarshalKeyInfo() and unmarshalXMLSignature(). An attacker could possibly use this issue to cause a denial of service while reading key info or XML signature data from XML input. (CVE-2020-2773)
Peter Dettman discovered that OpenJDK incorrectly handled SSLParameters in setAlgorithmConstraints(). An attacker could possibly use this issue to override the defined systems security policy and lead to the use of weak crypto algorithms that should be disabled. This issue only affected OpenJDK 11. (CVE-2020-2778)
Simone Bordet discovered that OpenJDK incorrectly re-used single null TLS sessions for new TLS connections. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2020-2781)
Dan Amodio discovered that OpenJDK did not restrict the use of CR and LF characters in values for HTTP headers. An attacker could possibly use this issue to insert, edit or obtain sensitive information. (CVE-2020-2800)
Nils Emmerich discovered that OpenJDK incorrectly checked boundaries or argument types. An attacker could possibly use this issue to bypass sandbox restrictions causing unspecified impact. (CVE-2020-2803, CVE-2020-2805)
It was discovered that OpenJDK incorrectly handled application data packets during TLS handshake. An attacker could possibly use this issue to insert, edit or obtain sensitive information. This issue only affected OpenJDK 11. (CVE-2020-2816)
It was discovered that OpenJDK incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service. (CVE-2020-2830)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 19.10: openjdk-11-jdk 11.0.7+10-2ubuntu2~19.10 openjdk-11-jre 11.0.7+10-2ubuntu2~19.10 openjdk-11-jre-headless 11.0.7+10-2ubuntu2~19.10 openjdk-11-jre-zero 11.0.7+10-2ubuntu2~19.10 openjdk-8-jdk 8u252-b09-1~19.10 openjdk-8-jre 8u252-b09-1~19.10 openjdk-8-jre-headless 8u252-b09-1~19.10 openjdk-8-jre-zero 8u252-b09-1~19.10
Ubuntu 18.04 LTS: openjdk-11-jdk 11.0.7+10-2ubuntu2~18.04 openjdk-11-jre 11.0.7+10-2ubuntu2~18.04 openjdk-11-jre-headless 11.0.7+10-2ubuntu2~18.04 openjdk-11-jre-zero 11.0.7+10-2ubuntu2~18.04 openjdk-8-jdk 8u252-b09-1~18.04 openjdk-8-jre 8u252-b09-1~18.04 openjdk-8-jre-headless 8u252-b09-1~18.04 openjdk-8-jre-zero 8u252-b09-1~18.04
Ubuntu 16.04 LTS: openjdk-8-jdk 8u252-b09-1~16.04 openjdk-8-jre 8u252-b09-1~16.04 openjdk-8-jre-headless 8u252-b09-1~16.04 openjdk-8-jre-jamvm 8u252-b09-1~16.04 openjdk-8-jre-zero 8u252-b09-1~16.04
This update uses a new upstream release, which includes additional bug fixes. 8.0) - aarch64, noarch, ppc64le, s390x, x86_64
-
8.0) - aarch64, ppc64le, s390x, x86_64
-
Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
Security Fix(es):
- operator-framework/presto: /etc/passwd was given incorrect privileges (CVE-2019-19352)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution:
For OpenShift Container Platform 4.4 see the following documentation, which will be updated shortly for release 4.4.3, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:
https://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-rel ease-notes.html
Details on how to access this content are available at https://docs.openshift.com/container-platform/4.4/updating/updating-cluster - -cli.html. Bugs fixed (https://bugzilla.redhat.com/):
1793281 - CVE-2019-19352 operator-framework/presto: /etc/passwd is given incorrect privileges
-
7) - x86_64
-
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
===================================================================== Red Hat Security Advisory
Synopsis: Important: java-1.8.0-openjdk security update Advisory ID: RHSA-2020:1512-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:1512 Issue date: 2020-04-21 CVE Names: CVE-2020-2754 CVE-2020-2755 CVE-2020-2756 CVE-2020-2757 CVE-2020-2773 CVE-2020-2781 CVE-2020-2800 CVE-2020-2803 CVE-2020-2805 CVE-2020-2830 =====================================================================
- Summary:
An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64
- Description:
The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.
Security Fix(es):
-
OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803)
-
OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805)
-
OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773)
-
OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781)
-
OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800)
-
OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830)
-
OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754)
-
OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755)
-
OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)
-
OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
- Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
All running instances of OpenJDK Java must be restarted for this update to take effect.
- Bugs fixed (https://bugzilla.redhat.com/):
1823199 - CVE-2020-2754 OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) 1823200 - CVE-2020-2755 OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) 1823215 - CVE-2020-2756 OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) 1823216 - CVE-2020-2757 OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) 1823224 - CVE-2020-2773 OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415) 1823527 - CVE-2020-2800 OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) 1823542 - CVE-2020-2830 OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) 1823694 - CVE-2020-2803 OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) 1823844 - CVE-2020-2805 OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) 1823960 - CVE-2020-2781 OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408)
- Package List:
Red Hat Enterprise Linux Client (v. 7):
Source: java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.src.rpm
x86_64: java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.x86_64.rpm java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.x86_64.rpm java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
noarch: java-1.8.0-openjdk-javadoc-1.8.0.252.b09-2.el7_8.noarch.rpm java-1.8.0-openjdk-javadoc-zip-1.8.0.252.b09-2.el7_8.noarch.rpm
x86_64: java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.x86_64.rpm java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.x86_64.rpm java-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.x86_64.rpm java-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.x86_64.rpm java-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source: java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.src.rpm
x86_64: java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.x86_64.rpm java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.x86_64.rpm java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
noarch: java-1.8.0-openjdk-javadoc-1.8.0.252.b09-2.el7_8.noarch.rpm java-1.8.0-openjdk-javadoc-zip-1.8.0.252.b09-2.el7_8.noarch.rpm
x86_64: java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.x86_64.rpm java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.x86_64.rpm java-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.x86_64.rpm java-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.x86_64.rpm java-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source: java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.src.rpm
ppc64: java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.ppc64.rpm java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.ppc64.rpm java-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.ppc64.rpm java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.ppc64.rpm
ppc64le: java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.ppc64le.rpm java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.ppc64le.rpm java-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.ppc64le.rpm java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.ppc64le.rpm
s390x: java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.s390x.rpm java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.s390x.rpm java-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.s390x.rpm java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.s390x.rpm
x86_64: java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.x86_64.rpm java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.x86_64.rpm java-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.x86_64.rpm java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
noarch: java-1.8.0-openjdk-javadoc-1.8.0.252.b09-2.el7_8.noarch.rpm java-1.8.0-openjdk-javadoc-zip-1.8.0.252.b09-2.el7_8.noarch.rpm
ppc64: java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.ppc64.rpm java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.ppc64.rpm java-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.ppc64.rpm java-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.ppc64.rpm
ppc64le: java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.ppc64le.rpm java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.ppc64le.rpm java-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.ppc64le.rpm java-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.ppc64le.rpm
s390x: java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.s390x.rpm java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.s390x.rpm java-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.s390x.rpm java-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.s390x.rpm
x86_64: java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.x86_64.rpm java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.x86_64.rpm java-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.x86_64.rpm java-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source: java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.src.rpm
x86_64: java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.x86_64.rpm java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.x86_64.rpm java-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.x86_64.rpm java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
noarch: java-1.8.0-openjdk-javadoc-1.8.0.252.b09-2.el7_8.noarch.rpm java-1.8.0-openjdk-javadoc-zip-1.8.0.252.b09-2.el7_8.noarch.rpm
x86_64: java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.x86_64.rpm java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.x86_64.rpm java-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.x86_64.rpm java-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.i686.rpm java-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2020-2754 https://access.redhat.com/security/cve/CVE-2020-2755 https://access.redhat.com/security/cve/CVE-2020-2756 https://access.redhat.com/security/cve/CVE-2020-2757 https://access.redhat.com/security/cve/CVE-2020-2773 https://access.redhat.com/security/cve/CVE-2020-2781 https://access.redhat.com/security/cve/CVE-2020-2800 https://access.redhat.com/security/cve/CVE-2020-2803 https://access.redhat.com/security/cve/CVE-2020-2805 https://access.redhat.com/security/cve/CVE-2020-2830 https://access.redhat.com/security/updates/classification/#important
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBXp7Zs9zjgjWX9erEAQijNg//Wv9fjFvkxHC42Hd5YcN8qnGcf6gdOYDW pAv6Tv6q9pstko1bcUZYa0V01XejJYe/5uAADu3QGe1aMihI0VMjXrlFULW1laNS QTRtsnzTac5Gm3cJZKDXIv1ITI+fgGBWOvwN9lketAQtO5su+JbPTPQ4S0rBy55D gAVa8RVPi6qQt85HmXDrrpaAI2N8EFVkJBpC9ZRRFtI5wTv//bVx29Qw/sthlN3N qXwO8KZI44Xbe+vb6QpGcNkly+Dh7CdeVFV1OVkqx8eOVA8Cj45NAeBgP1W8n2VQ zt0GiKCbrV49e2AsBgmK49/J3N2L9xalsHSn54+6N02rcjf4dseV5flz5/unSIDc gPqFCTRbGZcIdjFbilvsklGBVfBzXjw5SjUemMKYggXa+6L74O+kuH4TRZRXhmEX 70Kvn1w0ta8P1bxK0A6BM6ZnDo5f7jVIQipk2M/hw6SDzu7ZA5zbDRCg419AZ8qc syuuHWmdfpRRj0XlUw5eBfBUq8UL+huEfRvu85zBhvhTw/Pyu+T0nQ7iofSyqvob 2LlLyPV14RBOzGIWLqrt2tGBUYanKULxIdT+VtSu4gyuloGc84onSLTqU0Ucbc85 nxpY6nc9GxOYWCMDITnr4xiRXQuUuE5V4UVwsFlr+xsEYcsAXdPLzyXzw8S8sL+Z yPjQbJvoqgE= =5P5C -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
Debian Security Advisory DSA-4662-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff April 24, 2020 https://www.debian.org/security/faq
Package : openjdk-11 CVE ID : CVE-2020-2754 CVE-2020-2755 CVE-2020-2756 CVE-2020-2757 CVE-2020-2767 CVE-2020-2773 CVE-2020-2778 CVE-2020-2781 CVE-2020-2800 CVE-2020-2803 CVE-2020-2805 CVE-2020-2816 CVE-2020-2830
Several vulnerabilities have been discovered in the OpenJDK Java runtime, resulting in denial of service, insecure TLS handshakes, bypass of sandbox restrictions or HTTP response splitting attacks.
For the stable distribution (buster), these problems have been fixed in version 11.0.7+10-3~deb10u1.
We recommend that you upgrade your openjdk-11 packages.
For the detailed security status of openjdk-11 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openjdk-11
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----
iQIyBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl6i4QkACgkQEMKTtsN8 TjYOlg/3ZpduOWklosp1sS0za11zUYZHlql01d75lk2HS/u5sEVUNPyVcZ2iC8Bk zVBfqdJmfoODThzMVws1f9BhTvdaigPd+6stG3eVcU7kHS3IEpSAglKRK9220jDQ Euz2CXHV2trngO9C6oEg6OOB2wguKyeFT7VlMazyznmesIUr+BnmTpm/t97QOAhj +OyeXm3YdI7B8idZUNnUS42SKei+vaj1b/Dwi7Bv5YZUgIDAy8J6lRxUYi3EA/MT Lux7auJiMw9cIx5xqiIIW+3JmLrxXZQdvxWRsZtl5ATNwMf/PDjroWGj1eIRIa66 70dJ4FoY/yHdc4wnadBJKhWUgZbGDpVyclzRx8DBlqYxmJx0BVu10he1j8fMJnp1 72A/gHVtcHDuCLpskgYiJeUqkPq/nMEt85Q2NpnW61sGFJedGIQeAMGKLPsLCmz4 U8L2CaTvtnBFNN82P50rDCuFwKChOJ5OqKuZCBwX6hhJQqgPsSGE7wdUep0UFbm0 9qyEZ+Ph7v42+JcnP3O/Ow9i2Q+rkHcCu//jp+TaeyjZEaIurAAlMz9YN8Tp665n lXe0nmWPkY+oCDoEglH5GaLkft0lEOT8idGp3ccBhHsQGhyJAq2z0b9OBTUgidjY 99udJWsH8naHMBZL5aHmByQ/73mL/MB+oMRv15ypVrnL2B3KVQ== =/qDT -----END PGP SIGNATURE-----
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202004-1137",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "openjdk",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "10.0"
},
{
"model": "e-series santricity web services",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "openjdk",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "11.0.6"
},
{
"model": "openjdk",
"scope": "gte",
"trust": 1.0,
"vendor": "oracle",
"version": "11"
},
{
"model": "jdk",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "11.0.6"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "16.04"
},
{
"model": "jdk",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "1.7.0"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "32"
},
{
"model": "leap",
"scope": "eq",
"trust": 1.0,
"vendor": "opensuse",
"version": "15.2"
},
{
"model": "active iq unified manager",
"scope": "gte",
"trust": 1.0,
"vendor": "netapp",
"version": "7.3"
},
{
"model": "openjdk",
"scope": "gte",
"trust": 1.0,
"vendor": "oracle",
"version": "13"
},
{
"model": "storagegrid",
"scope": "gte",
"trust": 1.0,
"vendor": "netapp",
"version": "9.0.0"
},
{
"model": "jre",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "11.0.6"
},
{
"model": "e-series santricity os controller",
"scope": "gte",
"trust": 1.0,
"vendor": "netapp",
"version": "11.0.0"
},
{
"model": "leap",
"scope": "eq",
"trust": 1.0,
"vendor": "opensuse",
"version": "15.1"
},
{
"model": "jre",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "1.7.0"
},
{
"model": "threat intelligence exchange server",
"scope": "lt",
"trust": 1.0,
"vendor": "mcafee",
"version": "2.3.1"
},
{
"model": "e-series performance analyzer",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "steelstore cloud integrated storage",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "openjdk",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "13.0.2"
},
{
"model": "plug-in for symantec netbackup",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "e-series santricity os controller",
"scope": "lte",
"trust": 1.0,
"vendor": "netapp",
"version": "11.60.1"
},
{
"model": "threat intelligence exchange server",
"scope": "eq",
"trust": 1.0,
"vendor": "mcafee",
"version": "3.0.0"
},
{
"model": "openjdk",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "14"
},
{
"model": "snapmanager",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "19.10"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "30"
},
{
"model": "jdk",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "14.0.0"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "18.04"
},
{
"model": "active iq unified manager",
"scope": "gte",
"trust": 1.0,
"vendor": "netapp",
"version": "9.5"
},
{
"model": "santricity unified manager",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "31"
},
{
"model": "storagegrid",
"scope": "lte",
"trust": 1.0,
"vendor": "netapp",
"version": "9.0.4"
},
{
"model": "oncommand workflow automation",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "8.0"
},
{
"model": "threat intelligence exchange server",
"scope": "gte",
"trust": 1.0,
"vendor": "mcafee",
"version": "2.0.0"
},
{
"model": "threat intelligence exchange server",
"scope": "eq",
"trust": 1.0,
"vendor": "mcafee",
"version": "2.3.1"
},
{
"model": "jre",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "14.0.0"
},
{
"model": "jdk",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "1.8.0"
},
{
"model": "7-mode transition tool",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "cloud backup",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "oncommand insight",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "openjdk",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "7"
},
{
"model": "storagegrid",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "jre",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "1.8.0"
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2020-2830"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:oracle:jre:1.7.0:update_251:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:jre:1.8.0:update_241:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:jdk:14.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:jre:14.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:jdk:11.0.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:jre:11.0.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:jdk:1.8.0:update241:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:jdk:1.7.0:update251:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:-:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update102:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update112:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update152:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update162:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update172:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update192:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update20:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update202:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update212:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update40:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update60:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update66:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update72:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update92:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update241:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update80:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update85:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:-:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update241:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update65:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update71:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update73:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update74:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update77:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update91:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update101:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update111:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update121:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update131:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update141:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update151:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update161:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update171:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update181:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update191:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update201:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update211:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update45:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update51:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update25:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update31:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update5:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update11:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update221:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:8:update231:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "11.0.6",
"versionStartIncluding": "11",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update251:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update231:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update221:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update211:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update201:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update191:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update101:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update111:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update121:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update131:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update141:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update151:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update161:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update171:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update181:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update10:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update11:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update13:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update15:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update17:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update21:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update25:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update40:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update45:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update5:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update51:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update55:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update6:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update60:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update65:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update67:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update7:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update72:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update76:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update9:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update91:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update95:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update97:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:7:update99:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "13.0.2",
"versionStartIncluding": "13",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:storagegrid:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:storagegrid:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "9.0.4",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:*",
"cpe_name": [],
"versionStartIncluding": "7.3",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vsphere:*:*",
"cpe_name": [],
"versionStartIncluding": "9.5",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:7-mode_transition_tool:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "11.60.1",
"versionStartIncluding": "11.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:e-series_santricity_web_services:-:*:*:*:*:web_services_proxy:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:plug-in_for_symantec_netbackup:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:santricity_unified_manager:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:netapp:snapmanager:-:-:*:*:*:oracle:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:mcafee:threat_intelligence_exchange_server:3.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mcafee:threat_intelligence_exchange_server:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.3.1",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mcafee:threat_intelligence_exchange_server:2.3.1:-:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mcafee:threat_intelligence_exchange_server:2.3.1:hotfix1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mcafee:threat_intelligence_exchange_server:2.3.1:hotfix2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2020-2830"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Red Hat",
"sources": [
{
"db": "PACKETSTORM",
"id": "157350"
},
{
"db": "PACKETSTORM",
"id": "157351"
},
{
"db": "PACKETSTORM",
"id": "157349"
},
{
"db": "PACKETSTORM",
"id": "157550"
},
{
"db": "PACKETSTORM",
"id": "157549"
},
{
"db": "PACKETSTORM",
"id": "157777"
},
{
"db": "PACKETSTORM",
"id": "157319"
},
{
"db": "PACKETSTORM",
"id": "157778"
}
],
"trust": 0.8
},
"cve": "CVE-2020-2830",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "CVE-2020-2830",
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.1,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"id": "CVE-2020-2830",
"impactScore": 1.4,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2020-2830",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2020-2830",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2020-2830"
},
{
"db": "NVD",
"id": "CVE-2020-2830"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). \n(CVE-2020-2754, CVE-2020-2755). ==========================================================================\nUbuntu Security Notice USN-4337-1\nApril 22, 2020\n\nopenjdk-8, openjdk-lts vulnerabilities\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 19.10\n- Ubuntu 18.04 LTS\n- Ubuntu 16.04 LTS\n\nSummary:\n\nSeveral security issues were fixed in OpenJDK. \n\nSoftware Description:\n- openjdk-8: Open Source Java implementation\n- openjdk-lts: Open Source Java implementation\n\nDetails:\n\nIt was discovered that OpenJDK incorrectly handled certain regular\nexpressions. An attacker could possibly use this issue to cause a denial of\nservice while processing a specially crafted regular expression. \n(CVE-2020-2754, CVE-2020-2755)\n\nIt was discovered that OpenJDK incorrectly handled class descriptors and\ncatching exceptions during object stream deserialization. An attacker could\npossibly use this issue to cause a denial of service while processing a\nspecially crafted serialized input. (CVE-2020-2756, CVE-2020-2757)\n\nBengt Jonsson, Juraj Somorovsky, Kostis Sagonas, Paul Fiterau Brostean and\nRobert Merget discovered that OpenJDK incorrectly handled certificate messages\nduring TLS handshake. An attacker could possibly use this issue to bypass\ncertificate verification and insert, edit or obtain sensitive information. This\nissue only affected OpenJDK 11. (CVE-2020-2767)\n\nIt was discovered that OpenJDK incorrectly handled exceptions thrown by\nunmarshalKeyInfo() and unmarshalXMLSignature(). An attacker could possibly use\nthis issue to cause a denial of service while reading key info or XML signature\ndata from XML input. (CVE-2020-2773)\n\nPeter Dettman discovered that OpenJDK incorrectly handled SSLParameters in\nsetAlgorithmConstraints(). An attacker could possibly use this issue to\noverride the defined systems security policy and lead to the use of weak\ncrypto algorithms that should be disabled. This issue only affected\nOpenJDK 11. (CVE-2020-2778)\n\nSimone Bordet discovered that OpenJDK incorrectly re-used single null TLS\nsessions for new TLS connections. A remote attacker could possibly use this\nissue to cause a denial of service. (CVE-2020-2781)\n\nDan Amodio discovered that OpenJDK did not restrict the use of CR and LF\ncharacters in values for HTTP headers. An attacker could possibly use this\nissue to insert, edit or obtain sensitive information. (CVE-2020-2800)\n\nNils Emmerich discovered that OpenJDK incorrectly checked boundaries or\nargument types. An attacker could possibly use this issue to bypass sandbox\nrestrictions causing unspecified impact. (CVE-2020-2803, CVE-2020-2805)\n\nIt was discovered that OpenJDK incorrectly handled application data packets\nduring TLS handshake. An attacker could possibly use this issue to insert,\nedit or obtain sensitive information. This issue only affected OpenJDK 11. \n(CVE-2020-2816)\n\nIt was discovered that OpenJDK incorrectly handled certain regular\nexpressions. An attacker could possibly use this issue to cause a denial of\nservice. (CVE-2020-2830)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 19.10:\n openjdk-11-jdk 11.0.7+10-2ubuntu2~19.10\n openjdk-11-jre 11.0.7+10-2ubuntu2~19.10\n openjdk-11-jre-headless 11.0.7+10-2ubuntu2~19.10\n openjdk-11-jre-zero 11.0.7+10-2ubuntu2~19.10\n openjdk-8-jdk 8u252-b09-1~19.10\n openjdk-8-jre 8u252-b09-1~19.10\n openjdk-8-jre-headless 8u252-b09-1~19.10\n openjdk-8-jre-zero 8u252-b09-1~19.10\n\nUbuntu 18.04 LTS:\n openjdk-11-jdk 11.0.7+10-2ubuntu2~18.04\n openjdk-11-jre 11.0.7+10-2ubuntu2~18.04\n openjdk-11-jre-headless 11.0.7+10-2ubuntu2~18.04\n openjdk-11-jre-zero 11.0.7+10-2ubuntu2~18.04\n openjdk-8-jdk 8u252-b09-1~18.04\n openjdk-8-jre 8u252-b09-1~18.04\n openjdk-8-jre-headless 8u252-b09-1~18.04\n openjdk-8-jre-zero 8u252-b09-1~18.04\n\nUbuntu 16.04 LTS:\n openjdk-8-jdk 8u252-b09-1~16.04\n openjdk-8-jre 8u252-b09-1~16.04\n openjdk-8-jre-headless 8u252-b09-1~16.04\n openjdk-8-jre-jamvm 8u252-b09-1~16.04\n openjdk-8-jre-zero 8u252-b09-1~16.04\n\nThis update uses a new upstream release, which includes additional bug\nfixes. 8.0) - aarch64, noarch, ppc64le, s390x, x86_64\n\n3. 8.0) - aarch64, ppc64le, s390x, x86_64\n\n3. Description:\n\nRed Hat OpenShift Container Platform is Red Hat\u0027s cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments. \n\nSecurity Fix(es):\n\n* operator-framework/presto: /etc/passwd was given incorrect privileges\n(CVE-2019-19352)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. Solution:\n\nFor OpenShift Container Platform 4.4 see the following documentation, which\nwill be updated shortly for release 4.4.3, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata\nupdate:\n\nhttps://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-rel\nease-notes.html\n\nDetails on how to access this content are available at\nhttps://docs.openshift.com/container-platform/4.4/updating/updating-cluster\n- -cli.html. Bugs fixed (https://bugzilla.redhat.com/):\n\n1793281 - CVE-2019-19352 operator-framework/presto: /etc/passwd is given incorrect privileges\n\n5. 7) - x86_64\n\n3. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Important: java-1.8.0-openjdk security update\nAdvisory ID: RHSA-2020:1512-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://access.redhat.com/errata/RHSA-2020:1512\nIssue date: 2020-04-21\nCVE Names: CVE-2020-2754 CVE-2020-2755 CVE-2020-2756 \n CVE-2020-2757 CVE-2020-2773 CVE-2020-2781 \n CVE-2020-2800 CVE-2020-2803 CVE-2020-2805 \n CVE-2020-2830 \n=====================================================================\n\n1. Summary:\n\nAn update for java-1.8.0-openjdk is now available for Red Hat Enterprise\nLinux 7. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Client (v. 7) - x86_64\nRed Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64\nRed Hat Enterprise Linux ComputeNode (v. 7) - x86_64\nRed Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64\nRed Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Workstation (v. 7) - x86_64\nRed Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64\n\n3. Description:\n\nThe java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit. \n\nSecurity Fix(es):\n\n* OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841)\n(CVE-2020-2803)\n\n* OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries,\n8235274) (CVE-2020-2805)\n\n* OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and\nDOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773)\n\n* OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408)\n(CVE-2020-2781)\n\n* OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP\nServer, 8234825) (CVE-2020-2800)\n\n* OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201)\n(CVE-2020-2830)\n\n* OpenJDK: Misplaced regular expression syntax error check in RegExpScanner\n(Scripting, 8223898) (CVE-2020-2754)\n\n* OpenJDK: Incorrect handling of empty string nodes in regular expression\nParser (Scripting, 8223904) (CVE-2020-2755)\n\n* OpenJDK: Incorrect handling of references to uninitialized class\ndescriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)\n\n* OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass\n(Serialization, 8224549) (CVE-2020-2757)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAll running instances of OpenJDK Java must be restarted for this update to\ntake effect. \n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1823199 - CVE-2020-2754 OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898)\n1823200 - CVE-2020-2755 OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904)\n1823215 - CVE-2020-2756 OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541)\n1823216 - CVE-2020-2757 OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549)\n1823224 - CVE-2020-2773 OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415)\n1823527 - CVE-2020-2800 OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825)\n1823542 - CVE-2020-2830 OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201)\n1823694 - CVE-2020-2803 OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841)\n1823844 - CVE-2020-2805 OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274)\n1823960 - CVE-2020-2781 OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408)\n\n6. Package List:\n\nRed Hat Enterprise Linux Client (v. 7):\n\nSource:\njava-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.src.rpm\n\nx86_64:\njava-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.x86_64.rpm\njava-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.x86_64.rpm\njava-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.x86_64.rpm\n\nRed Hat Enterprise Linux Client Optional (v. 7):\n\nnoarch:\njava-1.8.0-openjdk-javadoc-1.8.0.252.b09-2.el7_8.noarch.rpm\njava-1.8.0-openjdk-javadoc-zip-1.8.0.252.b09-2.el7_8.noarch.rpm\n\nx86_64:\njava-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.x86_64.rpm\njava-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.x86_64.rpm\njava-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.x86_64.rpm\njava-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.x86_64.rpm\njava-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode (v. 7):\n\nSource:\njava-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.src.rpm\n\nx86_64:\njava-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.x86_64.rpm\njava-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.x86_64.rpm\njava-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode Optional (v. 7):\n\nnoarch:\njava-1.8.0-openjdk-javadoc-1.8.0.252.b09-2.el7_8.noarch.rpm\njava-1.8.0-openjdk-javadoc-zip-1.8.0.252.b09-2.el7_8.noarch.rpm\n\nx86_64:\njava-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.x86_64.rpm\njava-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.x86_64.rpm\njava-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.x86_64.rpm\njava-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.x86_64.rpm\njava-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.x86_64.rpm\n\nRed Hat Enterprise Linux Server (v. 7):\n\nSource:\njava-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.src.rpm\n\nppc64:\njava-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.ppc64.rpm\njava-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.ppc64.rpm\njava-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.ppc64.rpm\njava-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.ppc64.rpm\n\nppc64le:\njava-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.ppc64le.rpm\njava-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.ppc64le.rpm\njava-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.ppc64le.rpm\njava-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.ppc64le.rpm\n\ns390x:\njava-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.s390x.rpm\njava-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.s390x.rpm\njava-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.s390x.rpm\njava-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.s390x.rpm\n\nx86_64:\njava-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.x86_64.rpm\njava-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.x86_64.rpm\njava-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.x86_64.rpm\njava-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 7):\n\nnoarch:\njava-1.8.0-openjdk-javadoc-1.8.0.252.b09-2.el7_8.noarch.rpm\njava-1.8.0-openjdk-javadoc-zip-1.8.0.252.b09-2.el7_8.noarch.rpm\n\nppc64:\njava-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.ppc64.rpm\njava-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.ppc64.rpm\njava-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.ppc64.rpm\njava-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.ppc64.rpm\n\nppc64le:\njava-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.ppc64le.rpm\njava-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.ppc64le.rpm\njava-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.ppc64le.rpm\njava-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.ppc64le.rpm\n\ns390x:\njava-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.s390x.rpm\njava-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.s390x.rpm\njava-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.s390x.rpm\njava-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.s390x.rpm\n\nx86_64:\njava-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.x86_64.rpm\njava-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.x86_64.rpm\njava-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.x86_64.rpm\njava-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation (v. 7):\n\nSource:\njava-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.src.rpm\n\nx86_64:\njava-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.x86_64.rpm\njava-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.x86_64.rpm\njava-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.x86_64.rpm\njava-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 7):\n\nnoarch:\njava-1.8.0-openjdk-javadoc-1.8.0.252.b09-2.el7_8.noarch.rpm\njava-1.8.0-openjdk-javadoc-zip-1.8.0.252.b09-2.el7_8.noarch.rpm\n\nx86_64:\njava-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.x86_64.rpm\njava-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.x86_64.rpm\njava-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.x86_64.rpm\njava-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.i686.rpm\njava-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2020-2754\nhttps://access.redhat.com/security/cve/CVE-2020-2755\nhttps://access.redhat.com/security/cve/CVE-2020-2756\nhttps://access.redhat.com/security/cve/CVE-2020-2757\nhttps://access.redhat.com/security/cve/CVE-2020-2773\nhttps://access.redhat.com/security/cve/CVE-2020-2781\nhttps://access.redhat.com/security/cve/CVE-2020-2800\nhttps://access.redhat.com/security/cve/CVE-2020-2803\nhttps://access.redhat.com/security/cve/CVE-2020-2805\nhttps://access.redhat.com/security/cve/CVE-2020-2830\nhttps://access.redhat.com/security/updates/classification/#important\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2020 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBXp7Zs9zjgjWX9erEAQijNg//Wv9fjFvkxHC42Hd5YcN8qnGcf6gdOYDW\npAv6Tv6q9pstko1bcUZYa0V01XejJYe/5uAADu3QGe1aMihI0VMjXrlFULW1laNS\nQTRtsnzTac5Gm3cJZKDXIv1ITI+fgGBWOvwN9lketAQtO5su+JbPTPQ4S0rBy55D\ngAVa8RVPi6qQt85HmXDrrpaAI2N8EFVkJBpC9ZRRFtI5wTv//bVx29Qw/sthlN3N\nqXwO8KZI44Xbe+vb6QpGcNkly+Dh7CdeVFV1OVkqx8eOVA8Cj45NAeBgP1W8n2VQ\nzt0GiKCbrV49e2AsBgmK49/J3N2L9xalsHSn54+6N02rcjf4dseV5flz5/unSIDc\ngPqFCTRbGZcIdjFbilvsklGBVfBzXjw5SjUemMKYggXa+6L74O+kuH4TRZRXhmEX\n70Kvn1w0ta8P1bxK0A6BM6ZnDo5f7jVIQipk2M/hw6SDzu7ZA5zbDRCg419AZ8qc\nsyuuHWmdfpRRj0XlUw5eBfBUq8UL+huEfRvu85zBhvhTw/Pyu+T0nQ7iofSyqvob\n2LlLyPV14RBOzGIWLqrt2tGBUYanKULxIdT+VtSu4gyuloGc84onSLTqU0Ucbc85\nnxpY6nc9GxOYWCMDITnr4xiRXQuUuE5V4UVwsFlr+xsEYcsAXdPLzyXzw8S8sL+Z\nyPjQbJvoqgE=\n=5P5C\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4662-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nApril 24, 2020 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : openjdk-11\nCVE ID : CVE-2020-2754 CVE-2020-2755 CVE-2020-2756 CVE-2020-2757 \n CVE-2020-2767 CVE-2020-2773 CVE-2020-2778 CVE-2020-2781 \n CVE-2020-2800 CVE-2020-2803 CVE-2020-2805 CVE-2020-2816 \n CVE-2020-2830\n\nSeveral vulnerabilities have been discovered in the OpenJDK Java\nruntime, resulting in denial of service, insecure TLS handshakes, bypass\nof sandbox restrictions or HTTP response splitting attacks. \n\nFor the stable distribution (buster), these problems have been fixed in\nversion 11.0.7+10-3~deb10u1. \n\nWe recommend that you upgrade your openjdk-11 packages. \n\nFor the detailed security status of openjdk-11 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/openjdk-11\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQIyBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl6i4QkACgkQEMKTtsN8\nTjYOlg/3ZpduOWklosp1sS0za11zUYZHlql01d75lk2HS/u5sEVUNPyVcZ2iC8Bk\nzVBfqdJmfoODThzMVws1f9BhTvdaigPd+6stG3eVcU7kHS3IEpSAglKRK9220jDQ\nEuz2CXHV2trngO9C6oEg6OOB2wguKyeFT7VlMazyznmesIUr+BnmTpm/t97QOAhj\n+OyeXm3YdI7B8idZUNnUS42SKei+vaj1b/Dwi7Bv5YZUgIDAy8J6lRxUYi3EA/MT\nLux7auJiMw9cIx5xqiIIW+3JmLrxXZQdvxWRsZtl5ATNwMf/PDjroWGj1eIRIa66\n70dJ4FoY/yHdc4wnadBJKhWUgZbGDpVyclzRx8DBlqYxmJx0BVu10he1j8fMJnp1\n72A/gHVtcHDuCLpskgYiJeUqkPq/nMEt85Q2NpnW61sGFJedGIQeAMGKLPsLCmz4\nU8L2CaTvtnBFNN82P50rDCuFwKChOJ5OqKuZCBwX6hhJQqgPsSGE7wdUep0UFbm0\n9qyEZ+Ph7v42+JcnP3O/Ow9i2Q+rkHcCu//jp+TaeyjZEaIurAAlMz9YN8Tp665n\nlXe0nmWPkY+oCDoEglH5GaLkft0lEOT8idGp3ccBhHsQGhyJAq2z0b9OBTUgidjY\n99udJWsH8naHMBZL5aHmByQ/73mL/MB+oMRv15ypVrnL2B3KVQ==\n=/qDT\n-----END PGP SIGNATURE-----\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2020-2830"
},
{
"db": "VULMON",
"id": "CVE-2020-2830"
},
{
"db": "PACKETSTORM",
"id": "157363"
},
{
"db": "PACKETSTORM",
"id": "157350"
},
{
"db": "PACKETSTORM",
"id": "157351"
},
{
"db": "PACKETSTORM",
"id": "157349"
},
{
"db": "PACKETSTORM",
"id": "157550"
},
{
"db": "PACKETSTORM",
"id": "157549"
},
{
"db": "PACKETSTORM",
"id": "157777"
},
{
"db": "PACKETSTORM",
"id": "157319"
},
{
"db": "PACKETSTORM",
"id": "157778"
},
{
"db": "PACKETSTORM",
"id": "168805"
}
],
"trust": 1.89
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2020-2830",
"trust": 2.1
},
{
"db": "MCAFEE",
"id": "SB10318",
"trust": 1.1
},
{
"db": "VULMON",
"id": "CVE-2020-2830",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "157363",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "157350",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "157351",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "157349",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "157550",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "157549",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "157777",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "157319",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "157778",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "168805",
"trust": 0.1
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2020-2830"
},
{
"db": "PACKETSTORM",
"id": "157363"
},
{
"db": "PACKETSTORM",
"id": "157350"
},
{
"db": "PACKETSTORM",
"id": "157351"
},
{
"db": "PACKETSTORM",
"id": "157349"
},
{
"db": "PACKETSTORM",
"id": "157550"
},
{
"db": "PACKETSTORM",
"id": "157549"
},
{
"db": "PACKETSTORM",
"id": "157777"
},
{
"db": "PACKETSTORM",
"id": "157319"
},
{
"db": "PACKETSTORM",
"id": "157778"
},
{
"db": "PACKETSTORM",
"id": "168805"
},
{
"db": "NVD",
"id": "CVE-2020-2830"
}
]
},
"id": "VAR-202004-1137",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.27142859
},
"last_update_date": "2023-11-07T21:49:03.694000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Red Hat: Important: java-1.7.0-openjdk security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20201508 - security advisory"
},
{
"title": "Red Hat: Important: java-1.7.1-ibm security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20202238 - security advisory"
},
{
"title": "Red Hat: Important: java-1.8.0-openjdk security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20201515 - security advisory"
},
{
"title": "Red Hat: Important: java-1.7.1-ibm security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20202236 - security advisory"
},
{
"title": "Red Hat: Important: java-1.7.0-openjdk security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20201507 - security advisory"
},
{
"title": "Red Hat: Important: java-1.8.0-ibm security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20202239 - security advisory"
},
{
"title": "Red Hat: Important: java-1.8.0-openjdk security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20201512 - security advisory"
},
{
"title": "Red Hat: Important: java-1.8.0-openjdk security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20201516 - security advisory"
},
{
"title": "Red Hat: Important: java-1.8.0-openjdk security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20201506 - security advisory"
},
{
"title": "Red Hat: Important: java-1.8.0-ibm security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20202241 - security advisory"
},
{
"title": "Red Hat: Important: java-1.8.0-ibm security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20202237 - security advisory"
},
{
"title": "Red Hat: Important: java-11-openjdk security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20201514 - security advisory"
},
{
"title": "Red Hat: Important: java-11-openjdk security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20201517 - security advisory"
},
{
"title": "Red Hat: Important: java-11-openjdk security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20201509 - security advisory"
},
{
"title": "Red Hat: Moderate: OpenShift Container Platform 4.4.3 hadoop-container security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20201938 - security advisory"
},
{
"title": "Red Hat: Moderate: OpenShift Container Platform 4.4.3 presto-container security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20201942 - security advisory"
},
{
"title": "Ubuntu Security Notice: openjdk-8, openjdk-lts vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=usn-4337-1"
},
{
"title": "Amazon Linux AMI: ALAS-2020-1365",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=alas-2020-1365"
},
{
"title": "Amazon Linux AMI: ALAS-2023-1809",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=alas-2023-1809"
},
{
"title": "Amazon Linux 2: ALAS2-2020-1424",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=alas2-2020-1424"
},
{
"title": "Amazon Linux 2: ALAS2-2020-1421",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=alas2-2020-1421"
},
{
"title": "Debian Security Advisories: DSA-4662-1 openjdk-11 -- security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=fcc7953c1496c4d2bf29bdda0aeb34d3"
},
{
"title": "Amazon Linux 2: ALAS2-2020-1410",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=alas2-2020-1410"
},
{
"title": "Hitachi Security Advisories: Multiple Vulnerabilities in Hitachi Command Suite, Hitachi Automation Director, Hitachi Configuration Manager, Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=hitachi_security_advisories\u0026qid=hitachi-sec-2020-111"
},
{
"title": "Hitachi Security Advisories: Multiple Vulnerabilities in Cosminexus",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=hitachi_security_advisories\u0026qid=hitachi-sec-2020-108"
},
{
"title": "IBM: Security Bulletin: Multiple vulnerabilities in OpenJDK version 11 affect IBM InfoSphere Information Server",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=04093f22959e96a7bb3ed8715aa18c0e"
},
{
"title": "IBM: Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=2ec7385c474071281be069b54d841de6"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2020-2830"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-noinfo",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2020-2830"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.2,
"url": "https://usn.ubuntu.com/4337-1/"
},
{
"trust": 1.1,
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"trust": 1.1,
"url": "https://security.netapp.com/advisory/ntap-20200416-0004/"
},
{
"trust": 1.1,
"url": "https://www.debian.org/security/2020/dsa-4662"
},
{
"trust": 1.1,
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html"
},
{
"trust": 1.1,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/l7vhc4ew36kzeidq56rpcwbzcqelffkn/"
},
{
"trust": 1.1,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ckav6kffaeanxan73aftgu7z6ynrwcxq/"
},
{
"trust": 1.1,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/nyhhhzrhxcbgrhge5up7ueb4iz2qx536/"
},
{
"trust": 1.1,
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html"
},
{
"trust": 1.1,
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html"
},
{
"trust": 1.1,
"url": "https://security.gentoo.org/glsa/202006-22"
},
{
"trust": 1.1,
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html"
},
{
"trust": 1.1,
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=sb10318"
},
{
"trust": 1.0,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2830"
},
{
"trust": 1.0,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2781"
},
{
"trust": 1.0,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2800"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2754"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2757"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2805"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2756"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2803"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2773"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2020-2757"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2020-2805"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.8,
"url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2755"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2020-2830"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2020-2800"
},
{
"trust": 0.8,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2020-2756"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2020-2781"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2020-2803"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2020-2754"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2020-2755"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/cve/cve-2020-2773"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2778"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2767"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2816"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.2,
"url": "https://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-rel"
},
{
"trust": 0.2,
"url": "https://docs.openshift.com/container-platform/4.4/updating/updating-cluster"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2654"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-2654"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:1508"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.7+10-2ubuntu2~18.04"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openjdk-8/8u252-b09-1~19.10"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openjdk-8/8u252-b09-1~16.04"
},
{
"trust": 0.1,
"url": "https://usn.ubuntu.com/4337-1"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.7+10-2ubuntu2~19.10"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/openjdk-8/8u252-b09-1~18.04"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:1516"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:1515"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-2767"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-2816"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-2778"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:1517"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-19354"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:1938"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-19354"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:1942"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-19352"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-19352"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:2238"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:1512"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-2949"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-2949"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:2237"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/faq"
},
{
"trust": 0.1,
"url": "https://security-tracker.debian.org/tracker/openjdk-11"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2020-2830"
},
{
"db": "PACKETSTORM",
"id": "157363"
},
{
"db": "PACKETSTORM",
"id": "157350"
},
{
"db": "PACKETSTORM",
"id": "157351"
},
{
"db": "PACKETSTORM",
"id": "157349"
},
{
"db": "PACKETSTORM",
"id": "157550"
},
{
"db": "PACKETSTORM",
"id": "157549"
},
{
"db": "PACKETSTORM",
"id": "157777"
},
{
"db": "PACKETSTORM",
"id": "157319"
},
{
"db": "PACKETSTORM",
"id": "157778"
},
{
"db": "PACKETSTORM",
"id": "168805"
},
{
"db": "NVD",
"id": "CVE-2020-2830"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULMON",
"id": "CVE-2020-2830"
},
{
"db": "PACKETSTORM",
"id": "157363"
},
{
"db": "PACKETSTORM",
"id": "157350"
},
{
"db": "PACKETSTORM",
"id": "157351"
},
{
"db": "PACKETSTORM",
"id": "157349"
},
{
"db": "PACKETSTORM",
"id": "157550"
},
{
"db": "PACKETSTORM",
"id": "157549"
},
{
"db": "PACKETSTORM",
"id": "157777"
},
{
"db": "PACKETSTORM",
"id": "157319"
},
{
"db": "PACKETSTORM",
"id": "157778"
},
{
"db": "PACKETSTORM",
"id": "168805"
},
{
"db": "NVD",
"id": "CVE-2020-2830"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-04-15T00:00:00",
"db": "VULMON",
"id": "CVE-2020-2830"
},
{
"date": "2020-04-23T19:25:55",
"db": "PACKETSTORM",
"id": "157363"
},
{
"date": "2020-04-22T15:11:05",
"db": "PACKETSTORM",
"id": "157350"
},
{
"date": "2020-04-22T15:11:12",
"db": "PACKETSTORM",
"id": "157351"
},
{
"date": "2020-04-22T15:10:56",
"db": "PACKETSTORM",
"id": "157349"
},
{
"date": "2020-05-04T17:29:03",
"db": "PACKETSTORM",
"id": "157550"
},
{
"date": "2020-05-04T17:28:54",
"db": "PACKETSTORM",
"id": "157549"
},
{
"date": "2020-05-20T15:59:55",
"db": "PACKETSTORM",
"id": "157777"
},
{
"date": "2020-04-21T14:17:02",
"db": "PACKETSTORM",
"id": "157319"
},
{
"date": "2020-05-20T16:01:07",
"db": "PACKETSTORM",
"id": "157778"
},
{
"date": "2020-04-28T19:12:00",
"db": "PACKETSTORM",
"id": "168805"
},
{
"date": "2020-04-15T14:15:00",
"db": "NVD",
"id": "CVE-2020-2830"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-06-30T00:00:00",
"db": "VULMON",
"id": "CVE-2020-2830"
},
{
"date": "2022-06-30T20:07:00",
"db": "NVD",
"id": "CVE-2020-2830"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Ubuntu Security Notice USN-4337-1",
"sources": [
{
"db": "PACKETSTORM",
"id": "157363"
}
],
"trust": 0.1
}
}
var-201902-0192
Vulnerability from variot
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q). OpenSSL Contains an information disclosure vulnerability.Information may be obtained. The product supports a variety of encryption algorithms, including symmetric ciphers, hash algorithms, secure hash algorithms, etc. A vulnerability in OpenSSL could allow an unauthenticated, remote malicious user to access sensitive information on a targeted system. An attacker who is able to perform man-in-the-middle attacks could exploit the vulnerability by persuading a user to access a link that submits malicious input to the affected software. A successful exploit could allow the malicious user to intercept and modify the browser requests and then observe the server behavior in order to conduct a padding oracle attack and decrypt sensitive information.
This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod Aviram, with additional investigation by Steven Collison and Andrew Hourselt. It was reported to OpenSSL on 10th December 2018.
Note: Advisory updated to make it clearer that AEAD ciphersuites are not impacted.
Note
OpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates. Support for 1.0.2 will end on 31st December 2019. Support for 1.1.0 will end on 11th September 2019. Users of these versions should upgrade to OpenSSL 1.1.1.
References
URL for this Security Advisory: https://www.openssl.org/news/secadv/20190226.txt
Note: the online version of the advisory may be updated with additional details over time.
For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/secpolicy.html . The appliance is available to download as an OVA file from the Customer Portal.
For the stable distribution (stretch), this problem has been fixed in version 1.0.2r-1~deb9u1.
For the detailed security status of openssl1.0 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssl1.0
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAlx4WgkACgkQEMKTtsN8 TjZZCQ//UdQ3Bi/ZSQJ2yzW7MkbuaHla53iUhztTy2Zrype++NX4tXqqBl+xY9Eu 1D747Y1c2GZ949UaPbIvp8wLCvvxR5A4Tmx4sU3ZOOHXrlsZ5loYg66MslGUOMOU z7zaqXTg3as8wfD6ND5Zd4tP0iLyst8Vyi0W7PuFovLoPAc3/XcMaXghSwabs+JY 3KZuB4UlbOiEnO+6Mf5ghWQYBtN7y/QAVNWREfLmhpx2UY8F7Ia28bR9pXknxkl5 RuN9WH2BtXI4/JiL0TlkAua51NE+vXciPv+Dh4gkQNPWF/rfL9IL5AxjrgojysHf OhZaDcYpOPCXZmiA49JOXJOrIw73Zd9NZmgA1ZXQY1ECQDJ8dB9mSJj1KsUId+Id eTbRRbWwpzSQd5qc4h4NKjeIwA04a3JecDibD3pwf3+qn9sw8xQ/rfAl2byGRbEN FUDT65AIw4CFQDJeIE/vBZqCFhY2aIbRoibpZnp0XsROkw8xKQiH0Kgo7gjsoozT wHYK/rlvaZwbnLG7E8pUUj9Xr8OM9Wn/y7kzyHVekGUcDef3F1pPJ9CYsdppx+Zv MkoFNxc9GZ+Kn2i4l14I3hvwQ4Sy3owNjnTYFQ28yd+MRZoMw+nyXW1i7OCu+KFH 7OQkd5qNDh8iotsaUKT0DQOOL74UDgEPv2x02ahujRl+I3YDDdM=NRWo -----END PGP SIGNATURE----- . ========================================================================== Ubuntu Security Notice USN-4376-2 July 09, 2020
openssl vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 ESM
- Ubuntu 12.04 ESM
Summary:
Several security issues were fixed in OpenSSL. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.
Original advisory details:
Cesar Pereida Garc\xeda, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya, and Billy Brumley discovered that OpenSSL incorrectly handled ECDSA signatures. An attacker could possibly use this issue to perform a timing side-channel attack and recover private ECDSA keys. A remote attacker could possibly use this issue to decrypt data. (CVE-2019-1559)
Bernd Edlinger discovered that OpenSSL incorrectly handled certain decryption functions. (CVE-2019-1563)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 14.04 ESM: libssl1.0.0 1.0.1f-1ubuntu2.27+esm1
Ubuntu 12.04 ESM: libssl1.0.0 1.0.1-4ubuntu5.44
After a standard system update you need to reboot your computer to make all the necessary changes. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201903-10
https://security.gentoo.org/
Severity: Normal Title: OpenSSL: Multiple vulnerabilities Date: March 14, 2019 Bugs: #673056, #678564 ID: 201903-10
Synopsis
Multiple Information Disclosure vulnerabilities in OpenSSL allow attackers to obtain sensitive information.
Affected packages
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-libs/openssl < 1.0.2r >= 1.0.2r
Description
Multiple vulnerabilities have been discovered in OpenSSL. Please review the CVE identifiers referenced below for details.
Impact
A remote attacker to obtain sensitive information, caused by the failure to immediately close the TCP connection after the hosts encounter a zero-length record with valid padding.
A local attacker could run a malicious process next to legitimate processes using the architectureas parallel thread running capabilities to leak encrypted data from the CPU's internal processes.
Workaround
There is no known workaround at this time.
Resolution
All OpenSSL users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.2r"
References
[ 1 ] CVE-2018-5407 https://nvd.nist.gov/vuln/detail/CVE-2018-5407 [ 2 ] CVE-2019-1559 https://nvd.nist.gov/vuln/detail/CVE-2019-1559
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/201903-10
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2019 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5 . 6) - i386, x86_64
- Description:
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: openssl security and bug fix update Advisory ID: RHSA-2019:2304-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2019:2304 Issue date: 2019-08-06 CVE Names: CVE-2018-0734 CVE-2019-1559 ==================================================================== 1. Summary:
An update for openssl is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
- Description:
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.
Security Fix(es):
-
openssl: 0-byte record padding oracle (CVE-2019-1559)
-
openssl: timing side channel attack in the DSA signature algorithm (CVE-2018-0734)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.
- Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
- Bugs fixed (https://bugzilla.redhat.com/):
1644364 - CVE-2018-0734 openssl: timing side channel attack in the DSA signature algorithm 1649568 - openssl: microarchitectural and timing side channel padding oracle attack against RSA 1683804 - CVE-2019-1559 openssl: 0-byte record padding oracle
- Package List:
Red Hat Enterprise Linux Client (v. 7):
Source: openssl-1.0.2k-19.el7.src.rpm
x86_64: openssl-1.0.2k-19.el7.x86_64.rpm openssl-debuginfo-1.0.2k-19.el7.i686.rpm openssl-debuginfo-1.0.2k-19.el7.x86_64.rpm openssl-libs-1.0.2k-19.el7.i686.rpm openssl-libs-1.0.2k-19.el7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64: openssl-debuginfo-1.0.2k-19.el7.i686.rpm openssl-debuginfo-1.0.2k-19.el7.x86_64.rpm openssl-devel-1.0.2k-19.el7.i686.rpm openssl-devel-1.0.2k-19.el7.x86_64.rpm openssl-perl-1.0.2k-19.el7.x86_64.rpm openssl-static-1.0.2k-19.el7.i686.rpm openssl-static-1.0.2k-19.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source: openssl-1.0.2k-19.el7.src.rpm
x86_64: openssl-1.0.2k-19.el7.x86_64.rpm openssl-debuginfo-1.0.2k-19.el7.i686.rpm openssl-debuginfo-1.0.2k-19.el7.x86_64.rpm openssl-libs-1.0.2k-19.el7.i686.rpm openssl-libs-1.0.2k-19.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64: openssl-debuginfo-1.0.2k-19.el7.i686.rpm openssl-debuginfo-1.0.2k-19.el7.x86_64.rpm openssl-devel-1.0.2k-19.el7.i686.rpm openssl-devel-1.0.2k-19.el7.x86_64.rpm openssl-perl-1.0.2k-19.el7.x86_64.rpm openssl-static-1.0.2k-19.el7.i686.rpm openssl-static-1.0.2k-19.el7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source: openssl-1.0.2k-19.el7.src.rpm
ppc64: openssl-1.0.2k-19.el7.ppc64.rpm openssl-debuginfo-1.0.2k-19.el7.ppc.rpm openssl-debuginfo-1.0.2k-19.el7.ppc64.rpm openssl-devel-1.0.2k-19.el7.ppc.rpm openssl-devel-1.0.2k-19.el7.ppc64.rpm openssl-libs-1.0.2k-19.el7.ppc.rpm openssl-libs-1.0.2k-19.el7.ppc64.rpm
ppc64le: openssl-1.0.2k-19.el7.ppc64le.rpm openssl-debuginfo-1.0.2k-19.el7.ppc64le.rpm openssl-devel-1.0.2k-19.el7.ppc64le.rpm openssl-libs-1.0.2k-19.el7.ppc64le.rpm
s390x: openssl-1.0.2k-19.el7.s390x.rpm openssl-debuginfo-1.0.2k-19.el7.s390.rpm openssl-debuginfo-1.0.2k-19.el7.s390x.rpm openssl-devel-1.0.2k-19.el7.s390.rpm openssl-devel-1.0.2k-19.el7.s390x.rpm openssl-libs-1.0.2k-19.el7.s390.rpm openssl-libs-1.0.2k-19.el7.s390x.rpm
x86_64: openssl-1.0.2k-19.el7.x86_64.rpm openssl-debuginfo-1.0.2k-19.el7.i686.rpm openssl-debuginfo-1.0.2k-19.el7.x86_64.rpm openssl-devel-1.0.2k-19.el7.i686.rpm openssl-devel-1.0.2k-19.el7.x86_64.rpm openssl-libs-1.0.2k-19.el7.i686.rpm openssl-libs-1.0.2k-19.el7.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64: openssl-debuginfo-1.0.2k-19.el7.ppc.rpm openssl-debuginfo-1.0.2k-19.el7.ppc64.rpm openssl-perl-1.0.2k-19.el7.ppc64.rpm openssl-static-1.0.2k-19.el7.ppc.rpm openssl-static-1.0.2k-19.el7.ppc64.rpm
ppc64le: openssl-debuginfo-1.0.2k-19.el7.ppc64le.rpm openssl-perl-1.0.2k-19.el7.ppc64le.rpm openssl-static-1.0.2k-19.el7.ppc64le.rpm
s390x: openssl-debuginfo-1.0.2k-19.el7.s390.rpm openssl-debuginfo-1.0.2k-19.el7.s390x.rpm openssl-perl-1.0.2k-19.el7.s390x.rpm openssl-static-1.0.2k-19.el7.s390.rpm openssl-static-1.0.2k-19.el7.s390x.rpm
x86_64: openssl-debuginfo-1.0.2k-19.el7.i686.rpm openssl-debuginfo-1.0.2k-19.el7.x86_64.rpm openssl-perl-1.0.2k-19.el7.x86_64.rpm openssl-static-1.0.2k-19.el7.i686.rpm openssl-static-1.0.2k-19.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source: openssl-1.0.2k-19.el7.src.rpm
x86_64: openssl-1.0.2k-19.el7.x86_64.rpm openssl-debuginfo-1.0.2k-19.el7.i686.rpm openssl-debuginfo-1.0.2k-19.el7.x86_64.rpm openssl-devel-1.0.2k-19.el7.i686.rpm openssl-devel-1.0.2k-19.el7.x86_64.rpm openssl-libs-1.0.2k-19.el7.i686.rpm openssl-libs-1.0.2k-19.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64: openssl-debuginfo-1.0.2k-19.el7.i686.rpm openssl-debuginfo-1.0.2k-19.el7.x86_64.rpm openssl-perl-1.0.2k-19.el7.x86_64.rpm openssl-static-1.0.2k-19.el7.i686.rpm openssl-static-1.0.2k-19.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2018-0734 https://access.redhat.com/security/cve/CVE-2019-1559 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.7_release_notes/index
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBXUl3otzjgjWX9erEAQgZQQ//XNcjRJGLVmjAzbVGiwxEqfFUvDVNiu97 fW0vLXuV9TnQTveOVqOAWmmMv2iShkVIRPDvzlOfUsYrrDEYHKr0N38R/fhDEZsM WQrJh54WK9IjEGNevLTCePKMhVuII1WnHrLDwZ6hxYGdcap/sJrf+N428b5LvHbM B39vWl3vqJYXoiI5dmIYL8ko2SfLms5Cg+dR0hLrNohf9gK2La+jhWb/j2xw6X6q /LXw5+hi/G+USbnNFfjt9G0fNjMMZRX2bukUvY6UWJRYTOXpIUOFqqp5w9zgM7tZ uX7TMTC9xe6te4mBCAFDdt+kYYLYSHfSkFlFq+S7V0MY8DmnIzqBJE4lJIDTVp9F JbrMIPs9G5jdnzPUKZw/gH9WLgka8Q8AYI+KA2xSxFX9VZ20Z+EDDC9/4uwj3i0A gLeIB68OwD70jn4sjuQqizr7TCviQhTUoKVd/mTBAxSEFZLcE8Sy/BEYxLPm81z0 veL16l6pmfg9uLac4V576ImfYNWlBEnJspA5E9K5CqQRPuZpCQFov7/D17Qm8v/x IcVKUaXiGquBwzHmIsD5lTCpl7CrGoU1PfNJ6Y/4xrVFOh1DLA4y6nnfysyO9eZx zBfuYS2VmfIq/tp1CjagI/DmJC4ezXeE4Phq9jm0EBASXtnLzVmc5j7kkqWjCcfm BtpJTAdr1kE=7kKR -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks.
The following packages have been upgraded to a later upstream version: imgbased (1.1.9), ovirt-node-ng (4.3.5), redhat-release-virtualization-host (4.3.5), redhat-virtualization-host (4.3.5). Bugs fixed (https://bugzilla.redhat.com/):
1640820 - CVE-2018-16838 sssd: improper implementation of GPOs due to too restrictive permissions
1658366 - CVE-2018-16881 rsyslog: imptcp: integer overflow when Octet-Counted TCP Framing is enabled
1683804 - CVE-2019-1559 openssl: 0-byte record padding oracle
1687920 - RHVH fails to reinstall if required size is exceeding the available disk space due to anaconda bug
1694065 - CVE-2019-0161 edk2: stack overflow in XHCI causing denial of service
1702223 - Rebase RHV-H on RHEL 7.7
1709829 - CVE-2019-10139 cockpit-ovirt: admin and appliance passwords saved in plain text variable file during HE deployment
1718388 - CVE-2019-10160 python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc
1720156 - RHVH 4.3.4 version info is incorrect in plymouth and "/etc/os-release"
1720160 - RHVH 4.3.4: Incorrect info in /etc/system-release-cpe
1720310 - RHV-H post-installation scripts failing, due to existing tags
1720434 - RHVH 7.7 brand is wrong in Anaconda GUI.
1720435 - Failed to install RHVH 7.7
1720436 - RHVH 7.7 should based on RHEL 7.7 server but not workstation.
1724044 - Failed dependencies occur during install systemtap package.
1726534 - dhclient fails to load libdns-export.so.1102 after upgrade if the user installed library is not persisted on the new layer
1727007 - Update RHVH 7.7 branding with new Red Hat logo
1727859 - Failed to boot after upgrading a host with a custom kernel
1728998 - "nodectl info" displays error after RHVH installation
1729023 - The error message is inappropriate when run imgbase layout --init on current layout
Here are the details from the Slackware 14.2 ChangeLog: +--------------------------+ patches/packages/openssl-1.0.2r-i586-1_slack14.2.txz: Upgraded. Go into the error state if a fatal alert is sent or received. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559 ( Security fix ) patches/packages/openssl-solibs-1.0.2r-i586-1_slack14.2.txz: Upgraded. +--------------------------+
Where to find the new packages: +-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you.
Updated packages for Slackware 14.2: ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/openssl-1.0.2r-i586-1_slack14.2.txz ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/openssl-solibs-1.0.2r-i586-1_slack14.2.txz
Updated packages for Slackware x86_64 14.2: ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/openssl-1.0.2r-x86_64-1_slack14.2.txz ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/openssl-solibs-1.0.2r-x86_64-1_slack14.2.txz
MD5 signatures: +-------------+
Slackware 14.2 packages: b23a71963648d515630497f203eefab8 openssl-1.0.2r-i586-1_slack14.2.txz 8b04a9be9b78052791f02428be44a639 openssl-solibs-1.0.2r-i586-1_slack14.2.txz
Slackware x86_64 14.2 packages: c183c2ad507a65020f13c0dc154c0b11 openssl-1.0.2r-x86_64-1_slack14.2.txz d656915855edd6365636ac558b8180cb openssl-solibs-1.0.2r-x86_64-1_slack14.2.txz
Installation instructions: +------------------------+
Upgrade the packages as root:
upgradepkg openssl-1.0.2r-i586-1_slack14.2.txz openssl-solibs-1.0.2r-i586-1_slack14.2.txz
+-----+
Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com
+------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201902-0192",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "big-ip global traffic manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.2"
},
{
"model": "communications session border controller",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0.0"
},
{
"model": "big-ip domain name system",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "13.0.0"
},
{
"model": "big-ip webaccelerator",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.0"
},
{
"model": "big-ip edge gateway",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.2"
},
{
"model": "a320",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "enterprise linux server",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.0"
},
{
"model": "big-ip local traffic manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.2"
},
{
"model": "big-ip webaccelerator",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "14.0.0"
},
{
"model": "jd edwards world security",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "a9.4"
},
{
"model": "big-ip fraud protection service",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.0"
},
{
"model": "communications diameter signaling router",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.2"
},
{
"model": "service processor",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "big-ip policy enforcement manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "13.0.0"
},
{
"model": "big-ip access policy manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.2"
},
{
"model": "big-ip domain name system",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.3"
},
{
"model": "communications diameter signaling router",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0.0"
},
{
"model": "big-ip advanced firewall manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.2"
},
{
"model": "node.js",
"scope": "gte",
"trust": 1.0,
"vendor": "nodejs",
"version": "6.0.0"
},
{
"model": "big-ip access policy manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "12.1.0"
},
{
"model": "big-ip application security manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "15.0.0"
},
{
"model": "node.js",
"scope": "lt",
"trust": 1.0,
"vendor": "nodejs",
"version": "6.17.0"
},
{
"model": "snapprotect",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "data exchange layer",
"scope": "lt",
"trust": 1.0,
"vendor": "mcafee",
"version": "6.0.0"
},
{
"model": "big-ip application acceleration manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.0"
},
{
"model": "big-ip analytics",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.3"
},
{
"model": "node.js",
"scope": "lt",
"trust": 1.0,
"vendor": "nodejs",
"version": "8.15.1"
},
{
"model": "communications diameter signaling router",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.1"
},
{
"model": "clustered data ontap antivirus connector",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "big-ip analytics",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "14.0.0"
},
{
"model": "big-ip global traffic manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.0"
},
{
"model": "big-ip link controller",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.2"
},
{
"model": "big-ip webaccelerator",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "15.0.0"
},
{
"model": "big-ip application security manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "12.1.5"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "18.04"
},
{
"model": "big-ip edge gateway",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.0"
},
{
"model": "big-ip global traffic manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "14.0.0"
},
{
"model": "leap",
"scope": "eq",
"trust": 1.0,
"vendor": "opensuse",
"version": "15.0"
},
{
"model": "communications session router",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.2"
},
{
"model": "big-ip local traffic manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.0"
},
{
"model": "fas2720",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "mysql",
"scope": "gte",
"trust": 1.0,
"vendor": "oracle",
"version": "5.7.0"
},
{
"model": "big-ip fraud protection service",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "12.1.0"
},
{
"model": "big-ip advanced firewall manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "13.0.0"
},
{
"model": "big-ip access policy manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.0"
},
{
"model": "big-ip application acceleration manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "12.1.0"
},
{
"model": "big-ip advanced firewall manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.0"
},
{
"model": "communications diameter signaling router",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.4"
},
{
"model": "enterprise manager base platform",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.1.0.5.0"
},
{
"model": "enterprise manager base platform",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "13.3.0.0.0"
},
{
"model": "nessus",
"scope": "lte",
"trust": 1.0,
"vendor": "tenable",
"version": "8.2.3"
},
{
"model": "oncommand unified manager core package",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "big-ip application security manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "14.0.0"
},
{
"model": "big-ip analytics",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "15.0.0"
},
{
"model": "enterprise linux server",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "6.0"
},
{
"model": "big-ip domain name system",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "12.1.5"
},
{
"model": "communications session router",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.1"
},
{
"model": "mysql enterprise monitor",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0.14"
},
{
"model": "big-ip global traffic manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "15.0.0"
},
{
"model": "big-ip local traffic manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "12.1.0"
},
{
"model": "data exchange layer",
"scope": "gte",
"trust": 1.0,
"vendor": "mcafee",
"version": "4.0.0"
},
{
"model": "peoplesoft enterprise peopletools",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.56"
},
{
"model": "big-ip webaccelerator",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.3"
},
{
"model": "big-ip link controller",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.0"
},
{
"model": "peoplesoft enterprise peopletools",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.57"
},
{
"model": "enterprise manager ops center",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.4.0"
},
{
"model": "traffix signaling delivery controller",
"scope": "eq",
"trust": 1.0,
"vendor": "f5",
"version": "4.4.0"
},
{
"model": "big-ip analytics",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "12.1.5"
},
{
"model": "big-ip edge gateway",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "12.1.0"
},
{
"model": "big-ip advanced firewall manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "12.1.0"
},
{
"model": "big-ip link controller",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "14.0.0"
},
{
"model": "big-ip fraud protection service",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.3"
},
{
"model": "jboss enterprise web server",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "5.0.0"
},
{
"model": "big-ip application acceleration manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "12.1.5"
},
{
"model": "enterprise linux desktop",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.0"
},
{
"model": "oncommand insight",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "communications unified session manager",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.2.5"
},
{
"model": "mysql enterprise monitor",
"scope": "gte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0.0"
},
{
"model": "solidfire",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "big-ip global traffic manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "12.1.5"
},
{
"model": "a800",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "big-ip global traffic manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "13.0.0"
},
{
"model": "mysql",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "5.7.25"
},
{
"model": "smi-s provider",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "30"
},
{
"model": "virtualization host",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "4.0"
},
{
"model": "openssl",
"scope": "gte",
"trust": 1.0,
"vendor": "openssl",
"version": "1.0.2"
},
{
"model": "big-ip domain name system",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "12.1.0"
},
{
"model": "big-ip local traffic manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "12.1.5"
},
{
"model": "snapdrive",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "big-ip application acceleration manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.3"
},
{
"model": "mysql workbench",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0.16"
},
{
"model": "openssl",
"scope": "lt",
"trust": 1.0,
"vendor": "openssl",
"version": "1.0.2r"
},
{
"model": "altavault",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "threat intelligence exchange server",
"scope": "gte",
"trust": 1.0,
"vendor": "mcafee",
"version": "2.0.0"
},
{
"model": "big-ip global traffic manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.3"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "16.04"
},
{
"model": "big-ip link controller",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "15.0.0"
},
{
"model": "big-ip policy enforcement manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "12.1.0"
},
{
"model": "mysql",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0.15"
},
{
"model": "pan-os",
"scope": "gte",
"trust": 1.0,
"vendor": "paloaltonetworks",
"version": "9.0.0"
},
{
"model": "pan-os",
"scope": "lt",
"trust": 1.0,
"vendor": "paloaltonetworks",
"version": "8.0.20"
},
{
"model": "communications session border controller",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.3"
},
{
"model": "big-ip edge gateway",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.3"
},
{
"model": "big-ip application security manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "13.0.0"
},
{
"model": "ontap select deploy",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "big-ip local traffic manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.3"
},
{
"model": "agent",
"scope": "gte",
"trust": 1.0,
"vendor": "mcafee",
"version": "5.6.0"
},
{
"model": "big-ip policy enforcement manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.2"
},
{
"model": "big-iq centralized management",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "7.0.0"
},
{
"model": "api gateway",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "11.1.2.4.0"
},
{
"model": "pan-os",
"scope": "lt",
"trust": 1.0,
"vendor": "paloaltonetworks",
"version": "9.0.2"
},
{
"model": "big-ip access policy manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.3"
},
{
"model": "big-ip webaccelerator",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "12.1.5"
},
{
"model": "fas2750",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "node.js",
"scope": "gte",
"trust": 1.0,
"vendor": "nodejs",
"version": "8.9.0"
},
{
"model": "big-ip advanced firewall manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.3"
},
{
"model": "active iq unified manager",
"scope": "gte",
"trust": 1.0,
"vendor": "netapp",
"version": "9.5"
},
{
"model": "big-ip webaccelerator",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "13.0.0"
},
{
"model": "communications diameter signaling router",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.3"
},
{
"model": "big-ip link controller",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "12.1.5"
},
{
"model": "big-ip access policy manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "14.0.0"
},
{
"model": "big-ip fraud protection service",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "12.1.5"
},
{
"model": "big-ip link controller",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "13.0.0"
},
{
"model": "node.js",
"scope": "gte",
"trust": 1.0,
"vendor": "nodejs",
"version": "8.0.0"
},
{
"model": "big-ip application security manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.2"
},
{
"model": "web gateway",
"scope": "gte",
"trust": 1.0,
"vendor": "mcafee",
"version": "7.0.0"
},
{
"model": "node.js",
"scope": "lte",
"trust": 1.0,
"vendor": "nodejs",
"version": "8.8.1"
},
{
"model": "active iq unified manager",
"scope": "gte",
"trust": 1.0,
"vendor": "netapp",
"version": "7.3"
},
{
"model": "enterprise linux desktop",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "6.0"
},
{
"model": "snapcenter",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "big-ip link controller",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.3"
},
{
"model": "big-iq centralized management",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "6.1.0"
},
{
"model": "business intelligence",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "11.1.1.9.0"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "8.0"
},
{
"model": "secure global desktop",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "5.4"
},
{
"model": "cloud backup",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "big-ip analytics",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "13.0.0"
},
{
"model": "big-ip policy enforcement manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.0"
},
{
"model": "big-ip webaccelerator",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "12.1.0"
},
{
"model": "oncommand workflow automation",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "big-ip fraud protection service",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "14.0.0"
},
{
"model": "steelstore cloud integrated storage",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "mysql enterprise monitor",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "4.0.8"
},
{
"model": "peoplesoft enterprise peopletools",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.55"
},
{
"model": "storagegrid",
"scope": "gte",
"trust": 1.0,
"vendor": "netapp",
"version": "9.0.0"
},
{
"model": "big-ip access policy manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "15.0.0"
},
{
"model": "leap",
"scope": "eq",
"trust": 1.0,
"vendor": "opensuse",
"version": "42.3"
},
{
"model": "c190",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "big-ip domain name system",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.2"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "31"
},
{
"model": "big-ip application acceleration manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "14.0.0"
},
{
"model": "big-ip edge gateway",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "12.1.5"
},
{
"model": "communications session border controller",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.1.0"
},
{
"model": "communications session router",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.3"
},
{
"model": "enterprise linux workstation",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.0"
},
{
"model": "node.js",
"scope": "gte",
"trust": 1.0,
"vendor": "nodejs",
"version": "6.9.0"
},
{
"model": "oncommand unified manager",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "services tools bundle",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "19.2"
},
{
"model": "pan-os",
"scope": "gte",
"trust": 1.0,
"vendor": "paloaltonetworks",
"version": "7.1.0"
},
{
"model": "a220",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "business intelligence",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.2.1.3.0"
},
{
"model": "communications session border controller",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "7.4"
},
{
"model": "big-ip access policy manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "12.1.5"
},
{
"model": "big-ip application security manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.0"
},
{
"model": "communications performance intelligence center",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "10.4.0.2"
},
{
"model": "big-ip analytics",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.2"
},
{
"model": "big-ip advanced firewall manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "12.1.5"
},
{
"model": "pan-os",
"scope": "lt",
"trust": 1.0,
"vendor": "paloaltonetworks",
"version": "7.1.15"
},
{
"model": "big-ip local traffic manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "14.0.0"
},
{
"model": "mysql",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "5.6.43"
},
{
"model": "big-ip analytics",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "12.1.0"
},
{
"model": "pan-os",
"scope": "lt",
"trust": 1.0,
"vendor": "paloaltonetworks",
"version": "8.1.8"
},
{
"model": "big-ip fraud protection service",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "15.0.0"
},
{
"model": "hci compute node",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "9.0"
},
{
"model": "big-iq centralized management",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "7.1.0"
},
{
"model": "hyper converged infrastructure",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "big-ip edge gateway",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "14.0.0"
},
{
"model": "big-ip advanced firewall manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "14.0.0"
},
{
"model": "big-ip global traffic manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "12.1.0"
},
{
"model": "big-ip application acceleration manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "15.0.0"
},
{
"model": "communications session border controller",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.2"
},
{
"model": "jd edwards world security",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "a9.3"
},
{
"model": "storage automation store",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "virtualization",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "4.0"
},
{
"model": "big-ip domain name system",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.0"
},
{
"model": "threat intelligence exchange server",
"scope": "lt",
"trust": 1.0,
"vendor": "mcafee",
"version": "3.0.0"
},
{
"model": "enterprise manager base platform",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "13.2.0.0.0"
},
{
"model": "storagegrid",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "big-ip domain name system",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "14.0.0"
},
{
"model": "big-ip fraud protection service",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "13.0.0"
},
{
"model": "communications session router",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0"
},
{
"model": "big-ip local traffic manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "15.0.0"
},
{
"model": "big-ip policy enforcement manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "12.1.5"
},
{
"model": "traffix signaling delivery controller",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "5.1.0"
},
{
"model": "big-ip application security manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "12.1.0"
},
{
"model": "communications unified session manager",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "7.3.5"
},
{
"model": "active iq unified manager",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "big-ip application acceleration manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "13.0.0"
},
{
"model": "big-ip analytics",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "15.1.0"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "29"
},
{
"model": "big-ip edge gateway",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "15.0.0"
},
{
"model": "big-ip advanced firewall manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "15.0.0"
},
{
"model": "big-ip policy enforcement manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "14.0.0"
},
{
"model": "traffix signaling delivery controller",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "5.0.0"
},
{
"model": "cn1610",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "big-ip webaccelerator",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.2"
},
{
"model": "enterprise linux workstation",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "6.0"
},
{
"model": "communications session router",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "7.4"
},
{
"model": "pan-os",
"scope": "gte",
"trust": 1.0,
"vendor": "paloaltonetworks",
"version": "8.1.0"
},
{
"model": "node.js",
"scope": "lte",
"trust": 1.0,
"vendor": "nodejs",
"version": "6.8.1"
},
{
"model": "big-ip policy enforcement manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.3"
},
{
"model": "santricity smi-s provider",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "big-ip fraud protection service",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.2"
},
{
"model": "big-ip link controller",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "12.1.0"
},
{
"model": "hci management node",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "big-ip local traffic manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "13.0.0"
},
{
"model": "agent",
"scope": "lte",
"trust": 1.0,
"vendor": "mcafee",
"version": "5.6.4"
},
{
"model": "business intelligence",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.2.1.4.0"
},
{
"model": "endeca server",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "7.7.0"
},
{
"model": "mysql",
"scope": "gte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0.0"
},
{
"model": "big-ip domain name system",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "15.0.0"
},
{
"model": "ontap select deploy administration utility",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "big-ip edge gateway",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "13.0.0"
},
{
"model": "element software",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "big-iq centralized management",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "6.0.0"
},
{
"model": "web gateway",
"scope": "lt",
"trust": 1.0,
"vendor": "mcafee",
"version": "9.0.0"
},
{
"model": "jd edwards world security",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "a9.3.1"
},
{
"model": "jd edwards enterpriseone tools",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "9.2"
},
{
"model": "big-ip application security manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "13.1.3"
},
{
"model": "ubuntu linux",
"scope": "eq",
"trust": 1.0,
"vendor": "canonical",
"version": "18.10"
},
{
"model": "big-ip policy enforcement manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "15.0.0"
},
{
"model": "big-ip application acceleration manager",
"scope": "lte",
"trust": 1.0,
"vendor": "f5",
"version": "14.1.2"
},
{
"model": "enterprise manager ops center",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.3.3"
},
{
"model": "mysql",
"scope": "gte",
"trust": 1.0,
"vendor": "oracle",
"version": "5.6.0"
},
{
"model": "storagegrid",
"scope": "lte",
"trust": 1.0,
"vendor": "netapp",
"version": "9.0.4"
},
{
"model": "big-ip access policy manager",
"scope": "gte",
"trust": 1.0,
"vendor": "f5",
"version": "13.0.0"
},
{
"model": "leap",
"scope": "eq",
"trust": 1.0,
"vendor": "opensuse",
"version": "15.1"
},
{
"model": "pan-os",
"scope": "gte",
"trust": 1.0,
"vendor": "paloaltonetworks",
"version": "8.0.0"
},
{
"model": "jp1/snmp system observer",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "steelstore cloud integrated storage",
"scope": null,
"trust": 0.8,
"vendor": "netapp",
"version": null
},
{
"model": "oncommand workflow automation",
"scope": null,
"trust": 0.8,
"vendor": "netapp",
"version": null
},
{
"model": "jp1/operations analytics",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "job management system partern 1/automatic job management system 3",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "storagegrid webscale",
"scope": null,
"trust": 0.8,
"vendor": "netapp",
"version": null
},
{
"model": "nessus",
"scope": null,
"trust": 0.8,
"vendor": "tenable",
"version": null
},
{
"model": "ucosminexus service architect",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "leap",
"scope": null,
"trust": 0.8,
"vendor": "opensuse",
"version": null
},
{
"model": "jp1/automatic job management system 3",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "traffix sdc",
"scope": null,
"trust": 0.8,
"vendor": "f5",
"version": null
},
{
"model": "jp1/data highway",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "openssl",
"scope": null,
"trust": 0.8,
"vendor": "openssl",
"version": null
},
{
"model": "ucosminexus primary server",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "ucosminexus developer",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "ubuntu",
"scope": null,
"trust": 0.8,
"vendor": "canonical",
"version": null
},
{
"model": "ucosminexus service platform",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "santricity smi-s provider",
"scope": null,
"trust": 0.8,
"vendor": "netapp",
"version": null
},
{
"model": "gnu/linux",
"scope": null,
"trust": 0.8,
"vendor": "debian",
"version": null
},
{
"model": "ontap select deploy administration utility",
"scope": null,
"trust": 0.8,
"vendor": "netapp",
"version": null
},
{
"model": "jp1/it desktop management 2",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "jp1/performance management",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "ontap select deploy",
"scope": null,
"trust": 0.8,
"vendor": "netapp",
"version": null
},
{
"model": "snapdrive",
"scope": null,
"trust": 0.8,
"vendor": "netapp",
"version": null
},
{
"model": "oncommand unified manager",
"scope": null,
"trust": 0.8,
"vendor": "netapp",
"version": null
},
{
"model": "jp1/automatic operation",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "cosminexus http server",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
},
{
"model": "hyper converged infrastructure",
"scope": null,
"trust": 0.8,
"vendor": "netapp",
"version": null
},
{
"model": "element software",
"scope": null,
"trust": 0.8,
"vendor": "netapp",
"version": null
},
{
"model": "ucosminexus application server",
"scope": null,
"trust": 0.8,
"vendor": "\u65e5\u7acb",
"version": null
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-002098"
},
{
"db": "NVD",
"id": "CVE-2019-1559"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Robert Merget and Nimrod Aviram, with additional investigation by Steven Collison and Andrew Hourselt,Red Hat,Slackware Security Team,Juraj Somorovsky",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201902-956"
}
],
"trust": 0.6
},
"cve": "CVE-2019-1559",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "CVE-2019-1559",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.9,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "VHN-147651",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.2,
"id": "CVE-2019-1559",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
{
"attackComplexity": "High",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 5.9,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2019-1559",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2019-1559",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2019-1559",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNNVD",
"id": "CNNVD-201902-956",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-147651",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2019-1559",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-147651"
},
{
"db": "VULMON",
"id": "CVE-2019-1559"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-002098"
},
{
"db": "CNNVD",
"id": "CNNVD-201902-956"
},
{
"db": "NVD",
"id": "CVE-2019-1559"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q). OpenSSL Contains an information disclosure vulnerability.Information may be obtained. The product supports a variety of encryption algorithms, including symmetric ciphers, hash algorithms, secure hash algorithms, etc. A vulnerability in OpenSSL could allow an unauthenticated, remote malicious user to access sensitive information on a targeted system. An attacker who is able to perform man-in-the-middle attacks could exploit the vulnerability by persuading a user to access a link that submits malicious input to the affected software. A successful exploit could allow the malicious user to intercept and modify the browser requests and then observe the server behavior in order to conduct a padding oracle attack and decrypt sensitive information. \n\nThis issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod Aviram,\nwith additional investigation by Steven Collison and Andrew Hourselt. It was\nreported to OpenSSL on 10th December 2018. \n\nNote: Advisory updated to make it clearer that AEAD ciphersuites are not impacted. \n\nNote\n====\n\nOpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates. Support\nfor 1.0.2 will end on 31st December 2019. Support for 1.1.0 will end on 11th\nSeptember 2019. Users of these versions should upgrade to OpenSSL 1.1.1. \n\nReferences\n==========\n\nURL for this Security Advisory:\nhttps://www.openssl.org/news/secadv/20190226.txt\n\nNote: the online version of the advisory may be updated with additional details\nover time. \n\nFor details of OpenSSL severity classifications please see:\nhttps://www.openssl.org/policies/secpolicy.html\n. The appliance is available\nto download as an OVA file from the Customer Portal. \n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 1.0.2r-1~deb9u1. \n\nFor the detailed security status of openssl1.0 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/openssl1.0\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAlx4WgkACgkQEMKTtsN8\nTjZZCQ//UdQ3Bi/ZSQJ2yzW7MkbuaHla53iUhztTy2Zrype++NX4tXqqBl+xY9Eu\n1D747Y1c2GZ949UaPbIvp8wLCvvxR5A4Tmx4sU3ZOOHXrlsZ5loYg66MslGUOMOU\nz7zaqXTg3as8wfD6ND5Zd4tP0iLyst8Vyi0W7PuFovLoPAc3/XcMaXghSwabs+JY\n3KZuB4UlbOiEnO+6Mf5ghWQYBtN7y/QAVNWREfLmhpx2UY8F7Ia28bR9pXknxkl5\nRuN9WH2BtXI4/JiL0TlkAua51NE+vXciPv+Dh4gkQNPWF/rfL9IL5AxjrgojysHf\nOhZaDcYpOPCXZmiA49JOXJOrIw73Zd9NZmgA1ZXQY1ECQDJ8dB9mSJj1KsUId+Id\neTbRRbWwpzSQd5qc4h4NKjeIwA04a3JecDibD3pwf3+qn9sw8xQ/rfAl2byGRbEN\nFUDT65AIw4CFQDJeIE/vBZqCFhY2aIbRoibpZnp0XsROkw8xKQiH0Kgo7gjsoozT\nwHYK/rlvaZwbnLG7E8pUUj9Xr8OM9Wn/y7kzyHVekGUcDef3F1pPJ9CYsdppx+Zv\nMkoFNxc9GZ+Kn2i4l14I3hvwQ4Sy3owNjnTYFQ28yd+MRZoMw+nyXW1i7OCu+KFH\n7OQkd5qNDh8iotsaUKT0DQOOL74UDgEPv2x02ahujRl+I3YDDdM=NRWo\n-----END PGP SIGNATURE-----\n. ==========================================================================\nUbuntu Security Notice USN-4376-2\nJuly 09, 2020\n\nopenssl vulnerabilities\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 14.04 ESM\n- Ubuntu 12.04 ESM\n\nSummary:\n\nSeveral security issues were fixed in OpenSSL. This update provides\nthe corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. \n\nOriginal advisory details:\n\n Cesar Pereida Garc\\xeda, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin,\n Alejandro Cabrera Aldaya, and Billy Brumley discovered that OpenSSL\n incorrectly handled ECDSA signatures. An attacker could possibly use this\n issue to perform a timing side-channel attack and recover private ECDSA\n keys. A remote attacker could possibly use this issue to decrypt\n data. (CVE-2019-1559)\n\n Bernd Edlinger discovered that OpenSSL incorrectly handled certain\n decryption functions. (CVE-2019-1563)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 14.04 ESM:\n libssl1.0.0 1.0.1f-1ubuntu2.27+esm1\n\nUbuntu 12.04 ESM:\n libssl1.0.0 1.0.1-4ubuntu5.44\n\nAfter a standard system update you need to reboot your computer to make\nall the necessary changes. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory GLSA 201903-10\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Normal\n Title: OpenSSL: Multiple vulnerabilities\n Date: March 14, 2019\n Bugs: #673056, #678564\n ID: 201903-10\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple Information Disclosure vulnerabilities in OpenSSL allow\nattackers to obtain sensitive information. \n\nAffected packages\n=================\n\n -------------------------------------------------------------------\n Package / Vulnerable / Unaffected\n -------------------------------------------------------------------\n 1 dev-libs/openssl \u003c 1.0.2r \u003e= 1.0.2r \n\nDescription\n===========\n\nMultiple vulnerabilities have been discovered in OpenSSL. Please review\nthe CVE identifiers referenced below for details. \n\nImpact\n======\n\nA remote attacker to obtain sensitive information, caused by the\nfailure to immediately close the TCP connection after the hosts\nencounter a zero-length record with valid padding. \n\nA local attacker could run a malicious process next to legitimate\nprocesses using the architectureas parallel thread running capabilities\nto leak encrypted data from the CPU\u0027s internal processes. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll OpenSSL users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose \"\u003e=dev-libs/openssl-1.0.2r\"\n\nReferences\n==========\n\n[ 1 ] CVE-2018-5407\n https://nvd.nist.gov/vuln/detail/CVE-2018-5407\n[ 2 ] CVE-2019-1559\n https://nvd.nist.gov/vuln/detail/CVE-2019-1559\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/201903-10\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2019 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n. 6) - i386, x86_64\n\n3. Description:\n\nRed Hat JBoss Web Server is a fully integrated and certified set of\ncomponents for hosting Java web applications. It is comprised of the Apache\nTomcat Servlet container, JBoss HTTP Connector (mod_cluster), the\nPicketLink Vault extension for Apache Tomcat, and the Tomcat Native\nlibrary. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Moderate: openssl security and bug fix update\nAdvisory ID: RHSA-2019:2304-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://access.redhat.com/errata/RHSA-2019:2304\nIssue date: 2019-08-06\nCVE Names: CVE-2018-0734 CVE-2019-1559\n====================================================================\n1. Summary:\n\nAn update for openssl is now available for Red Hat Enterprise Linux 7. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Client (v. 7) - x86_64\nRed Hat Enterprise Linux Client Optional (v. 7) - x86_64\nRed Hat Enterprise Linux ComputeNode (v. 7) - x86_64\nRed Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64\nRed Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64\nRed Hat Enterprise Linux Workstation (v. 7) - x86_64\nRed Hat Enterprise Linux Workstation Optional (v. 7) - x86_64\n\n3. Description:\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and\nTransport Layer Security (TLS) protocols, as well as a full-strength\ngeneral-purpose cryptography library. \n\nSecurity Fix(es):\n\n* openssl: 0-byte record padding oracle (CVE-2019-1559)\n\n* openssl: timing side channel attack in the DSA signature algorithm\n(CVE-2018-0734)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.7 Release Notes linked from the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nFor the update to take effect, all services linked to the OpenSSL library\nmust be restarted, or the system rebooted. \n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1644364 - CVE-2018-0734 openssl: timing side channel attack in the DSA signature algorithm\n1649568 - openssl: microarchitectural and timing side channel padding oracle attack against RSA\n1683804 - CVE-2019-1559 openssl: 0-byte record padding oracle\n\n6. Package List:\n\nRed Hat Enterprise Linux Client (v. 7):\n\nSource:\nopenssl-1.0.2k-19.el7.src.rpm\n\nx86_64:\nopenssl-1.0.2k-19.el7.x86_64.rpm\nopenssl-debuginfo-1.0.2k-19.el7.i686.rpm\nopenssl-debuginfo-1.0.2k-19.el7.x86_64.rpm\nopenssl-libs-1.0.2k-19.el7.i686.rpm\nopenssl-libs-1.0.2k-19.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Client Optional (v. 7):\n\nx86_64:\nopenssl-debuginfo-1.0.2k-19.el7.i686.rpm\nopenssl-debuginfo-1.0.2k-19.el7.x86_64.rpm\nopenssl-devel-1.0.2k-19.el7.i686.rpm\nopenssl-devel-1.0.2k-19.el7.x86_64.rpm\nopenssl-perl-1.0.2k-19.el7.x86_64.rpm\nopenssl-static-1.0.2k-19.el7.i686.rpm\nopenssl-static-1.0.2k-19.el7.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode (v. 7):\n\nSource:\nopenssl-1.0.2k-19.el7.src.rpm\n\nx86_64:\nopenssl-1.0.2k-19.el7.x86_64.rpm\nopenssl-debuginfo-1.0.2k-19.el7.i686.rpm\nopenssl-debuginfo-1.0.2k-19.el7.x86_64.rpm\nopenssl-libs-1.0.2k-19.el7.i686.rpm\nopenssl-libs-1.0.2k-19.el7.x86_64.rpm\n\nRed Hat Enterprise Linux ComputeNode Optional (v. 7):\n\nx86_64:\nopenssl-debuginfo-1.0.2k-19.el7.i686.rpm\nopenssl-debuginfo-1.0.2k-19.el7.x86_64.rpm\nopenssl-devel-1.0.2k-19.el7.i686.rpm\nopenssl-devel-1.0.2k-19.el7.x86_64.rpm\nopenssl-perl-1.0.2k-19.el7.x86_64.rpm\nopenssl-static-1.0.2k-19.el7.i686.rpm\nopenssl-static-1.0.2k-19.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Server (v. 7):\n\nSource:\nopenssl-1.0.2k-19.el7.src.rpm\n\nppc64:\nopenssl-1.0.2k-19.el7.ppc64.rpm\nopenssl-debuginfo-1.0.2k-19.el7.ppc.rpm\nopenssl-debuginfo-1.0.2k-19.el7.ppc64.rpm\nopenssl-devel-1.0.2k-19.el7.ppc.rpm\nopenssl-devel-1.0.2k-19.el7.ppc64.rpm\nopenssl-libs-1.0.2k-19.el7.ppc.rpm\nopenssl-libs-1.0.2k-19.el7.ppc64.rpm\n\nppc64le:\nopenssl-1.0.2k-19.el7.ppc64le.rpm\nopenssl-debuginfo-1.0.2k-19.el7.ppc64le.rpm\nopenssl-devel-1.0.2k-19.el7.ppc64le.rpm\nopenssl-libs-1.0.2k-19.el7.ppc64le.rpm\n\ns390x:\nopenssl-1.0.2k-19.el7.s390x.rpm\nopenssl-debuginfo-1.0.2k-19.el7.s390.rpm\nopenssl-debuginfo-1.0.2k-19.el7.s390x.rpm\nopenssl-devel-1.0.2k-19.el7.s390.rpm\nopenssl-devel-1.0.2k-19.el7.s390x.rpm\nopenssl-libs-1.0.2k-19.el7.s390.rpm\nopenssl-libs-1.0.2k-19.el7.s390x.rpm\n\nx86_64:\nopenssl-1.0.2k-19.el7.x86_64.rpm\nopenssl-debuginfo-1.0.2k-19.el7.i686.rpm\nopenssl-debuginfo-1.0.2k-19.el7.x86_64.rpm\nopenssl-devel-1.0.2k-19.el7.i686.rpm\nopenssl-devel-1.0.2k-19.el7.x86_64.rpm\nopenssl-libs-1.0.2k-19.el7.i686.rpm\nopenssl-libs-1.0.2k-19.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 7):\n\nppc64:\nopenssl-debuginfo-1.0.2k-19.el7.ppc.rpm\nopenssl-debuginfo-1.0.2k-19.el7.ppc64.rpm\nopenssl-perl-1.0.2k-19.el7.ppc64.rpm\nopenssl-static-1.0.2k-19.el7.ppc.rpm\nopenssl-static-1.0.2k-19.el7.ppc64.rpm\n\nppc64le:\nopenssl-debuginfo-1.0.2k-19.el7.ppc64le.rpm\nopenssl-perl-1.0.2k-19.el7.ppc64le.rpm\nopenssl-static-1.0.2k-19.el7.ppc64le.rpm\n\ns390x:\nopenssl-debuginfo-1.0.2k-19.el7.s390.rpm\nopenssl-debuginfo-1.0.2k-19.el7.s390x.rpm\nopenssl-perl-1.0.2k-19.el7.s390x.rpm\nopenssl-static-1.0.2k-19.el7.s390.rpm\nopenssl-static-1.0.2k-19.el7.s390x.rpm\n\nx86_64:\nopenssl-debuginfo-1.0.2k-19.el7.i686.rpm\nopenssl-debuginfo-1.0.2k-19.el7.x86_64.rpm\nopenssl-perl-1.0.2k-19.el7.x86_64.rpm\nopenssl-static-1.0.2k-19.el7.i686.rpm\nopenssl-static-1.0.2k-19.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation (v. 7):\n\nSource:\nopenssl-1.0.2k-19.el7.src.rpm\n\nx86_64:\nopenssl-1.0.2k-19.el7.x86_64.rpm\nopenssl-debuginfo-1.0.2k-19.el7.i686.rpm\nopenssl-debuginfo-1.0.2k-19.el7.x86_64.rpm\nopenssl-devel-1.0.2k-19.el7.i686.rpm\nopenssl-devel-1.0.2k-19.el7.x86_64.rpm\nopenssl-libs-1.0.2k-19.el7.i686.rpm\nopenssl-libs-1.0.2k-19.el7.x86_64.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 7):\n\nx86_64:\nopenssl-debuginfo-1.0.2k-19.el7.i686.rpm\nopenssl-debuginfo-1.0.2k-19.el7.x86_64.rpm\nopenssl-perl-1.0.2k-19.el7.x86_64.rpm\nopenssl-static-1.0.2k-19.el7.i686.rpm\nopenssl-static-1.0.2k-19.el7.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2018-0734\nhttps://access.redhat.com/security/cve/CVE-2019-1559\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.7_release_notes/index\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2019 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBXUl3otzjgjWX9erEAQgZQQ//XNcjRJGLVmjAzbVGiwxEqfFUvDVNiu97\nfW0vLXuV9TnQTveOVqOAWmmMv2iShkVIRPDvzlOfUsYrrDEYHKr0N38R/fhDEZsM\nWQrJh54WK9IjEGNevLTCePKMhVuII1WnHrLDwZ6hxYGdcap/sJrf+N428b5LvHbM\nB39vWl3vqJYXoiI5dmIYL8ko2SfLms5Cg+dR0hLrNohf9gK2La+jhWb/j2xw6X6q\n/LXw5+hi/G+USbnNFfjt9G0fNjMMZRX2bukUvY6UWJRYTOXpIUOFqqp5w9zgM7tZ\nuX7TMTC9xe6te4mBCAFDdt+kYYLYSHfSkFlFq+S7V0MY8DmnIzqBJE4lJIDTVp9F\nJbrMIPs9G5jdnzPUKZw/gH9WLgka8Q8AYI+KA2xSxFX9VZ20Z+EDDC9/4uwj3i0A\ngLeIB68OwD70jn4sjuQqizr7TCviQhTUoKVd/mTBAxSEFZLcE8Sy/BEYxLPm81z0\nveL16l6pmfg9uLac4V576ImfYNWlBEnJspA5E9K5CqQRPuZpCQFov7/D17Qm8v/x\nIcVKUaXiGquBwzHmIsD5lTCpl7CrGoU1PfNJ6Y/4xrVFOh1DLA4y6nnfysyO9eZx\nzBfuYS2VmfIq/tp1CjagI/DmJC4ezXeE4Phq9jm0EBASXtnLzVmc5j7kkqWjCcfm\nBtpJTAdr1kE=7kKR\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. These packages include redhat-release-virtualization-host,\novirt-node, and rhev-hypervisor. RHVH features a Cockpit user\ninterface for monitoring the host\u0027s resources and performing administrative\ntasks. \n\nThe following packages have been upgraded to a later upstream version:\nimgbased (1.1.9), ovirt-node-ng (4.3.5), redhat-release-virtualization-host\n(4.3.5), redhat-virtualization-host (4.3.5). Bugs fixed (https://bugzilla.redhat.com/):\n\n1640820 - CVE-2018-16838 sssd: improper implementation of GPOs due to too restrictive permissions\n1658366 - CVE-2018-16881 rsyslog: imptcp: integer overflow when Octet-Counted TCP Framing is enabled\n1683804 - CVE-2019-1559 openssl: 0-byte record padding oracle\n1687920 - RHVH fails to reinstall if required size is exceeding the available disk space due to anaconda bug\n1694065 - CVE-2019-0161 edk2: stack overflow in XHCI causing denial of service\n1702223 - Rebase RHV-H on RHEL 7.7\n1709829 - CVE-2019-10139 cockpit-ovirt: admin and appliance passwords saved in plain text variable file during HE deployment\n1718388 - CVE-2019-10160 python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc\n1720156 - RHVH 4.3.4 version info is incorrect in plymouth and \"/etc/os-release\"\n1720160 - RHVH 4.3.4: Incorrect info in /etc/system-release-cpe\n1720310 - RHV-H post-installation scripts failing, due to existing tags\n1720434 - RHVH 7.7 brand is wrong in Anaconda GUI. \n1720435 - Failed to install RHVH 7.7\n1720436 - RHVH 7.7 should based on RHEL 7.7 server but not workstation. \n1724044 - Failed dependencies occur during install systemtap package. \n1726534 - dhclient fails to load libdns-export.so.1102 after upgrade if the user installed library is not persisted on the new layer\n1727007 - Update RHVH 7.7 branding with new Red Hat logo\n1727859 - Failed to boot after upgrading a host with a custom kernel\n1728998 - \"nodectl info\" displays error after RHVH installation\n1729023 - The error message is inappropriate when run `imgbase layout --init` on current layout\n\n6. \n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n+--------------------------+\npatches/packages/openssl-1.0.2r-i586-1_slack14.2.txz: Upgraded. \n Go into the error state if a fatal alert is sent or received. \n For more information, see:\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559\n (* Security fix *)\npatches/packages/openssl-solibs-1.0.2r-i586-1_slack14.2.txz: Upgraded. \n+--------------------------+\n\n\nWhere to find the new packages:\n+-----------------------------+\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you. \n\nUpdated packages for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/openssl-1.0.2r-i586-1_slack14.2.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/openssl-solibs-1.0.2r-i586-1_slack14.2.txz\n\nUpdated packages for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/openssl-1.0.2r-x86_64-1_slack14.2.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/openssl-solibs-1.0.2r-x86_64-1_slack14.2.txz\n\n\nMD5 signatures:\n+-------------+\n\nSlackware 14.2 packages:\nb23a71963648d515630497f203eefab8 openssl-1.0.2r-i586-1_slack14.2.txz\n8b04a9be9b78052791f02428be44a639 openssl-solibs-1.0.2r-i586-1_slack14.2.txz\n\nSlackware x86_64 14.2 packages:\nc183c2ad507a65020f13c0dc154c0b11 openssl-1.0.2r-x86_64-1_slack14.2.txz\nd656915855edd6365636ac558b8180cb openssl-solibs-1.0.2r-x86_64-1_slack14.2.txz\n\n\nInstallation instructions:\n+------------------------+\n\nUpgrade the packages as root:\n# upgradepkg openssl-1.0.2r-i586-1_slack14.2.txz openssl-solibs-1.0.2r-i586-1_slack14.2.txz\n\n\n+-----+\n\nSlackware Linux Security Team\nhttp://slackware.com/gpg-key\nsecurity@slackware.com\n\n+------------------------------------------------------------------------+\n| To leave the slackware-security mailing list: |\n+------------------------------------------------------------------------+\n| Send an email to majordomo@slackware.com with this text in the body of |\n| the email message: |\n| |\n| unsubscribe slackware-security |\n| |\n| You will get a confirmation message back containing instructions to |\n| complete the process. Please do not reply to this email address",
"sources": [
{
"db": "NVD",
"id": "CVE-2019-1559"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-002098"
},
{
"db": "VULHUB",
"id": "VHN-147651"
},
{
"db": "VULMON",
"id": "CVE-2019-1559"
},
{
"db": "PACKETSTORM",
"id": "169635"
},
{
"db": "PACKETSTORM",
"id": "154009"
},
{
"db": "PACKETSTORM",
"id": "151918"
},
{
"db": "PACKETSTORM",
"id": "158377"
},
{
"db": "PACKETSTORM",
"id": "152084"
},
{
"db": "PACKETSTORM",
"id": "154042"
},
{
"db": "PACKETSTORM",
"id": "155415"
},
{
"db": "PACKETSTORM",
"id": "153932"
},
{
"db": "PACKETSTORM",
"id": "154008"
},
{
"db": "PACKETSTORM",
"id": "151886"
}
],
"trust": 2.7
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2019-1559",
"trust": 3.6
},
{
"db": "TENABLE",
"id": "TNS-2019-03",
"trust": 1.8
},
{
"db": "TENABLE",
"id": "TNS-2019-02",
"trust": 1.8
},
{
"db": "MCAFEE",
"id": "SB10282",
"trust": 1.8
},
{
"db": "BID",
"id": "107174",
"trust": 1.8
},
{
"db": "PACKETSTORM",
"id": "151886",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2019-002098",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201902-956",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "158377",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "155415",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2019.4479.2",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.3729",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.0102",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.2383",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.3462",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.0487",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.4083",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2019.0620",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2019.0751.2",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2019.4558",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.0696",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.0192",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2019.4479",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.0032",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.4255",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2019.4297",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2019.0666",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2019.4405",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2019.3390.4",
"trust": 0.6
},
{
"db": "PULSESECURE",
"id": "SA44019",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "151918",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "154042",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "151885",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-147651",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2019-1559",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "169635",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "154009",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "152084",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "153932",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "154008",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-147651"
},
{
"db": "VULMON",
"id": "CVE-2019-1559"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-002098"
},
{
"db": "PACKETSTORM",
"id": "169635"
},
{
"db": "PACKETSTORM",
"id": "154009"
},
{
"db": "PACKETSTORM",
"id": "151918"
},
{
"db": "PACKETSTORM",
"id": "158377"
},
{
"db": "PACKETSTORM",
"id": "152084"
},
{
"db": "PACKETSTORM",
"id": "154042"
},
{
"db": "PACKETSTORM",
"id": "155415"
},
{
"db": "PACKETSTORM",
"id": "153932"
},
{
"db": "PACKETSTORM",
"id": "154008"
},
{
"db": "PACKETSTORM",
"id": "151886"
},
{
"db": "CNNVD",
"id": "CNNVD-201902-956"
},
{
"db": "NVD",
"id": "CVE-2019-1559"
}
]
},
"id": "VAR-201902-0192",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-147651"
}
],
"trust": 0.3990740766666666
},
"last_update_date": "2024-11-29T21:28:53.683000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "hitachi-sec-2019-132 Software product security information",
"trust": 0.8,
"url": "https://usn.ubuntu.com/3899-1/"
},
{
"title": "OpenSSL Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=89673"
},
{
"title": "Red Hat: Moderate: openssl security and bug fix update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20192304 - Security Advisory"
},
{
"title": "Red Hat: Moderate: openssl security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20192471 - Security Advisory"
},
{
"title": "Ubuntu Security Notice: openssl, openssl1.0 vulnerability",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-3899-1"
},
{
"title": "Debian Security Advisories: DSA-4400-1 openssl1.0 -- security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=675a6469b3fad3c9a56addc922ae8d9d"
},
{
"title": "Red Hat: Moderate: rhvm-appliance security, bug fix, and enhancement update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20192439 - Security Advisory"
},
{
"title": "Red Hat: Moderate: Red Hat JBoss Web Server 5.2 security release",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20193929 - Security Advisory"
},
{
"title": "Red Hat: Moderate: Red Hat JBoss Web Server 5.2 security release",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20193931 - Security Advisory"
},
{
"title": "Red Hat: Important: Red Hat Virtualization security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20192437 - Security Advisory"
},
{
"title": "Red Hat: CVE-2019-1559",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=CVE-2019-1559"
},
{
"title": "Arch Linux Advisories: [ASA-201903-2] openssl-1.0: information disclosure",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories\u0026qid=ASA-201903-2"
},
{
"title": "Arch Linux Advisories: [ASA-201903-6] lib32-openssl-1.0: information disclosure",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories\u0026qid=ASA-201903-6"
},
{
"title": "Arch Linux Issues: ",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues\u0026qid=CVE-2019-1559"
},
{
"title": "Amazon Linux AMI: ALAS-2019-1188",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2019-1188"
},
{
"title": "Amazon Linux 2: ALAS2-2019-1362",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=ALAS2-2019-1362"
},
{
"title": "Amazon Linux 2: ALAS2-2019-1188",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=ALAS2-2019-1188"
},
{
"title": "IBM: IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Spectrum Protect Backup-Archive Client NetApp Services (CVE-2019-1559)",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=884ffe1be805ead0a804f06f7c14072c"
},
{
"title": "IBM: IBM Security Bulletin: IBM Security Proventia Network Active Bypass is affected by openssl vulnerabilities (CVE-2019-1559)",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=1092f7b64100b0110232688947fb97ed"
},
{
"title": "IBM: IBM Security Bulletin: Guardium StealthBits Integration is affected by an OpenSSL vulnerability",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=6b4ff04f16b62df96980d37251dc9ae0"
},
{
"title": "IBM: IBM Security Bulletin: IBM InfoSphere Master Data Management Standard and Advanced Editions are affected by vulnerabilities in OpenSSL (CVE-2019-1559)",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=7856a174f729c96cf2ba970cfef5f604"
},
{
"title": "IBM: IBM Security Bulletin: OpenSSL vulnerability affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2019-1559)",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=04a72ac59f1cc3a5b02c155d941c5cfd"
},
{
"title": "IBM: IBM Security Bulletin: IBM DataPower Gateway is affected by a padding oracle vulnerability (CVE-2019-1559)",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=9c55c211aa2410823d4d568143afa117"
},
{
"title": "IBM: Security Bulletin: OpenSSL vulnerabilites impacting Aspera High-Speed Transfer Server, Aspera Desktop Client 3.9.1 and earlier (CVE-2019-1559)",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=c233af3070d7248dcbafadb6b367e2a1"
},
{
"title": "IBM: IBM Security Bulletin: IBM QRadar Network Security is affected by openssl vulnerabilities (CVE-2019-1559, CVE-2018-0734)",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=7ceb7cf440b088f91358d1c597d5a414"
},
{
"title": "IBM: IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Rational ClearCase (CVE-2019-1559)",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=c0b11f80d1ecd798a97f3bda2b68f830"
},
{
"title": "IBM: IBM Security Bulletin: Vulnerability CVE-2019-1559 in OpenSSL affects IBM i",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=12860155d0bf31ea6e2e3ffcef7ea7e0"
},
{
"title": "IBM: IBM Security Bulletin: Vulnerability in OpenSSL affects AIX (CVE-2019-1559) Security Bulletin",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=2709308a62e1e2fafc2e4989ef440aa3"
},
{
"title": "IBM: IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Worklight and IBM MobileFirst Platform Foundation",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=1b873a45dce8bb56ff011908a9402b67"
},
{
"title": "IBM: IBM Security Bulletin: Node.js as used in IBM QRadar Packet Capture is vulnerable to the following CVE\u2019s (CVE-2019-1559, CVE-2019-5737, CVE-2019-5739)",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=aae1f2192c5cf9375ed61f7a27d08f64"
},
{
"title": "IBM: IBM Security Bulletin: Multiple Security Vulnerabilities affect IBM Cloud Private (CVE-2019-5739 CVE-2019-5737 CVE-2019-1559)",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=8b00742d4b57e0eaab4fd3f9a2125634"
},
{
"title": "IBM: IBM Security Bulletin: Vulnerabilities in OpenSSL affect GCM16 \u0026 GCM32 and LCM8 \u0026 LCM16 KVM Switch Firmware (CVE-2018-0732 CVE-2019-1559)",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=ca67e77b9edd2ad304d2f2da1853223f"
},
{
"title": "IBM: IBM Security Bulletin: Vulnerabilities in GNU OpenSSL (1.0.2 series) affect IBM Netezza Analytics",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=ac5ccbde4e4ddbcabd10cacf82487a11"
},
{
"title": "IBM: Security Bulletin: Vulnerabities in SSL in IBM DataPower Gateway",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=5fc1433ca504461e3bbb1d30e408592c"
},
{
"title": "Hitachi Security Advisories: Vulnerability in Cosminexus HTTP Server",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=hitachi_security_advisories\u0026qid=hitachi-sec-2019-112"
},
{
"title": "Hitachi Security Advisories: Vulnerability in JP1",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=hitachi_security_advisories\u0026qid=hitachi-sec-2019-132"
},
{
"title": "IBM: IBM Security Bulletin: Security vulnerabilities identified in OpenSSL affect Rational Build Forge (CVE-2018-0734, CVE-2018-5407 and CVE-2019-1559)",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=e59d7f075c856823d6f7370dea35e662"
},
{
"title": "Debian CVElist Bug Report Logs: mysql-5.7: Security fixes from the April 2019 CPU",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=5f1bd0287d0770973261ab8500c6982b"
},
{
"title": "IBM: IBM Security Bulletin: Vulnerability in Node.js affects IBM Integration Bus \u0026 IBM App Connect Enterprise V11",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=1a7cb34592ef045ece1d2b32c150f2a2"
},
{
"title": "IBM: IBM Security Bulletin: Secure Gateway is affected by multiple vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=28830011b173eee360fbb2a55c68c9d3"
},
{
"title": "IBM: IBM Security Bulletin: Multiple vulnerabilities affect IBM\u00ae SDK for Node.js\u2122 in IBM Cloud",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=8db7a9036f52f1664d12ac73d7a3506f"
},
{
"title": "IBM: IBM Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect the configuration editor used by IBM Business Automation Workflow and IBM Business Process Manager (BPM)",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=6b74f45222d8029af7ffef49314f6056"
},
{
"title": "Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - April 2019",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins\u0026qid=4ee609eeae78bbbd0d0c827f33a7f87f"
},
{
"title": "Tenable Security Advisories: [R1] Nessus Agent 7.4.0 Fixes One Third-party Vulnerability",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=tenable_security_advisories\u0026qid=TNS-2019-03"
},
{
"title": "Forcepoint Security Advisories: CVE-2018-0734 and CVE-2019-1559 (OpenSSL)",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=forcepoint_security_advisories\u0026qid=b508c983da563a8786bf80c360afb887"
},
{
"title": "Hitachi Security Advisories: Multiple Vulnerabilities in JP1/Automatic Job Management System 3 - Web Operation Assistant",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=hitachi_security_advisories\u0026qid=hitachi-sec-2021-121"
},
{
"title": "Palo Alto Networks Security Advisory: ",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=palo_alto_networks_security_advisory\u0026qid=217c2f4028735d91500e325e8ba1cbba"
},
{
"title": "Palo Alto Networks Security Advisory: CVE-2019-1559 OpenSSL vulnerability CVE-2019-1559 has been resolved in PAN-OS",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=palo_alto_networks_security_advisory\u0026qid=a16107c1f899993837417057168db200"
},
{
"title": "IBM: IBM Security Bulletin:IBM Security Identity Adapters has released a fix in response to the OpenSSL vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=00b8bc7d11e5484e8721f3f62ec2ce87"
},
{
"title": "IBM: Security Bulletin: Vulnerabilities have been identified in OpenSSL and the Kernel shipped with the DS8000 Hardware Management Console (HMC)",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=423d1da688755122eb2591196e4cc160"
},
{
"title": "IBM: IBM Security Bulletin: Multiple vulnerabilities affect IBM Watson Assistant for IBM Cloud Pak for Data",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=1e6142e07a3e9637110bdfa17e331459"
},
{
"title": "IBM: IBM Security Bulletin: Multiple Vulnerabilities in Watson Openscale (Liberty, Java, node.js)",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=a47e10150b300f15d2fd55b9cdaed12d"
},
{
"title": "Tenable Security Advisories: [R1] Nessus 8.3.0 Fixes Multiple Third-party Vulnerabilities",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=tenable_security_advisories\u0026qid=TNS-2019-02"
},
{
"title": "IBM: IBM Security Bulletin: BigFix Platform 9.5.x / 9.2.x affected by multiple vulnerabilities (CVE-2018-16839, CVE-2018-16842, CVE-2018-16840, CVE-2019-3823, CVE-2019-3822, CVE-2018-16890, CVE-2019-4011, CVE-2018-2005, CVE-2019-4058, CVE-2019-1559)",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=0b05dc856c1be71db871bcea94f6fa8d"
},
{
"title": "IBM: IBM Security Bulletin: Multiple Security Vulnerabilities have been addressed in IBM Security Access Manager Appliance",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=800337bc69aa7ad92ac88a2adcc7d426"
},
{
"title": "IBM: IBM Security Bulletin: Vyatta 5600 vRouter Software Patches \u2013 Releases 1801-w and 1801-y",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=bf3f2299a8658b7cd3984c40e7060666"
},
{
"title": "Siemens Security Advisories: Siemens Security Advisory",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories\u0026qid=ec6577109e640dac19a6ddb978afe82d"
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/Live-Hack-CVE/CVE-2019-1559 "
},
{
"title": "Centos-6-openssl-1.0.1e-58.pd1trfir",
"trust": 0.1,
"url": "https://github.com/daTourist/Centos-6-openssl-1.0.1e-58.pd1trfir "
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/tls-attacker/TLS-Padding-Oracles "
},
{
"title": "TLS-Padding-Oracles",
"trust": 0.1,
"url": "https://github.com/RUB-NDS/TLS-Padding-Oracles "
},
{
"title": "vyger",
"trust": 0.1,
"url": "https://github.com/mrodden/vyger "
},
{
"title": "",
"trust": 0.1,
"url": "https://github.com/vincent-deng/veracode-container-security-finding-parser "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2019-1559"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-002098"
},
{
"db": "CNNVD",
"id": "CNNVD-201902-956"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-203",
"trust": 1.1
},
{
"problemtype": "information leak (CWE-200) [NVD Evaluation ]",
"trust": 0.8
},
{
"problemtype": "CWE-200",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-147651"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-002098"
},
{
"db": "NVD",
"id": "CVE-2019-1559"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.6,
"url": "http://www.securityfocus.com/bid/107174"
},
{
"trust": 2.5,
"url": "https://access.redhat.com/errata/rhsa-2019:3929"
},
{
"trust": 2.4,
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"trust": 2.4,
"url": "https://access.redhat.com/errata/rhsa-2019:3931"
},
{
"trust": 2.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-1559"
},
{
"trust": 2.0,
"url": "https://access.redhat.com/errata/rhsa-2019:2304"
},
{
"trust": 1.9,
"url": "https://www.openssl.org/news/secadv/20190226.txt"
},
{
"trust": 1.9,
"url": "https://security.gentoo.org/glsa/201903-10"
},
{
"trust": 1.9,
"url": "https://access.redhat.com/errata/rhsa-2019:2437"
},
{
"trust": 1.9,
"url": "https://access.redhat.com/errata/rhsa-2019:2439"
},
{
"trust": 1.9,
"url": "https://access.redhat.com/errata/rhsa-2019:2471"
},
{
"trust": 1.9,
"url": "https://usn.ubuntu.com/3899-1/"
},
{
"trust": 1.8,
"url": "https://security.netapp.com/advisory/ntap-20190301-0001/"
},
{
"trust": 1.8,
"url": "https://security.netapp.com/advisory/ntap-20190301-0002/"
},
{
"trust": 1.8,
"url": "https://security.netapp.com/advisory/ntap-20190423-0002/"
},
{
"trust": 1.8,
"url": "https://www.tenable.com/security/tns-2019-02"
},
{
"trust": 1.8,
"url": "https://www.tenable.com/security/tns-2019-03"
},
{
"trust": 1.8,
"url": "https://www.debian.org/security/2019/dsa-4400"
},
{
"trust": 1.8,
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"trust": 1.8,
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"trust": 1.8,
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"trust": 1.8,
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
},
{
"trust": 1.8,
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html"
},
{
"trust": 1.8,
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html"
},
{
"trust": 1.8,
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html"
},
{
"trust": 1.8,
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html"
},
{
"trust": 1.8,
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html"
},
{
"trust": 1.8,
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html"
},
{
"trust": 1.8,
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00080.html"
},
{
"trust": 1.8,
"url": "https://usn.ubuntu.com/4376-2/"
},
{
"trust": 1.7,
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=sb10282"
},
{
"trust": 1.2,
"url": "https://support.f5.com/csp/article/k18549143"
},
{
"trust": 1.1,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ewc42uxl5ghtu5g77vkbf6jyuungshom/"
},
{
"trust": 1.1,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/zbev5qgdrfuzdmnecfxusn5fmyozde4v/"
},
{
"trust": 1.1,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/y3ivfgserazlnjck35tem2r4726xih3z/"
},
{
"trust": 1.1,
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3ba=commitdiff%3bh=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e"
},
{
"trust": 1.1,
"url": "https://support.f5.com/csp/article/k18549143?utm_source=f5support\u0026amp%3butm_medium=rss"
},
{
"trust": 0.7,
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e"
},
{
"trust": 0.7,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/zbev5qgdrfuzdmnecfxusn5fmyozde4v/"
},
{
"trust": 0.7,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/y3ivfgserazlnjck35tem2r4726xih3z/"
},
{
"trust": 0.7,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ewc42uxl5ghtu5g77vkbf6jyuungshom/"
},
{
"trust": 0.6,
"url": "http://aix.software.ibm.com/aix/efixes/security/openssl_advisory30.asc"
},
{
"trust": 0.6,
"url": "https://kb.pulsesecure.net/articles/pulse_security_advisories/sa44019/?l=en_us\u0026atype=sa\u0026fs=search\u0026pn=1\u0026atype=sa"
},
{
"trust": 0.6,
"url": "https://www.oracle.com/technetwork/topics/security/bulletinapr2019-5462008.html"
},
{
"trust": 0.6,
"url": "https://github.com/rub-nds/tls-padding-oracles"
},
{
"trust": 0.6,
"url": "http://openssl.org/"
},
{
"trust": 0.6,
"url": "https://support.f5.com/csp/article/k18549143?utm_source=f5support\u0026utm_medium=rss"
},
{
"trust": 0.6,
"url": "https://support.symantec.com/us/en/article.symsa1490.html"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/support/pages/node/1170328"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/support/pages/node/1170340"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/support/pages/node/1170334"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/support/pages/node/1170322"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/support/pages/node/1170352"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/support/pages/node/1170346"
},
{
"trust": 0.6,
"url": "https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/"
},
{
"trust": 0.6,
"url": "https://www.suse.com/support/update/announcement/2019/suse-su-20190572-1/"
},
{
"trust": 0.6,
"url": "https://usn.ubuntu.com/4212-1/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/support/pages/node/1115655"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/support/pages/node/1115649"
},
{
"trust": 0.6,
"url": "https://www.hitachi.co.jp/prod/comp/soft1/global/security/info/vuls/ hitachi-sec-2019-132/index.html"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/support/pages/node/2016771"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/support/pages/node/2020677"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/support/pages/node/2027745"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/support/pages/node/1126581"
},
{
"trust": 0.6,
"url": "http://www.hitachi.co.jp/prod/comp/soft1/global/security/info/vuls/hitachi-sec-2019-132/index.html"
},
{
"trust": 0.6,
"url": "http://www.ubuntu.com/usn/usn-3899-1"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/76438"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-openssl-affect-ibm-tivoli-netcool-system-service-monitors-application-service-monitors-cve-2018-5407cve-2020-1967cve-2018-0734cve-2019-1563cve-2019/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2019.4405/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/support/pages/node/1116357"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2019.4558/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2019.4479/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.3729/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/76230"
},
{
"trust": 0.6,
"url": "https://www.oracle.com/security-alerts/cpujan2020verbose.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.0032/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.0487/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/support/pages/node/1115643"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/openssl-1-0-2-information-disclosure-via-0-byte-record-padding-oracle-28600"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/support/pages/node/3517185"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/support/pages/node/1167202"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-openssl-as-used-by-ibm-qradar-siem-is-missing-a-required-cryptographic-step-cve-2019-1559/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.0192/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2019.3390.4/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-affects-ibm-integrated-analytics-system/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2019.4479.2/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.3462/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4083"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/155415/red-hat-security-advisory-2019-3929-01.html"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/support/pages/node/6520674"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.0696"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-have-been-identified-in-openssl-and-the-kernel-shipped-with-the-ds8000-hardware-management-console-hmc/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/76782"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rackswitch-firmware-products-are-affected-by-the-following-opensll-vulnerability/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.2383/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.4255/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2019.4297/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.0102/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/support/pages/node/1143442"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-in-openssh-and-openssl-shipped-with-ibm-security-access-manager-appliance-cve-2018-15473-cve-2019-1559/"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/support/pages/node/1105965"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/158377/ubuntu-security-notice-usn-4376-2.html"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/support/pages/node/1106553"
},
{
"trust": 0.6,
"url": "https://www.ibm.com/blogs/psirt/security-bulletin-public-disclosed-vulnerability-from-openssl-affect-ibm-netezza-host-management/"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/151886/slackware-security-advisory-openssl-updates.html"
},
{
"trust": 0.5,
"url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.5,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/cve/cve-2019-1559"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/articles/2974891"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2018-16881"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-16881"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-5407"
},
{
"trust": 0.1,
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026amp;id=sb10282"
},
{
"trust": 0.1,
"url": "https://support.f5.com/csp/article/k18549143?utm_source=f5support\u0026amp;amp;utm_medium=rss"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/203.html"
},
{
"trust": 0.1,
"url": "https://github.com/live-hack-cve/cve-2019-1559"
},
{
"trust": 0.1,
"url": "https://tools.cisco.com/security/center/viewalert.x?alertid=59697"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://www.openssl.org/policies/secpolicy.html"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-3888"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-3888"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/"
},
{
"trust": 0.1,
"url": "https://www.debian.org/security/faq"
},
{
"trust": 0.1,
"url": "https://security-tracker.debian.org/tracker/openssl1.0"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-1547"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-1563"
},
{
"trust": 0.1,
"url": "https://usn.ubuntu.com/4376-1"
},
{
"trust": 0.1,
"url": "https://usn.ubuntu.com/4376-2"
},
{
"trust": 0.1,
"url": "https://bugs.gentoo.org."
},
{
"trust": 0.1,
"url": "https://creativecommons.org/licenses/by-sa/2.5"
},
{
"trust": 0.1,
"url": "https://security.gentoo.org/"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-10072"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-0221"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-10072"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2018-5407"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/5.2/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-0221"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.7_release_notes/index"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-0734"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2018-0734"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-10160"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-0161"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2018-16838"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-10160"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-16838"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-0161"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-10139"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-10139"
},
{
"trust": 0.1,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-1559"
},
{
"trust": 0.1,
"url": "http://slackware.com"
},
{
"trust": 0.1,
"url": "http://osuosl.org)"
},
{
"trust": 0.1,
"url": "http://slackware.com/gpg-key"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-147651"
},
{
"db": "VULMON",
"id": "CVE-2019-1559"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-002098"
},
{
"db": "PACKETSTORM",
"id": "169635"
},
{
"db": "PACKETSTORM",
"id": "154009"
},
{
"db": "PACKETSTORM",
"id": "151918"
},
{
"db": "PACKETSTORM",
"id": "158377"
},
{
"db": "PACKETSTORM",
"id": "152084"
},
{
"db": "PACKETSTORM",
"id": "154042"
},
{
"db": "PACKETSTORM",
"id": "155415"
},
{
"db": "PACKETSTORM",
"id": "153932"
},
{
"db": "PACKETSTORM",
"id": "154008"
},
{
"db": "PACKETSTORM",
"id": "151886"
},
{
"db": "CNNVD",
"id": "CNNVD-201902-956"
},
{
"db": "NVD",
"id": "CVE-2019-1559"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-147651"
},
{
"db": "VULMON",
"id": "CVE-2019-1559"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-002098"
},
{
"db": "PACKETSTORM",
"id": "169635"
},
{
"db": "PACKETSTORM",
"id": "154009"
},
{
"db": "PACKETSTORM",
"id": "151918"
},
{
"db": "PACKETSTORM",
"id": "158377"
},
{
"db": "PACKETSTORM",
"id": "152084"
},
{
"db": "PACKETSTORM",
"id": "154042"
},
{
"db": "PACKETSTORM",
"id": "155415"
},
{
"db": "PACKETSTORM",
"id": "153932"
},
{
"db": "PACKETSTORM",
"id": "154008"
},
{
"db": "PACKETSTORM",
"id": "151886"
},
{
"db": "CNNVD",
"id": "CNNVD-201902-956"
},
{
"db": "NVD",
"id": "CVE-2019-1559"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-02-27T00:00:00",
"db": "VULHUB",
"id": "VHN-147651"
},
{
"date": "2019-02-27T00:00:00",
"db": "VULMON",
"id": "CVE-2019-1559"
},
{
"date": "2019-04-02T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-002098"
},
{
"date": "2019-02-26T12:12:12",
"db": "PACKETSTORM",
"id": "169635"
},
{
"date": "2019-08-12T17:13:13",
"db": "PACKETSTORM",
"id": "154009"
},
{
"date": "2019-03-01T14:06:40",
"db": "PACKETSTORM",
"id": "151918"
},
{
"date": "2020-07-09T18:42:27",
"db": "PACKETSTORM",
"id": "158377"
},
{
"date": "2019-03-14T16:23:47",
"db": "PACKETSTORM",
"id": "152084"
},
{
"date": "2019-08-13T17:44:04",
"db": "PACKETSTORM",
"id": "154042"
},
{
"date": "2019-11-20T20:44:44",
"db": "PACKETSTORM",
"id": "155415"
},
{
"date": "2019-08-06T21:09:19",
"db": "PACKETSTORM",
"id": "153932"
},
{
"date": "2019-08-12T17:13:02",
"db": "PACKETSTORM",
"id": "154008"
},
{
"date": "2019-02-27T19:22:00",
"db": "PACKETSTORM",
"id": "151886"
},
{
"date": "2019-02-26T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201902-956"
},
{
"date": "2019-02-27T23:29:00.277000",
"db": "NVD",
"id": "CVE-2019-1559"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-08-19T00:00:00",
"db": "VULHUB",
"id": "VHN-147651"
},
{
"date": "2023-11-07T00:00:00",
"db": "VULMON",
"id": "CVE-2019-1559"
},
{
"date": "2021-07-15T06:04:00",
"db": "JVNDB",
"id": "JVNDB-2019-002098"
},
{
"date": "2022-03-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201902-956"
},
{
"date": "2024-11-21T04:36:48.960000",
"db": "NVD",
"id": "CVE-2019-1559"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "169635"
},
{
"db": "CNNVD",
"id": "CNNVD-201902-956"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "OpenSSL\u00a0 Information Disclosure Vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-002098"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "information disclosure",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201902-956"
}
],
"trust": 0.6
}
}
var-202208-0404
Vulnerability from variot
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
This release includes security and bug fixes, and enhancements. Bugs fixed (https://bugzilla.redhat.com/):
2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic 2064702 - CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server 2142799 - Release of OpenShift Serverless Serving 1.26.0 2142801 - Release of OpenShift Serverless Eventing 1.26.0
-
LOG-3252 - [release-5.4]Adding Valid Subscription Annotation
-
========================================================================== Ubuntu Security Notice USN-6736-2 May 23, 2024
klibc vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
Summary:
Several security issues were fixed in klibc.
Software Description: - klibc: small utilities built with klibc for early boot
Details:
USN-6736-1 fixed vulnerabilities in klibc. This update provides the corresponding updates for Ubuntu 24.04 LTS.
Original advisory details:
It was discovered that zlib, vendored in klibc, incorrectly handled pointer arithmetic. An attacker could use this issue to cause klibc to crash or to possibly execute arbitrary code. (CVE-2016-9840, CVE-2016-9841)
Danilo Ramos discovered that zlib, vendored in klibc, incorrectly handled memory when performing certain deflating operations. An attacker could use this issue to cause klibc to crash or to possibly execute arbitrary code. (CVE-2018-25032)
Evgeny Legerov discovered that zlib, vendored in klibc, incorrectly handled memory when performing certain inflate operations. An attacker could use this issue to cause klibc to crash or to possibly execute arbitrary code. (CVE-2022-37434)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 24.04 LTS klibc-utils 2.0.13-4ubuntu0.1 libklibc 2.0.13-4ubuntu0.1
In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: rsync security and enhancement update Advisory ID: RHSA-2022:7793-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2022:7793 Issue date: 2022-11-08 CVE Names: CVE-2022-37434 ==================================================================== 1. Summary:
An update for rsync is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64
- Description:
The rsync utility enables the users to copy and synchronize files locally or across a network. Synchronization with rsync is fast because rsync only sends the differences in files over the network instead of sending whole files. The rsync utility is also used as a mirroring tool.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.7 Release Notes linked from the References section.
- Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2043753 - [RFE] Improve defaults for sparse file buffering. Package List:
Red Hat Enterprise Linux BaseOS (v. 8):
Source: rsync-3.1.3-19.el8.src.rpm
aarch64: rsync-3.1.3-19.el8.aarch64.rpm rsync-debuginfo-3.1.3-19.el8.aarch64.rpm rsync-debugsource-3.1.3-19.el8.aarch64.rpm
noarch: rsync-daemon-3.1.3-19.el8.noarch.rpm
ppc64le: rsync-3.1.3-19.el8.ppc64le.rpm rsync-debuginfo-3.1.3-19.el8.ppc64le.rpm rsync-debugsource-3.1.3-19.el8.ppc64le.rpm
s390x: rsync-3.1.3-19.el8.s390x.rpm rsync-debuginfo-3.1.3-19.el8.s390x.rpm rsync-debugsource-3.1.3-19.el8.s390x.rpm
x86_64: rsync-3.1.3-19.el8.x86_64.rpm rsync-debuginfo-3.1.3-19.el8.x86_64.rpm rsync-debugsource-3.1.3-19.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-37434 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.7_release_notes/index
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBY2pSJ9zjgjWX9erEAQhctA/+LG9CKJG+ronMeYqaYry5AZbiLDWwxSoI N2WXEREzS8K0QNNPXpDVUGvaPcH45veL2eSxboIyarv9HzYrgB9QmEMB6TlLQdah T0bign9+51kyZXzP+QNxO09pv5ps0AUTZADy67pw2YCz3/NFVLKxAY35BoyBS7po eqvWSQXYrNjFzDrDfPL8hpPBQN+l6fZ4d3loF9aq06DNC/LYIDJ68JJLTkiwehjV ad/MqywMu26entrvK/CO1veaQkWi64WeKQSC8lCf97HONvgQKk75xJ20Z6p/RNou 82WQd2pKa9m6NwZPgIA6H+/S2yNGZnDLHitWzT5V7OfPpoOrh1sQnReuhT0F8bXh vsoGCyj+aVO/J4o/CdxWIcGxjd6SPx5wnmQPUdRNgbL/tBIxUIHjLj2CDrHgIH8S YikOcfquQ6os9OPdVS6P2KIIZJngmwCrxoJgk6fIgSSh+KcVhvjtLsqV6juGpuPw Jp0PK86R11LwjvCIHHUZbvTTIa4zpsQw+PQyIIv0N3qxnji5iog90zAm4MmTvjnA OJJu8CX1ayVzSc4Vh5wzDVaJG5wneHvVKmEa39OF+RGOB8vx5Dvn3dLFZNdK5Uko qINCliFhY2+nAj0wkUyhi8a2Ycsllerh4U5suqigGtzQXU6+hF9le2qymERCmkaT VzceG5KCVt4=u5mb -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Solution:
Before applying this update, ensure all previously released errata relevant to your system have been applied.
Follow the instructions linked in the References section to create service binding connections between applications and services using the Developer perspective in the OpenShift Container Platform web console. Bugs fixed (https://bugzilla.redhat.com/):
2134010 - CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags
- JIRA issues fixed (https://issues.jboss.org/):
APPSVC-1220 - Fix CVE-2022-32149
- Description:
OpenShift API for Data Protection (OADP) enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes. Bugs fixed (https://bugzilla.redhat.com/):
2064702 - CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server 2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob 2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode 2124668 - CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances 2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
- JIRA issues fixed (https://issues.jboss.org/):
OADP-1002 - DataMover: Backup partially fails for a namespace without PVC OADP-1016 - DataMover: Restore randomly fails with "secrets vsr-lttsv-secret already exists" error OADP-1020 - DataMover: restore partiallyFailed with "Plugin Panicked" error OADP-1027 - DataMover: VSB fails with error "cannot obtain source volumesnapshot" OADP-608 - Data mover restic secret does not support GCP OADP-609 - Data mover VSR validation for default volumesnapshotclass and storageclass OADP-611 - Data mover VSR resources are sometimes created multiple times with multiple PVCs OADP-612 - Data mover Backup & Restore needs to fail if a validation check fails OADP-642 - OADP CRD descriptions should use the same capitalization as yaml fields OADP-645 - Data mover performance on restore blocks restore process OADP-662 - VSB/VSR needs to fail if backup/restore partially fails or fails OADP-724 - Setting an excludedNamespace and includedNamespace in the same backup crashes velero OADP-725 - DC Restic Post Restore Script handle restore name longer than 63 characters OADP-731 - Backup partiallyFails with data mover if a stale snapshot is encountered OADP-741 - Data Mover VSB/VSR CRs do not include status on error OADP-774 - OADP must-gather is getting stuck OADP-794 - Second restore of CSI volume fails due to dataSource doesn't match dataSourceRef OADP-825 - CSI Volumesnapshot Deletion fails with nil pointer execption bug OADP-849 - DataMover: restore PartiallyFails randomly with "ReplicationDestination.volsync.backube xxxx not found" error OADP-927 - DataMover backup fails with nil pointer issue
- Description:
OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.
Bug Fix(es):
-
Cloning a Block DV to VM with Filesystem with not big enough size comes to endless loop - using pvc api (BZ#2033191)
-
Restart of VM Pod causes SSH keys to be regenerated within VM (BZ#2087177)
-
Import gzipped raw file causes image to be downloaded and uncompressed to TMPDIR (BZ#2089391)
-
[4.11] VM Snapshot Restore hangs indefinitely when backed by a snapshotclass (BZ#2098225)
-
Fedora version in DataImportCrons is not 'latest' (BZ#2102694)
-
[4.11] Cloned VM's snapshot restore fails if the source VM disk is deleted (BZ#2109407)
-
CNV introduces a compliance check fail in "ocp4-moderate" profile - routes-protected-by-tls (BZ#2110562)
-
Nightly build: v4.11.0-578: index format was changed in 4.11 to file-based instead of sqlite-based (BZ#2112643)
-
Unable to start windows VMs on PSI setups (BZ#2115371)
-
[4.11.1]virt-launcher cannot be started on OCP 4.12 due to PodSecurity restricted:v1.24 (BZ#2128997)
-
Mark Windows 11 as TechPreview (BZ#2129013)
-
4.11.1 rpms (BZ#2139453)
This advisory contains the following OpenShift Virtualization 4.11.1 images.
RHEL-8-CNV-4.11
virt-cdi-operator-container-v4.11.1-5 virt-cdi-uploadserver-container-v4.11.1-5 virt-cdi-apiserver-container-v4.11.1-5 virt-cdi-importer-container-v4.11.1-5 virt-cdi-controller-container-v4.11.1-5 virt-cdi-cloner-container-v4.11.1-5 virt-cdi-uploadproxy-container-v4.11.1-5 checkup-framework-container-v4.11.1-3 kubevirt-tekton-tasks-wait-for-vmi-status-container-v4.11.1-7 kubevirt-tekton-tasks-create-datavolume-container-v4.11.1-7 kubevirt-template-validator-container-v4.11.1-4 virt-handler-container-v4.11.1-5 hostpath-provisioner-operator-container-v4.11.1-4 virt-api-container-v4.11.1-5 vm-network-latency-checkup-container-v4.11.1-3 cluster-network-addons-operator-container-v4.11.1-5 virtio-win-container-v4.11.1-4 virt-launcher-container-v4.11.1-5 ovs-cni-marker-container-v4.11.1-5 hyperconverged-cluster-webhook-container-v4.11.1-7 virt-controller-container-v4.11.1-5 virt-artifacts-server-container-v4.11.1-5 kubevirt-tekton-tasks-modify-vm-template-container-v4.11.1-7 kubevirt-tekton-tasks-disk-virt-customize-container-v4.11.1-7 libguestfs-tools-container-v4.11.1-5 hostpath-provisioner-container-v4.11.1-4 kubevirt-tekton-tasks-disk-virt-sysprep-container-v4.11.1-7 kubevirt-tekton-tasks-copy-template-container-v4.11.1-7 cnv-containernetworking-plugins-container-v4.11.1-5 bridge-marker-container-v4.11.1-5 virt-operator-container-v4.11.1-5 hostpath-csi-driver-container-v4.11.1-4 kubevirt-tekton-tasks-create-vm-from-template-container-v4.11.1-7 kubemacpool-container-v4.11.1-5 hyperconverged-cluster-operator-container-v4.11.1-7 kubevirt-ssp-operator-container-v4.11.1-4 ovs-cni-plugin-container-v4.11.1-5 kubevirt-tekton-tasks-cleanup-vm-container-v4.11.1-7 kubevirt-tekton-tasks-operator-container-v4.11.1-2 cnv-must-gather-container-v4.11.1-8 kubevirt-console-plugin-container-v4.11.1-9 hco-bundle-registry-container-v4.11.1-49
- Bugs fixed (https://bugzilla.redhat.com/):
2033191 - Cloning a Block DV to VM with Filesystem with not big enough size comes to endless loop - using pvc api 2064857 - CVE-2022-24921 golang: regexp: stack exhaustion via a deeply nested expression 2070772 - When specifying pciAddress for several SR-IOV NIC they are not correctly propagated to libvirt XML 2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode 2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar 2087177 - Restart of VM Pod causes SSH keys to be regenerated within VM 2089391 - Import gzipped raw file causes image to be downloaded and uncompressed to TMPDIR 2091856 - ?Edit BootSource? action should have more explicit information when disabled 2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add 2098225 - [4.11] VM Snapshot Restore hangs indefinitely when backed by a snapshotclass 2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS 2102694 - Fedora version in DataImportCrons is not 'latest' 2109407 - [4.11] Cloned VM's snapshot restore fails if the source VM disk is deleted 2110562 - CNV introduces a compliance check fail in "ocp4-moderate" profile - routes-protected-by-tls 2112643 - Nightly build: v4.11.0-578: index format was changed in 4.11 to file-based instead of sqlite-based 2115371 - Unable to start windows VMs on PSI setups 2119613 - GiB changes to B in Template's Edit boot source reference modal 2128554 - The storageclass of VM disk is different from quick created and customize created after changed the default storageclass 2128872 - [4.11]Can't restore cloned VM 2128997 - [4.11.1]virt-launcher cannot be started on OCP 4.12 due to PodSecurity restricted:v1.24 2129013 - Mark Windows 11 as TechPreview 2129235 - [RFE] Add "Copy SSH command" to VM action list 2134668 - Cannot edit ssh even vm is stopped 2139453 - 4.11.1 rpms
- This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. Bugs fixed (https://bugzilla.redhat.com/):
2064319 - CVE-2022-23943 httpd: mod_sed: Read/write beyond bounds 2064320 - CVE-2022-22721 httpd: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody 2081494 - CVE-2022-1292 openssl: c_rehash script allows command injection 2094997 - CVE-2022-26377 httpd: mod_proxy_ajp: Possible request smuggling 2095000 - CVE-2022-28330 httpd: mod_isapi: out-of-bounds read 2095002 - CVE-2022-28614 httpd: Out-of-bounds read via ap_rwrite() 2095006 - CVE-2022-28615 httpd: Out-of-bounds read in ap_strcmp_match() 2095015 - CVE-2022-30522 httpd: mod_sed: DoS vulnerability 2095020 - CVE-2022-31813 httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism 2097310 - CVE-2022-2068 openssl: the c_rehash script allows command injection 2099300 - CVE-2022-32206 curl: HTTP compression denial of service 2099305 - CVE-2022-32207 curl: Unpreserved file permissions 2099306 - CVE-2022-32208 curl: FTP-KRB bad message verification 2116639 - CVE-2022-37434 zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field 2120718 - CVE-2022-35252 curl: control code in cookie denial of service 2130769 - CVE-2022-40674 expat: a use-after-free in the doContent function in xmlparse.c 2135411 - CVE-2022-32221 curl: POST following PUT confusion 2135413 - CVE-2022-42915 curl: HTTP proxy double-free 2135416 - CVE-2022-42916 curl: HSTS bypass via IDN 2136266 - CVE-2022-40303 libxml2: integer overflows with XML_PARSE_HUGE 2136288 - CVE-2022-40304 libxml2: dict corruption caused by entity reference cycles
5
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202208-0404",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "ontap select deploy administration utility",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "network security",
"scope": "lt",
"trust": 1.0,
"vendor": "stormshield",
"version": "3.7.34"
},
{
"model": "network security",
"scope": "lt",
"trust": 1.0,
"vendor": "stormshield",
"version": "4.3.16"
},
{
"model": "ipados",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "15.7.1"
},
{
"model": "h300s",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "watchos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "9.1"
},
{
"model": "h500s",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "h700s",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "iphone os",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "16.1"
},
{
"model": "network security",
"scope": "gte",
"trust": 1.0,
"vendor": "stormshield",
"version": "3.7.31"
},
{
"model": "management services for element software",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "storagegrid",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "macos",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "11.0"
},
{
"model": "macos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "12.6.1"
},
{
"model": "network security",
"scope": "lt",
"trust": 1.0,
"vendor": "stormshield",
"version": "4.6.3"
},
{
"model": "zlib",
"scope": "lte",
"trust": 1.0,
"vendor": "zlib",
"version": "1.2.12"
},
{
"model": "oncommand workflow automation",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "iphone os",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "15.7.1"
},
{
"model": "network security",
"scope": "gte",
"trust": 1.0,
"vendor": "stormshield",
"version": "4.3.0"
},
{
"model": "network security",
"scope": "lt",
"trust": 1.0,
"vendor": "stormshield",
"version": "3.11.22"
},
{
"model": "hci compute node",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "macos",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "12.0.0"
},
{
"model": "active iq unified manager",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "network security",
"scope": "gte",
"trust": 1.0,
"vendor": "stormshield",
"version": "3.11.0"
},
{
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "10.0"
},
{
"model": "hci",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"model": "macos",
"scope": "lt",
"trust": 1.0,
"vendor": "apple",
"version": "11.7.1"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "35"
},
{
"model": "iphone os",
"scope": "gte",
"trust": 1.0,
"vendor": "apple",
"version": "16.0"
},
{
"model": "network security",
"scope": "gte",
"trust": 1.0,
"vendor": "stormshield",
"version": "4.6.0"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "36"
},
{
"model": "fedora",
"scope": "eq",
"trust": 1.0,
"vendor": "fedoraproject",
"version": "37"
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2022-37434"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Red Hat",
"sources": [
{
"db": "PACKETSTORM",
"id": "170206"
},
{
"db": "PACKETSTORM",
"id": "169920"
},
{
"db": "PACKETSTORM",
"id": "169783"
},
{
"db": "PACKETSTORM",
"id": "169726"
},
{
"db": "PACKETSTORM",
"id": "169804"
},
{
"db": "PACKETSTORM",
"id": "170027"
},
{
"db": "PACKETSTORM",
"id": "170083"
},
{
"db": "PACKETSTORM",
"id": "170165"
}
],
"trust": 0.8
},
"cve": "CVE-2022-37434",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"id": "CVE-2022-37434",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2022-37434",
"trust": 1.0,
"value": "CRITICAL"
},
{
"author": "CNNVD",
"id": "CNNVD-202208-2276",
"trust": 0.6,
"value": "CRITICAL"
}
]
}
],
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202208-2276"
},
{
"db": "NVD",
"id": "CVE-2022-37434"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference). \n\nThis release includes security and bug fixes, and enhancements. Bugs fixed (https://bugzilla.redhat.com/):\n\n2030787 - CVE-2021-43565 golang.org/x/crypto: empty plaintext packet causes panic\n2064702 - CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server\n2142799 - Release of OpenShift Serverless Serving 1.26.0\n2142801 - Release of OpenShift Serverless Eventing 1.26.0\n\n5. \nLOG-3252 - [release-5.4]Adding Valid Subscription Annotation\n\n6. ==========================================================================\nUbuntu Security Notice USN-6736-2\nMay 23, 2024\n\nklibc vulnerabilities\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 24.04 LTS\n\nSummary:\n\nSeveral security issues were fixed in klibc. \n\nSoftware Description:\n- klibc: small utilities built with klibc for early boot\n\nDetails:\n\nUSN-6736-1 fixed vulnerabilities in klibc. This update provides the\ncorresponding updates for Ubuntu 24.04 LTS. \n\nOriginal advisory details:\n\n It was discovered that zlib, vendored in klibc, incorrectly handled \npointer\n arithmetic. An attacker could use this issue to cause klibc to crash or to\n possibly execute arbitrary code. (CVE-2016-9840, CVE-2016-9841)\n\n Danilo Ramos discovered that zlib, vendored in klibc, incorrectly handled\n memory when performing certain deflating operations. An attacker could use\n this issue to cause klibc to crash or to possibly execute arbitrary code. \n (CVE-2018-25032)\n\n Evgeny Legerov discovered that zlib, vendored in klibc, incorrectly \nhandled\n memory when performing certain inflate operations. An attacker could use\n this issue to cause klibc to crash or to possibly execute arbitrary code. \n (CVE-2022-37434)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 24.04 LTS\n klibc-utils 2.0.13-4ubuntu0.1\n libklibc 2.0.13-4ubuntu0.1\n\nIn general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Moderate: rsync security and enhancement update\nAdvisory ID: RHSA-2022:7793-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://access.redhat.com/errata/RHSA-2022:7793\nIssue date: 2022-11-08\nCVE Names: CVE-2022-37434\n====================================================================\n1. Summary:\n\nAn update for rsync is now available for Red Hat Enterprise Linux 8. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64\n\n3. Description:\n\nThe rsync utility enables the users to copy and synchronize files locally\nor across a network. Synchronization with rsync is fast because rsync only\nsends the differences in files over the network instead of sending whole\nfiles. The rsync utility is also used as a mirroring tool. \n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 8.7 Release Notes linked from the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n2043753 - [RFE] Improve defaults for sparse file buffering. Package List:\n\nRed Hat Enterprise Linux BaseOS (v. 8):\n\nSource:\nrsync-3.1.3-19.el8.src.rpm\n\naarch64:\nrsync-3.1.3-19.el8.aarch64.rpm\nrsync-debuginfo-3.1.3-19.el8.aarch64.rpm\nrsync-debugsource-3.1.3-19.el8.aarch64.rpm\n\nnoarch:\nrsync-daemon-3.1.3-19.el8.noarch.rpm\n\nppc64le:\nrsync-3.1.3-19.el8.ppc64le.rpm\nrsync-debuginfo-3.1.3-19.el8.ppc64le.rpm\nrsync-debugsource-3.1.3-19.el8.ppc64le.rpm\n\ns390x:\nrsync-3.1.3-19.el8.s390x.rpm\nrsync-debuginfo-3.1.3-19.el8.s390x.rpm\nrsync-debugsource-3.1.3-19.el8.s390x.rpm\n\nx86_64:\nrsync-3.1.3-19.el8.x86_64.rpm\nrsync-debuginfo-3.1.3-19.el8.x86_64.rpm\nrsync-debugsource-3.1.3-19.el8.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2022-37434\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.7_release_notes/index\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2022 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBY2pSJ9zjgjWX9erEAQhctA/+LG9CKJG+ronMeYqaYry5AZbiLDWwxSoI\nN2WXEREzS8K0QNNPXpDVUGvaPcH45veL2eSxboIyarv9HzYrgB9QmEMB6TlLQdah\nT0bign9+51kyZXzP+QNxO09pv5ps0AUTZADy67pw2YCz3/NFVLKxAY35BoyBS7po\neqvWSQXYrNjFzDrDfPL8hpPBQN+l6fZ4d3loF9aq06DNC/LYIDJ68JJLTkiwehjV\nad/MqywMu26entrvK/CO1veaQkWi64WeKQSC8lCf97HONvgQKk75xJ20Z6p/RNou\n82WQd2pKa9m6NwZPgIA6H+/S2yNGZnDLHitWzT5V7OfPpoOrh1sQnReuhT0F8bXh\nvsoGCyj+aVO/J4o/CdxWIcGxjd6SPx5wnmQPUdRNgbL/tBIxUIHjLj2CDrHgIH8S\nYikOcfquQ6os9OPdVS6P2KIIZJngmwCrxoJgk6fIgSSh+KcVhvjtLsqV6juGpuPw\nJp0PK86R11LwjvCIHHUZbvTTIa4zpsQw+PQyIIv0N3qxnji5iog90zAm4MmTvjnA\nOJJu8CX1ayVzSc4Vh5wzDVaJG5wneHvVKmEa39OF+RGOB8vx5Dvn3dLFZNdK5Uko\nqINCliFhY2+nAj0wkUyhi8a2Ycsllerh4U5suqigGtzQXU6+hF9le2qymERCmkaT\nVzceG5KCVt4=u5mb\n-----END PGP SIGNATURE-----\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n. Solution:\n\nBefore applying this update, ensure all previously released errata relevant\nto your system have been applied. \n\nFollow the instructions linked in the References section to create service\nbinding connections between applications and services using the Developer\nperspective in the OpenShift Container Platform web console. Bugs fixed (https://bugzilla.redhat.com/):\n\n2134010 - CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags\n\n5. JIRA issues fixed (https://issues.jboss.org/):\n\nAPPSVC-1220 - Fix CVE-2022-32149\n\n6. Description:\n\nOpenShift API for Data Protection (OADP) enables you to back up and restore\napplication resources, persistent volume data, and internal container\nimages to external backup storage. OADP enables both file system-based and\nsnapshot-based backups for persistent volumes. Bugs fixed (https://bugzilla.redhat.com/):\n\n2064702 - CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server\n2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob\n2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode\n2124668 - CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances\n2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY\n\n5. JIRA issues fixed (https://issues.jboss.org/):\n\nOADP-1002 - DataMover: Backup partially fails for a namespace without PVC\nOADP-1016 - DataMover: Restore randomly fails with \"secrets vsr-lttsv-secret already exists\" error\nOADP-1020 - DataMover: restore partiallyFailed with \"Plugin Panicked\" error\nOADP-1027 - DataMover: VSB fails with error \"cannot obtain source volumesnapshot\"\nOADP-608 - Data mover restic secret does not support GCP\nOADP-609 - Data mover VSR validation for default volumesnapshotclass and storageclass\nOADP-611 - Data mover VSR resources are sometimes created multiple times with multiple PVCs\nOADP-612 - Data mover Backup \u0026 Restore needs to fail if a validation check fails\nOADP-642 - OADP CRD descriptions should use the same capitalization as yaml fields\nOADP-645 - Data mover performance on restore blocks restore process\nOADP-662 - VSB/VSR needs to fail if backup/restore partially fails or fails\nOADP-724 - Setting an excludedNamespace and includedNamespace in the same backup crashes velero\nOADP-725 - DC Restic Post Restore Script handle restore name longer than 63 characters\nOADP-731 - Backup partiallyFails with data mover if a stale snapshot is encountered\nOADP-741 - Data Mover VSB/VSR CRs do not include status on error\nOADP-774 - OADP must-gather is getting stuck\nOADP-794 - Second restore of CSI volume fails due to dataSource doesn\u0027t match dataSourceRef\nOADP-825 - CSI Volumesnapshot Deletion fails with nil pointer execption bug\nOADP-849 - DataMover: restore PartiallyFails randomly with \"ReplicationDestination.volsync.backube xxxx not found\" error\nOADP-927 - DataMover backup fails with nil pointer issue\n\n6. Description:\n\nOpenShift Virtualization is Red Hat\u0027s virtualization solution designed for\nRed Hat OpenShift Container Platform. \n\nBug Fix(es):\n\n* Cloning a Block DV to VM with Filesystem with not big enough size comes\nto endless loop - using pvc api (BZ#2033191)\n\n* Restart of VM Pod causes SSH keys to be regenerated within VM\n(BZ#2087177)\n\n* Import gzipped raw file causes image to be downloaded and uncompressed to\nTMPDIR (BZ#2089391)\n\n* [4.11] VM Snapshot Restore hangs indefinitely when backed by a\nsnapshotclass (BZ#2098225)\n\n* Fedora version in DataImportCrons is not \u0027latest\u0027 (BZ#2102694)\n\n* [4.11] Cloned VM\u0027s snapshot restore fails if the source VM disk is\ndeleted (BZ#2109407)\n\n* CNV introduces a compliance check fail in \"ocp4-moderate\" profile -\nroutes-protected-by-tls (BZ#2110562)\n\n* Nightly build: v4.11.0-578: index format was changed in 4.11 to\nfile-based instead of sqlite-based (BZ#2112643)\n\n* Unable to start windows VMs on PSI setups (BZ#2115371)\n\n* [4.11.1]virt-launcher cannot be started on OCP 4.12 due to PodSecurity\nrestricted:v1.24 (BZ#2128997)\n\n* Mark Windows 11 as TechPreview (BZ#2129013)\n\n* 4.11.1 rpms (BZ#2139453)\n\nThis advisory contains the following OpenShift Virtualization 4.11.1\nimages. \n\nRHEL-8-CNV-4.11\n\nvirt-cdi-operator-container-v4.11.1-5\nvirt-cdi-uploadserver-container-v4.11.1-5\nvirt-cdi-apiserver-container-v4.11.1-5\nvirt-cdi-importer-container-v4.11.1-5\nvirt-cdi-controller-container-v4.11.1-5\nvirt-cdi-cloner-container-v4.11.1-5\nvirt-cdi-uploadproxy-container-v4.11.1-5\ncheckup-framework-container-v4.11.1-3\nkubevirt-tekton-tasks-wait-for-vmi-status-container-v4.11.1-7\nkubevirt-tekton-tasks-create-datavolume-container-v4.11.1-7\nkubevirt-template-validator-container-v4.11.1-4\nvirt-handler-container-v4.11.1-5\nhostpath-provisioner-operator-container-v4.11.1-4\nvirt-api-container-v4.11.1-5\nvm-network-latency-checkup-container-v4.11.1-3\ncluster-network-addons-operator-container-v4.11.1-5\nvirtio-win-container-v4.11.1-4\nvirt-launcher-container-v4.11.1-5\novs-cni-marker-container-v4.11.1-5\nhyperconverged-cluster-webhook-container-v4.11.1-7\nvirt-controller-container-v4.11.1-5\nvirt-artifacts-server-container-v4.11.1-5\nkubevirt-tekton-tasks-modify-vm-template-container-v4.11.1-7\nkubevirt-tekton-tasks-disk-virt-customize-container-v4.11.1-7\nlibguestfs-tools-container-v4.11.1-5\nhostpath-provisioner-container-v4.11.1-4\nkubevirt-tekton-tasks-disk-virt-sysprep-container-v4.11.1-7\nkubevirt-tekton-tasks-copy-template-container-v4.11.1-7\ncnv-containernetworking-plugins-container-v4.11.1-5\nbridge-marker-container-v4.11.1-5\nvirt-operator-container-v4.11.1-5\nhostpath-csi-driver-container-v4.11.1-4\nkubevirt-tekton-tasks-create-vm-from-template-container-v4.11.1-7\nkubemacpool-container-v4.11.1-5\nhyperconverged-cluster-operator-container-v4.11.1-7\nkubevirt-ssp-operator-container-v4.11.1-4\novs-cni-plugin-container-v4.11.1-5\nkubevirt-tekton-tasks-cleanup-vm-container-v4.11.1-7\nkubevirt-tekton-tasks-operator-container-v4.11.1-2\ncnv-must-gather-container-v4.11.1-8\nkubevirt-console-plugin-container-v4.11.1-9\nhco-bundle-registry-container-v4.11.1-49\n\n3. Bugs fixed (https://bugzilla.redhat.com/):\n\n2033191 - Cloning a Block DV to VM with Filesystem with not big enough size comes to endless loop - using pvc api\n2064857 - CVE-2022-24921 golang: regexp: stack exhaustion via a deeply nested expression\n2070772 - When specifying pciAddress for several SR-IOV NIC they are not correctly propagated to libvirt XML\n2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode\n2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar\n2087177 - Restart of VM Pod causes SSH keys to be regenerated within VM\n2089391 - Import gzipped raw file causes image to be downloaded and uncompressed to TMPDIR\n2091856 - ?Edit BootSource? action should have more explicit information when disabled\n2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add\n2098225 - [4.11] VM Snapshot Restore hangs indefinitely when backed by a snapshotclass\n2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS\n2102694 - Fedora version in DataImportCrons is not \u0027latest\u0027\n2109407 - [4.11] Cloned VM\u0027s snapshot restore fails if the source VM disk is deleted\n2110562 - CNV introduces a compliance check fail in \"ocp4-moderate\" profile - routes-protected-by-tls\n2112643 - Nightly build: v4.11.0-578: index format was changed in 4.11 to file-based instead of sqlite-based\n2115371 - Unable to start windows VMs on PSI setups\n2119613 - GiB changes to B in Template\u0027s Edit boot source reference modal\n2128554 - The storageclass of VM disk is different from quick created and customize created after changed the default storageclass\n2128872 - [4.11]Can\u0027t restore cloned VM\n2128997 - [4.11.1]virt-launcher cannot be started on OCP 4.12 due to PodSecurity restricted:v1.24\n2129013 - Mark Windows 11 as TechPreview\n2129235 - [RFE] Add \"Copy SSH command\" to VM action list\n2134668 - Cannot edit ssh even vm is stopped\n2139453 - 4.11.1 rpms\n\n5. This software, such as Apache HTTP Server, is\ncommon to multiple JBoss middleware products, and is packaged under Red Hat\nJBoss Core Services to allow for faster distribution of updates, and for a\nmore consistent update experience. Bugs fixed (https://bugzilla.redhat.com/):\n\n2064319 - CVE-2022-23943 httpd: mod_sed: Read/write beyond bounds\n2064320 - CVE-2022-22721 httpd: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody\n2081494 - CVE-2022-1292 openssl: c_rehash script allows command injection\n2094997 - CVE-2022-26377 httpd: mod_proxy_ajp: Possible request smuggling\n2095000 - CVE-2022-28330 httpd: mod_isapi: out-of-bounds read\n2095002 - CVE-2022-28614 httpd: Out-of-bounds read via ap_rwrite()\n2095006 - CVE-2022-28615 httpd: Out-of-bounds read in ap_strcmp_match()\n2095015 - CVE-2022-30522 httpd: mod_sed: DoS vulnerability\n2095020 - CVE-2022-31813 httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism\n2097310 - CVE-2022-2068 openssl: the c_rehash script allows command injection\n2099300 - CVE-2022-32206 curl: HTTP compression denial of service\n2099305 - CVE-2022-32207 curl: Unpreserved file permissions\n2099306 - CVE-2022-32208 curl: FTP-KRB bad message verification\n2116639 - CVE-2022-37434 zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field\n2120718 - CVE-2022-35252 curl: control code in cookie denial of service\n2130769 - CVE-2022-40674 expat: a use-after-free in the doContent function in xmlparse.c\n2135411 - CVE-2022-32221 curl: POST following PUT confusion\n2135413 - CVE-2022-42915 curl: HTTP proxy double-free\n2135416 - CVE-2022-42916 curl: HSTS bypass via IDN\n2136266 - CVE-2022-40303 libxml2: integer overflows with XML_PARSE_HUGE\n2136288 - CVE-2022-40304 libxml2: dict corruption caused by entity reference cycles\n\n5",
"sources": [
{
"db": "NVD",
"id": "CVE-2022-37434"
},
{
"db": "VULHUB",
"id": "VHN-428208"
},
{
"db": "PACKETSTORM",
"id": "170206"
},
{
"db": "PACKETSTORM",
"id": "169920"
},
{
"db": "PACKETSTORM",
"id": "178769"
},
{
"db": "PACKETSTORM",
"id": "169783"
},
{
"db": "PACKETSTORM",
"id": "169726"
},
{
"db": "PACKETSTORM",
"id": "169804"
},
{
"db": "PACKETSTORM",
"id": "170027"
},
{
"db": "PACKETSTORM",
"id": "170083"
},
{
"db": "PACKETSTORM",
"id": "170165"
}
],
"trust": 1.8
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-428208",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-428208"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2022-37434",
"trust": 2.6
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2022/08/05/2",
"trust": 1.7
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2022/08/09/1",
"trust": 1.7
},
{
"db": "PACKETSTORM",
"id": "170027",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "169726",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "169783",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "169707",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "169503",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "169624",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "168107",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "169906",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "168113",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "168765",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "169595",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2022.4108",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.6290",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.6178",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2023.4082",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.6434",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.5461",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.4243",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.5782",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.5304.2",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2023.0089",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.5544",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2023.3839",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.5593",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.4523",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2023.3143",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.6333",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.5137",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.4301",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.4139",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2023.1423",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.4133",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202208-2276",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "171271",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "169566",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "169557",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "169577",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-428208",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "170206",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "169920",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "178769",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "169804",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "170083",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "170165",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-428208"
},
{
"db": "PACKETSTORM",
"id": "170206"
},
{
"db": "PACKETSTORM",
"id": "169920"
},
{
"db": "PACKETSTORM",
"id": "178769"
},
{
"db": "PACKETSTORM",
"id": "169783"
},
{
"db": "PACKETSTORM",
"id": "169726"
},
{
"db": "PACKETSTORM",
"id": "169804"
},
{
"db": "PACKETSTORM",
"id": "170027"
},
{
"db": "PACKETSTORM",
"id": "170083"
},
{
"db": "PACKETSTORM",
"id": "170165"
},
{
"db": "CNNVD",
"id": "CNNVD-202208-2276"
},
{
"db": "NVD",
"id": "CVE-2022-37434"
}
]
},
"id": "VAR-202208-0404",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-428208"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-29T22:06:35.987000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "zlib Buffer error vulnerability fix",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=203980"
}
],
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202208-2276"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-787",
"trust": 1.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-428208"
},
{
"db": "NVD",
"id": "CVE-2022-37434"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.7,
"url": "http://seclists.org/fulldisclosure/2022/oct/37"
},
{
"trust": 1.7,
"url": "http://seclists.org/fulldisclosure/2022/oct/38"
},
{
"trust": 1.7,
"url": "http://seclists.org/fulldisclosure/2022/oct/41"
},
{
"trust": 1.7,
"url": "http://seclists.org/fulldisclosure/2022/oct/42"
},
{
"trust": 1.7,
"url": "https://www.debian.org/security/2022/dsa-5218"
},
{
"trust": 1.7,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/pavpqncg3xrlclnsqrm3kan5zfmvxvty/"
},
{
"trust": 1.7,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/nmboj77a7t7pqcarmduk75te6llesz3o/"
},
{
"trust": 1.7,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/yrqai7h4m4rqz2iwzueexecbe5d56bh2/"
},
{
"trust": 1.7,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/x5u7otkzshy2i3zfjsr2shfhw72rkgdk/"
},
{
"trust": 1.7,
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/jwn4ve3jqr4o2sous5txnlanrpmhwv4i/"
},
{
"trust": 1.7,
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html"
},
{
"trust": 1.7,
"url": "http://www.openwall.com/lists/oss-security/2022/08/05/2"
},
{
"trust": 1.7,
"url": "http://www.openwall.com/lists/oss-security/2022/08/09/1"
},
{
"trust": 1.7,
"url": "https://github.com/curl/curl/issues/9271"
},
{
"trust": 1.7,
"url": "https://github.com/ivd38/zlib_overflow"
},
{
"trust": 1.7,
"url": "https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#l1062-l1063"
},
{
"trust": 1.7,
"url": "https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1"
},
{
"trust": 1.7,
"url": "https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#l762-l764"
},
{
"trust": 1.7,
"url": "https://security.netapp.com/advisory/ntap-20220901-0005/"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht213488"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht213489"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht213490"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht213491"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht213493"
},
{
"trust": 1.7,
"url": "https://support.apple.com/kb/ht213494"
},
{
"trust": 1.6,
"url": "https://security.netapp.com/advisory/ntap-20230427-0007/"
},
{
"trust": 1.4,
"url": "https://access.redhat.com/security/cve/cve-2022-37434"
},
{
"trust": 0.8,
"url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.8,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/cve/cve-2022-2509"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-35527"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/cve/cve-2022-3515"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-35525"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/cve/cve-2020-35525"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/cve/cve-2020-35527"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.6,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/yrqai7h4m4rqz2iwzueexecbe5d56bh2/"
},
{
"trust": 0.6,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/x5u7otkzshy2i3zfjsr2shfhw72rkgdk/"
},
{
"trust": 0.6,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/nmboj77a7t7pqcarmduk75te6llesz3o/"
},
{
"trust": 0.6,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/jwn4ve3jqr4o2sous5txnlanrpmhwv4i/"
},
{
"trust": 0.6,
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/pavpqncg3xrlclnsqrm3kan5zfmvxvty/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.4108"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/zlib-buffer-overflow-via-inflategetheader-39003"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/168113/ubuntu-security-notice-usn-5573-1.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2023.3143"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/169707/red-hat-security-advisory-2022-7314-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2023.1423"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/cveshow/cve-2022-37434/"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/170027/red-hat-security-advisory-2022-8634-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.6290"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2023.3839"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.5461"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.6178"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/169783/red-hat-security-advisory-2022-7793-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.5782"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.6434"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.4133"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.5544"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.6333"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.4139"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/169624/gentoo-linux-security-advisory-202210-42.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2023.4082"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.5304.2"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/169503/red-hat-security-advisory-2022-7106-01.html"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/169726/red-hat-security-advisory-2022-7407-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2023.0089"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/168765/ubuntu-security-notice-usn-5570-2.html"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/169906/red-hat-security-advisory-2022-8291-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.5593"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/168107/ubuntu-security-notice-usn-5570-1.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.4243"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.4301"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.5137"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.4523"
},
{
"trust": 0.6,
"url": "https://support.apple.com/en-us/ht213490"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/169595/apple-security-advisory-2022-10-27-12.html"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/cve/cve-2022-40674"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-2509"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-37434"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2016-3709"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2022-30293"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2022-1304"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2022-26700"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2022-26719"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2022-22624"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2022-26709"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-1304"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2022-26717"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2022-22629"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2022-22662"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-3709"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2022-26710"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2022-22628"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2022-26716"
},
{
"trust": 0.3,
"url": "https://issues.jboss.org/):"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2022-32149"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-21626"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-21619"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-27404"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22624"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-21628"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-21618"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-21618"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-21628"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-39399"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-21624"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22629"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22628"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-27405"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22662"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-27406"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-21626"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-21624"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-21619"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-27191"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-3515"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-34903"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-2068"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-32208"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-1292"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-32206"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2022-1292"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/openshift_container_platform/4.11/html/serverless/index"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/updates/classification/#low"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:8938"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-43565"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-43565"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-26716"
},
{
"trust": 0.1,
"url": "https://docs.openshift.com/container-platform/4.10/logging/cluster-logging-release-notes.html"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-42004"
},
{
"trust": 0.1,
"url": "https://docs.openshift.com/container-platform/4.10/logging/cluster-logging-upgrading.html"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:7435"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-36518"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-42003"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-36518"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-26710"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-26709"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-26700"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-25032"
},
{
"trust": 0.1,
"url": "https://ubuntu.com/security/notices/usn-6736-2"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-9840"
},
{
"trust": 0.1,
"url": "https://launchpad.net/ubuntu/+source/klibc/2.0.13-4ubuntu0.1"
},
{
"trust": 0.1,
"url": "https://ubuntu.com/security/notices/usn-6736-1"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:7793"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.7_release_notes/index"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/articles/11258."
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-32149"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:7407"
},
{
"trust": 0.1,
"url": "https://docs.openshift.com/container-platform/latest/applications/connecting_applications_to_services/odc-connecting-an-application-to-a-service-using-the-developer-perspective.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-2588"
},
{
"trust": 0.1,
"url": "https://docs.openshift.com/container-platform/4.9/logging/cluster-logging-release-notes.html"
},
{
"trust": 0.1,
"url": "https://docs.openshift.com/container-platform/4.9/logging/cluster-logging-upgrading.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-0494"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-0494"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-23816"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:6882"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-23825"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-1353"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-1353"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-23816"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-29900"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-23825"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-29900"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-29901"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2588"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-27191"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-30632"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-34903"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-27664"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-30635"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-30632"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-32190"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-32190"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:8634"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-27664"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-30635"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-40674"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-0308"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-1927"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-1586"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-29154"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-38177"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-0308"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-1897"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-28327"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-30629"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-25309"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-30698"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-1785"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-30699"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-24921"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-0256"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-1785"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-20107"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-38561"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-2097"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-0256"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-25310"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2015-20107"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-0391"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-1586"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-24675"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-24795"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-1897"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:8750"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-38178"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-25308"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-38561"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-0934"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-0391"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-0934"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-28614"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-23943"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-32207"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-22721"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-26377"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2022:8841"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-30522"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-40303"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-31813"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-32207"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-42915"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-28615"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-42916"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-32206"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-22721"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-35252"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-31813"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-32208"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-28614"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-28330"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-28615"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-2068"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-28330"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-26377"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-40304"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-32221"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-23943"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-30522"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2022-32221"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-428208"
},
{
"db": "PACKETSTORM",
"id": "170206"
},
{
"db": "PACKETSTORM",
"id": "169920"
},
{
"db": "PACKETSTORM",
"id": "178769"
},
{
"db": "PACKETSTORM",
"id": "169783"
},
{
"db": "PACKETSTORM",
"id": "169726"
},
{
"db": "PACKETSTORM",
"id": "169804"
},
{
"db": "PACKETSTORM",
"id": "170027"
},
{
"db": "PACKETSTORM",
"id": "170083"
},
{
"db": "PACKETSTORM",
"id": "170165"
},
{
"db": "CNNVD",
"id": "CNNVD-202208-2276"
},
{
"db": "NVD",
"id": "CVE-2022-37434"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-428208"
},
{
"db": "PACKETSTORM",
"id": "170206"
},
{
"db": "PACKETSTORM",
"id": "169920"
},
{
"db": "PACKETSTORM",
"id": "178769"
},
{
"db": "PACKETSTORM",
"id": "169783"
},
{
"db": "PACKETSTORM",
"id": "169726"
},
{
"db": "PACKETSTORM",
"id": "169804"
},
{
"db": "PACKETSTORM",
"id": "170027"
},
{
"db": "PACKETSTORM",
"id": "170083"
},
{
"db": "PACKETSTORM",
"id": "170165"
},
{
"db": "CNNVD",
"id": "CNNVD-202208-2276"
},
{
"db": "NVD",
"id": "CVE-2022-37434"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-08-05T00:00:00",
"db": "VULHUB",
"id": "VHN-428208"
},
{
"date": "2022-12-13T17:13:48",
"db": "PACKETSTORM",
"id": "170206"
},
{
"date": "2022-11-17T13:23:05",
"db": "PACKETSTORM",
"id": "169920"
},
{
"date": "2024-05-23T14:19:29",
"db": "PACKETSTORM",
"id": "178769"
},
{
"date": "2022-11-08T13:51:03",
"db": "PACKETSTORM",
"id": "169783"
},
{
"date": "2022-11-04T13:43:28",
"db": "PACKETSTORM",
"id": "169726"
},
{
"date": "2022-11-09T19:52:14",
"db": "PACKETSTORM",
"id": "169804"
},
{
"date": "2022-11-28T15:42:01",
"db": "PACKETSTORM",
"id": "170027"
},
{
"date": "2022-12-02T15:57:08",
"db": "PACKETSTORM",
"id": "170083"
},
{
"date": "2022-12-08T21:28:21",
"db": "PACKETSTORM",
"id": "170165"
},
{
"date": "2022-08-05T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202208-2276"
},
{
"date": "2022-08-05T07:15:07.240000",
"db": "NVD",
"id": "CVE-2022-37434"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-01-09T00:00:00",
"db": "VULHUB",
"id": "VHN-428208"
},
{
"date": "2023-07-20T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202208-2276"
},
{
"date": "2023-07-19T00:56:46.373000",
"db": "NVD",
"id": "CVE-2022-37434"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202208-2276"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "zlib Buffer error vulnerability",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202208-2276"
}
],
"trust": 0.6
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202208-2276"
}
],
"trust": 0.6
}
}