Vulnerabilites related to redhat - single_sign-on
CVE-2022-4039 (GCVE-0-2022-4039)
Vulnerability from cvelistv5
Published
2023-09-22 14:00
Modified
2024-09-24 14:29
Severity ?
8.0 (High) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
  • CWE-276 - Incorrect Default Permissions
Summary
A flaw was found in Red Hat Single Sign-On for OpenShift container images, which are configured with an unsecured management interface enabled. This flaw allows an attacker to use this interface to deploy malicious code and access and modify potentially sensitive information in the app server configuration.
References
https://access.redhat.com/errata/RHSA-2023:1047vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2022-4039vdb-entry, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2143416issue-tracking, x_refsource_REDHAT
Impacted products
Vendor Product Version
Red Hat RHEL-8 based Middleware Containers Unaffected: 7.6-20   < *
    cpe:/a:redhat:rhosemc:1.0::el8
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T01:27:54.372Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2023:1047",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:1047"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2022-4039"
          },
          {
            "name": "RHBZ#2143416",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143416"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-4039",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-24T14:18:24.812330Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-24T14:29:55.579Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso-7/sso76-openshift-rhel8",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.6-20",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7"
          ],
          "defaultStatus": "affected",
          "packageName": "rhsso-container-image",
          "product": "Red Hat Single Sign-On 7",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "This issue was discovered by Thibault Guittet (Red Hat)."
        }
      ],
      "datePublic": "2023-02-28T21:26:00+00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Red Hat Single Sign-On for OpenShift container images, which are configured with an unsecured management interface enabled. This flaw allows an attacker to use this interface to deploy malicious code and access and modify potentially sensitive information in the app server configuration."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-276",
              "description": "Incorrect Default Permissions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-03T15:32:26.579Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2023:1047",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:1047"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2022-4039"
        },
        {
          "name": "RHBZ#2143416",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143416"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2022-11-15T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2023-02-28T21:26:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Rhsso-container-image: unsecured management interface exposed to adjecent network",
      "x_redhatCweChain": "CWE-276: Incorrect Default Permissions"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2022-4039",
    "datePublished": "2023-09-22T14:00:39.803Z",
    "dateReserved": "2022-11-16T21:32:53.153Z",
    "dateUpdated": "2024-09-24T14:29:55.579Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-10912 (GCVE-0-2018-10912)
Vulnerability from cvelistv5
Published
2018-07-23 22:00
Modified
2024-08-05 07:54
Severity ?
4.4 (Medium) - CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
CWE
Summary
keycloak before version 4.0.0.final is vulnerable to a infinite loop in session replacement. A Keycloak cluster with multiple nodes could mishandle an expired session replacement and lead to an infinite loop. A malicious authenticated user could use this flaw to achieve Denial of Service on the server.
References
https://access.redhat.com/errata/RHSA-2018:2428vendor-advisory, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10912x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2019:0877vendor-advisory, x_refsource_REDHAT
Impacted products
Vendor Product Version
[UNKNOWN] keycloak Version: Keycloak 4.0.0.Final
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T07:54:36.292Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2018:2428",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:2428"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10912"
          },
          {
            "name": "RHSA-2019:0877",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0877"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "keycloak",
          "vendor": "[UNKNOWN]",
          "versions": [
            {
              "status": "affected",
              "version": "Keycloak 4.0.0.Final"
            }
          ]
        }
      ],
      "datePublic": "2018-07-23T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "keycloak before version 4.0.0.final is vulnerable to a infinite loop in session replacement. A Keycloak cluster with multiple nodes could mishandle an expired session replacement and lead to an infinite loop. A malicious authenticated user could use this flaw to achieve Denial of Service on the server."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-835",
              "description": "CWE-835",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-04-24T21:06:04",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2018:2428",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:2428"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10912"
        },
        {
          "name": "RHSA-2019:0877",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0877"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2018-10912",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "keycloak",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Keycloak 4.0.0.Final"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "[UNKNOWN]"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "keycloak before version 4.0.0.final is vulnerable to a infinite loop in session replacement. A Keycloak cluster with multiple nodes could mishandle an expired session replacement and lead to an infinite loop. A malicious authenticated user could use this flaw to achieve Denial of Service on the server."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "4.4/CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-835"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2018:2428",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:2428"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10912",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10912"
            },
            {
              "name": "RHSA-2019:0877",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0877"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2018-10912",
    "datePublished": "2018-07-23T22:00:00",
    "dateReserved": "2018-05-09T00:00:00",
    "dateUpdated": "2024-08-05T07:54:36.292Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-3461 (GCVE-0-2021-3461)
Vulnerability from cvelistv5
Published
2022-04-01 22:17
Modified
2024-08-03 16:53
Severity ?
CWE
Summary
A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity provider and Principal Type is set to Attribute [Name].
References
https://bugzilla.redhat.com/show_bug.cgi?id=1941565x_refsource_MISC
Impacted products
Vendor Product Version
n/a keycloak Version: rh-sso7-keycloak 9.0.13
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T16:53:17.756Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1941565"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "keycloak",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "rh-sso7-keycloak 9.0.13"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity provider and Principal Type is set to Attribute [Name]."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-613",
              "description": "CWE-613",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-01T22:17:45",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1941565"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2021-3461",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "keycloak",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "rh-sso7-keycloak 9.0.13"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity provider and Principal Type is set to Attribute [Name]."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-613"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1941565",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1941565"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2021-3461",
    "datePublished": "2022-04-01T22:17:45",
    "dateReserved": "2021-03-23T00:00:00",
    "dateUpdated": "2024-08-03T16:53:17.756Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-4629 (GCVE-0-2024-4629)
Vulnerability from cvelistv5
Published
2024-09-03 19:42
Modified
2025-01-28 09:33
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE
  • CWE-837 - Improper Enforcement of a Single, Unique Action
Summary
A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.
References
https://access.redhat.com/errata/RHSA-2024:6493vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6494vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6495vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6497vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6499vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6500vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6501vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-4629vdb-entry, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2276761issue-tracking, x_refsource_REDHAT
Impacted products
Vendor Product Version
Version: 24.0.3
 Create a notification for this product.
   Red Hat Red Hat Build of Keycloak     cpe:/a:redhat:build_keycloak:22
 Create a notification for this product.
   Red Hat Red Hat build of Keycloak 22 Unaffected: 22.0.12-1   < *
    cpe:/a:redhat:build_keycloak:22::el9
 Create a notification for this product.
   Red Hat Red Hat build of Keycloak 22 Unaffected: 22-17   < *
    cpe:/a:redhat:build_keycloak:22::el9
 Create a notification for this product.
   Red Hat Red Hat build of Keycloak 22 Unaffected: 22-20   < *
    cpe:/a:redhat:build_keycloak:22::el9
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7.6
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 7 Unaffected: 0:18.0.16-1.redhat_00001.1.el7sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el7
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 8 Unaffected: 0:18.0.16-1.redhat_00001.1.el8sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el8
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 9 Unaffected: 0:18.0.16-1.redhat_00001.1.el9sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el9
 Create a notification for this product.
   Red Hat RHEL-8 based Middleware Containers Unaffected: 7.6-52   < *
    cpe:/a:redhat:rhosemc:1.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8     cpe:/a:redhat:jboss_enterprise_application_platform:8
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-4629",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-03T20:20:28.329028Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-03T20:20:42.938Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-11-14T16:59:26.284Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.humanativaspa.it/an-analysis-of-the-keycloak-authentication-system/"
          },
          {
            "url": "https://github.com/hnsecurity/vulns/blob/main/HNS-2024-09-Keycloak.md"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/keycloak/keycloak",
          "packageName": "keycloak",
          "versions": [
            {
              "status": "affected",
              "version": "24.0.3"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:22"
          ],
          "defaultStatus": "unaffected",
          "packageName": "org.keycloak-keycloak-parent",
          "product": "Red Hat Build of Keycloak",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:22::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-operator-bundle",
          "product": "Red Hat build of Keycloak 22",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "22.0.12-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:22::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 22",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "22-17",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:22::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9-operator",
          "product": "Red Hat build of Keycloak 22",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "22-20",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6"
          ],
          "defaultStatus": "unaffected",
          "packageName": "org.keycloak-keycloak-parent",
          "product": "Red Hat Single Sign-On 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.16-1.redhat_00001.1.el7sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.16-1.redhat_00001.1.el8sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.16-1.redhat_00001.1.el9sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso-7/sso76-openshift-rhel8",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.6-52",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8"
          ],
          "defaultStatus": "affected",
          "packageName": "org.keycloak-keycloak-parent",
          "product": "Red Hat JBoss Enterprise Application Platform 8",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2024-09-03T19:38:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Low"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-837",
              "description": "Improper Enforcement of a Single, Unique Action",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-28T09:33:25.316Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2024:6493",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:6493"
        },
        {
          "name": "RHSA-2024:6494",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:6494"
        },
        {
          "name": "RHSA-2024:6495",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:6495"
        },
        {
          "name": "RHSA-2024:6497",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:6497"
        },
        {
          "name": "RHSA-2024:6499",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:6499"
        },
        {
          "name": "RHSA-2024:6500",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:6500"
        },
        {
          "name": "RHSA-2024:6501",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:6501"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2024-4629"
        },
        {
          "name": "RHBZ#2276761",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2276761"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-04-23T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2024-09-03T19:38:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Keycloak: potential bypass of brute force protection",
      "workarounds": [
        {
          "lang": "en",
          "value": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
        }
      ],
      "x_redhatCweChain": "CWE-837: Improper Enforcement of a Single, Unique Action"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2024-4629",
    "datePublished": "2024-09-03T19:42:01.318Z",
    "dateReserved": "2024-05-07T20:47:03.184Z",
    "dateUpdated": "2025-01-28T09:33:25.316Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-10894 (GCVE-0-2018-10894)
Vulnerability from cvelistv5
Published
2018-08-01 17:00
Modified
2024-08-05 07:54
Severity ?
5.4 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CWE
Summary
It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further attacks.
References
https://access.redhat.com/errata/RHSA-2018:3592vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:3593vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:3595vendor-advisory, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10894x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2019:0877vendor-advisory, x_refsource_REDHAT
Impacted products
Vendor Product Version
Red Hat keycloak Version: 3.4.3.Final
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T07:54:34.911Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2018:3592",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:3592"
          },
          {
            "name": "RHSA-2018:3593",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:3593"
          },
          {
            "name": "RHSA-2018:3595",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:3595"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10894"
          },
          {
            "name": "RHSA-2019:0877",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0877"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "keycloak",
          "vendor": "Red Hat",
          "versions": [
            {
              "status": "affected",
              "version": "3.4.3.Final"
            }
          ]
        }
      ],
      "datePublic": "2018-07-09T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further attacks."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-345",
              "description": "CWE-345",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-04-24T21:06:04",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2018:3592",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:3592"
        },
        {
          "name": "RHSA-2018:3593",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:3593"
        },
        {
          "name": "RHSA-2018:3595",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:3595"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10894"
        },
        {
          "name": "RHSA-2019:0877",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0877"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2018-10894",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "keycloak",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "3.4.3.Final"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Red Hat"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further attacks."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "5.4/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-345"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2018:3592",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:3592"
            },
            {
              "name": "RHSA-2018:3593",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:3593"
            },
            {
              "name": "RHSA-2018:3595",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:3595"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10894",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10894"
            },
            {
              "name": "RHSA-2019:0877",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0877"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2018-10894",
    "datePublished": "2018-08-01T17:00:00",
    "dateReserved": "2018-05-09T00:00:00",
    "dateUpdated": "2024-08-05T07:54:34.911Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-10758 (GCVE-0-2020-10758)
Vulnerability from cvelistv5
Published
2020-09-16 15:05
Modified
2024-08-04 11:14
Severity ?
CWE
  • Denial of service
Summary
A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body.
References
https://bugzilla.redhat.com/show_bug.cgi?id=1843849x_refsource_MISC
https://github.com/keycloak/keycloak/commit/bee4ca89897766c4b68856eafe14f1a3dad34251x_refsource_MISC
Impacted products
Vendor Product Version
n/a Keycloak Version: Keycloak before 11.0.1
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:14:15.436Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1843849"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/keycloak/keycloak/commit/bee4ca89897766c4b68856eafe14f1a3dad34251"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Keycloak",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Keycloak before 11.0.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Denial of service",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-01-11T15:11:48",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1843849"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/keycloak/keycloak/commit/bee4ca89897766c4b68856eafe14f1a3dad34251"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2020-10758",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Keycloak",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Keycloak before 11.0.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Denial of service"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1843849",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1843849"
            },
            {
              "name": "https://github.com/keycloak/keycloak/commit/bee4ca89897766c4b68856eafe14f1a3dad34251",
              "refsource": "MISC",
              "url": "https://github.com/keycloak/keycloak/commit/bee4ca89897766c4b68856eafe14f1a3dad34251"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-10758",
    "datePublished": "2020-09-16T15:05:58",
    "dateReserved": "2020-03-20T00:00:00",
    "dateUpdated": "2024-08-04T11:14:15.436Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-8883 (GCVE-0-2024-8883)
Vulnerability from cvelistv5
Published
2024-09-19 15:48
Modified
2025-05-02 17:07
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE
  • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Summary
A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.
References
https://access.redhat.com/errata/RHSA-2024:10385vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:10386vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6878vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6879vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6880vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6882vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6886vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6887vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6888vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6889vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6890vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:8823vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:8824vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:8826vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-8883vdb-entry, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2312511issue-tracking, x_refsource_REDHAT
https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java
Impacted products
Vendor Product Version
Version: 0   
Version: 23.0.0   
Version: 25.0.0   
Create a notification for this product.
   Red Hat Red Hat Build of Keycloak     cpe:/a:redhat:build_keycloak:22
 Create a notification for this product.
   Red Hat Red Hat Build of Keycloak     cpe:/a:redhat:build_keycloak:24
 Create a notification for this product.
   Red Hat Red Hat build of Keycloak 22 Unaffected: 22.0.13-1   < *
    cpe:/a:redhat:build_keycloak:22::el9
 Create a notification for this product.
   Red Hat Red Hat build of Keycloak 22 Unaffected: 22-18   < *
    cpe:/a:redhat:build_keycloak:22::el9
 Create a notification for this product.
   Red Hat Red Hat build of Keycloak 22 Unaffected: 22-21   < *
    cpe:/a:redhat:build_keycloak:22::el9
 Create a notification for this product.
   Red Hat Red Hat build of Keycloak 24 Unaffected: 24.0.8-1   < *
    cpe:/a:redhat:build_keycloak:24::el9
 Create a notification for this product.
   Red Hat Red Hat build of Keycloak 24 Unaffected: 24-17   < *
    cpe:/a:redhat:build_keycloak:24::el9
 Create a notification for this product.
   Red Hat Red Hat build of Keycloak 24 Unaffected: 24-17   < *
    cpe:/a:redhat:build_keycloak:24::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8     cpe:/a:redhat:jboss_enterprise_application_platform:8.0
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8     cpe:/a:redhat:jboss_enterprise_application_platform:8.0
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:800.4.1-1.GA_redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:8.0.4-3.GA_redhat_00007.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:2.33.0-1.redhat_00015.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 1:2.0.0-2.redhat_00005.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:1.8.0-2.redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:2.2.0-2.redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:1.16.1-2.redhat_00007.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:3.2.2-28.redhat_2.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:2.15.1-1.redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:3.14.0-2.redhat_00006.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:4.0.5-1.redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 1:2.0.0-2.redhat_00005.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:2.0.1-1.redhat_00002.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:0.1.0-2.redhat_00010.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:1.12.284-2.redhat_00002.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:1.2.5-2.redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:800.4.0-1.GA_redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:2.1.0-4.redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:6.2.31-1.Final_redhat_00002.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:8.0.1-3.Final_redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:0.8.1-2.redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:1.1.3-1.redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:3.0.1-1.redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:1.1.3-1.redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:3.5.3-1.Final_redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:4.0.2-1.redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:5.3.10-1.Final_redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:2.22.1-1.redhat_00002.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:6.0.3-1.Final_redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:9.37.3-1.redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:9.6.0-1.redhat_00002.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:2.3.0-1.redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:2.0.1-3.Final_redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:3.0.1-2.Final_redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:3.0.4-1.redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:8.0.0-6.redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:2.0.16-1.redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:2.2.0-1.redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:8.0.4-2.GA_redhat_00005.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:800.4.1-1.GA_redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:8.0.4-3.GA_redhat_00007.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:2.33.0-1.redhat_00015.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 1:2.0.0-2.redhat_00005.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:1.8.0-2.redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:2.2.0-2.redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:1.16.1-2.redhat_00007.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:3.2.2-28.redhat_2.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:2.15.1-1.redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:3.14.0-2.redhat_00006.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:4.0.5-1.redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 1:2.0.0-2.redhat_00005.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:2.0.1-1.redhat_00002.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:0.1.0-2.redhat_00010.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:1.12.284-2.redhat_00002.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:1.2.5-2.redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:800.4.0-1.GA_redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:2.1.0-4.redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:6.2.31-1.Final_redhat_00002.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:8.0.1-3.Final_redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:0.8.1-2.redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:1.1.3-1.redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:3.0.1-1.redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:1.1.3-1.redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:3.5.3-1.Final_redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:4.0.2-1.redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:5.3.10-1.Final_redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:2.22.1-1.redhat_00002.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:6.0.3-1.Final_redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:9.37.3-1.redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:9.6.0-1.redhat_00002.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:2.3.0-1.redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:2.0.1-3.Final_redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:3.0.1-2.Final_redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:3.0.4-1.redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:8.0.0-6.redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:2.0.16-1.redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:2.2.0-1.redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:8.0.4-2.GA_redhat_00005.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7.6
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 7 Unaffected: 0:18.0.18-1.redhat_00001.1.el7sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el7
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 8 Unaffected: 0:18.0.18-1.redhat_00001.1.el8sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el8
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 9 Unaffected: 0:18.0.18-1.redhat_00001.1.el9sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el9
 Create a notification for this product.
   Red Hat RHEL-8 based Middleware Containers Unaffected: 7.6-54   < *
    cpe:/a:redhat:rhosemc:1.0::el8
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-8883",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-19T17:28:37.383842Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-19T17:56:50.064Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/keycloak/keycloak",
          "defaultStatus": "unaffected",
          "packageName": "keycloak-services",
          "versions": [
            {
              "lessThan": "22.0.12",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "24.0.7",
              "status": "affected",
              "version": "23.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "25.0.5",
              "status": "affected",
              "version": "25.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:22"
          ],
          "defaultStatus": "unaffected",
          "packageName": "org.keycloak/keycloak-services",
          "product": "Red Hat Build of Keycloak",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:24"
          ],
          "defaultStatus": "unaffected",
          "packageName": "org.keycloak/keycloak-services",
          "product": "Red Hat Build of Keycloak",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:22::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-operator-bundle",
          "product": "Red Hat build of Keycloak 22",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "22.0.13-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:22::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 22",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "22-18",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:22::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9-operator",
          "product": "Red Hat build of Keycloak 22",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "22-21",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:24::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-operator-bundle",
          "product": "Red Hat build of Keycloak 24",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "24.0.8-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:24::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 24",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "24-17",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:24::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9-operator",
          "product": "Red Hat build of Keycloak 24",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "24-17",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0"
          ],
          "defaultStatus": "unaffected",
          "packageName": "org.keycloak/keycloak-services",
          "product": "Red Hat JBoss Enterprise Application Platform 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0"
          ],
          "defaultStatus": "unaffected",
          "packageName": "org.keycloak/keycloak-services",
          "product": "Red Hat JBoss Enterprise Application Platform 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8",
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-eap-product-conf-parent",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:800.4.1-1.GA_redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8",
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-wildfly",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:8.0.4-3.GA_redhat_00007.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-activemq-artemis",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.33.0-1.redhat_00015.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-activemq-artemis-native",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1:2.0.0-2.redhat_00005.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-aesh-extensions",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.8.0-2.redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-aesh-readline",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.2.0-2.redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-apache-commons-codec",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.16.1-2.redhat_00007.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-apache-commons-collections",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.2.2-28.redhat_2.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-apache-commons-io",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.15.1-1.redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-apache-commons-lang",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.14.0-2.redhat_00006.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-apache-cxf",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:4.0.5-1.redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-artemis-native",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1:2.0.0-2.redhat_00005.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-artemis-wildfly-integration",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.0.1-1.redhat_00002.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-asyncutil",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:0.1.0-2.redhat_00010.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-aws-java-sdk",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.12.284-2.redhat_00002.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-cryptacular",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.2.5-2.redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-eap-product-conf-parent",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:800.4.0-1.GA_redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-fastinfoset",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.1.0-4.redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-hibernate",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:6.2.31-1.Final_redhat_00002.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-hibernate-validator",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:8.0.1-3.Final_redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-hppc",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:0.8.1-2.redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-insights-java-client",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.1.3-1.redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-jakarta-servlet-jsp-jstl-api",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.0.1-1.redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-jboss-cert-helper",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.1.3-1.redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-jboss-logging",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.5.3-1.Final_redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-jctools",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:4.0.2-1.redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-jgroups",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:5.3.10-1.Final_redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-log4j",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.22.1-1.redhat_00002.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-narayana",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:6.0.3-1.Final_redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-nimbus-jose-jwt",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:9.37.3-1.redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-objectweb-asm",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:9.6.0-1.redhat_00002.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-pem-keystore",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.3.0-1.redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-resteasy-extensions",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.0.1-3.Final_redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-resteasy-spring",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.0.1-2.Final_redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-saaj-impl",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.0.4-1.redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-shibboleth-java-support",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:8.0.0-6.redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-slf4j",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.0.16-1.redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-snakeyaml",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.2.0-1.redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-wildfly",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:8.0.4-2.GA_redhat_00005.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8",
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-eap-product-conf-parent",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:800.4.1-1.GA_redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8",
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-wildfly",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:8.0.4-3.GA_redhat_00007.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-activemq-artemis",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.33.0-1.redhat_00015.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-activemq-artemis-native",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1:2.0.0-2.redhat_00005.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-aesh-extensions",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.8.0-2.redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-aesh-readline",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.2.0-2.redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-apache-commons-codec",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.16.1-2.redhat_00007.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-apache-commons-collections",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.2.2-28.redhat_2.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-apache-commons-io",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.15.1-1.redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-apache-commons-lang",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.14.0-2.redhat_00006.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-apache-cxf",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:4.0.5-1.redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-artemis-native",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1:2.0.0-2.redhat_00005.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-artemis-wildfly-integration",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.0.1-1.redhat_00002.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-asyncutil",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:0.1.0-2.redhat_00010.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-aws-java-sdk",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.12.284-2.redhat_00002.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-cryptacular",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.2.5-2.redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-eap-product-conf-parent",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:800.4.0-1.GA_redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-fastinfoset",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.1.0-4.redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-hibernate",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:6.2.31-1.Final_redhat_00002.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-hibernate-validator",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:8.0.1-3.Final_redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-hppc",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:0.8.1-2.redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-insights-java-client",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.1.3-1.redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-jakarta-servlet-jsp-jstl-api",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.0.1-1.redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-jboss-cert-helper",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.1.3-1.redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-jboss-logging",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.5.3-1.Final_redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-jctools",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:4.0.2-1.redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-jgroups",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:5.3.10-1.Final_redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-log4j",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.22.1-1.redhat_00002.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-narayana",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:6.0.3-1.Final_redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-nimbus-jose-jwt",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:9.37.3-1.redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-objectweb-asm",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:9.6.0-1.redhat_00002.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-pem-keystore",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.3.0-1.redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-resteasy-extensions",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.0.1-3.Final_redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-resteasy-spring",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.0.1-2.Final_redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-saaj-impl",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.0.4-1.redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-shibboleth-java-support",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:8.0.0-6.redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-slf4j",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.0.16-1.redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-snakeyaml",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.2.0-1.redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-wildfly",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:8.0.4-2.GA_redhat_00005.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6"
          ],
          "defaultStatus": "unaffected",
          "packageName": "org.keycloak/keycloak-services",
          "product": "Red Hat Single Sign-On 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.18-1.redhat_00001.1.el7sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.18-1.redhat_00001.1.el8sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.18-1.redhat_00001.1.el9sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso-7/sso76-openshift-rhel8",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.6-54",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Karsten Meyer zu Selhausen and Niklas Conrad for reporting this issue."
        }
      ],
      "datePublic": "2024-09-19T15:13:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a \u0027Valid Redirect URI\u0027 is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-02T17:07:25.650Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2024:10385",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:10385"
        },
        {
          "name": "RHSA-2024:10386",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:10386"
        },
        {
          "name": "RHSA-2024:6878",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:6878"
        },
        {
          "name": "RHSA-2024:6879",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:6879"
        },
        {
          "name": "RHSA-2024:6880",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:6880"
        },
        {
          "name": "RHSA-2024:6882",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:6882"
        },
        {
          "name": "RHSA-2024:6886",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:6886"
        },
        {
          "name": "RHSA-2024:6887",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:6887"
        },
        {
          "name": "RHSA-2024:6888",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:6888"
        },
        {
          "name": "RHSA-2024:6889",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:6889"
        },
        {
          "name": "RHSA-2024:6890",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:6890"
        },
        {
          "name": "RHSA-2024:8823",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:8823"
        },
        {
          "name": "RHSA-2024:8824",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:8824"
        },
        {
          "name": "RHSA-2024:8826",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:8826"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2024-8883"
        },
        {
          "name": "RHBZ#2312511",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312511"
        },
        {
          "url": "https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-09-16T06:17:01.573000+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2024-09-19T15:13:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Keycloak: vulnerable redirect uri validation results in open redirec",
      "workarounds": [
        {
          "lang": "en",
          "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
        }
      ],
      "x_redhatCweChain": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2024-8883",
    "datePublished": "2024-09-19T15:48:28.468Z",
    "dateReserved": "2024-09-16T06:45:30.550Z",
    "dateUpdated": "2025-05-02T17:07:25.650Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-1319 (GCVE-0-2022-1319)
Vulnerability from cvelistv5
Published
2022-08-31 00:00
Modified
2024-08-03 00:03
Severity ?
CWE
  • CWE-252 - - Unchecked Return Value.
Summary
A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADERS response packet instead of a CPONG.
References
https://bugzilla.redhat.com/show_bug.cgi?id=2073890
https://issues.redhat.com/browse/UNDERTOW-2060
https://github.com/undertow-io/undertow/commit/1443a1a2bbb8e32e56788109d8285db250d55c8b
https://github.com/undertow-io/undertow/commit/7c5b3ab885b5638fd3f1e8a935d5063d68aa2df3
https://access.redhat.com/security/cve/CVE-2022-1319
https://security.netapp.com/advisory/ntap-20221014-0006/
Impacted products
Vendor Product Version
n/a undertow Version: Fixed in 2.3.0.Final, 2.2.18.Final, 2.2.17.SP3, 2.2.17.SP4, 2.3.0.Alpha2
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:03:05.119Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073890"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://issues.redhat.com/browse/UNDERTOW-2060"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/undertow-io/undertow/commit/1443a1a2bbb8e32e56788109d8285db250d55c8b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/undertow-io/undertow/commit/7c5b3ab885b5638fd3f1e8a935d5063d68aa2df3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2022-1319"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20221014-0006/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "undertow",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Fixed in 2.3.0.Final, 2.2.18.Final, 2.2.17.SP3, 2.2.17.SP4, 2.3.0.Alpha2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADERS response packet instead of a CPONG."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-252",
              "description": "CWE-252 - Unchecked Return Value.",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-14T00:00:00",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073890"
        },
        {
          "url": "https://issues.redhat.com/browse/UNDERTOW-2060"
        },
        {
          "url": "https://github.com/undertow-io/undertow/commit/1443a1a2bbb8e32e56788109d8285db250d55c8b"
        },
        {
          "url": "https://github.com/undertow-io/undertow/commit/7c5b3ab885b5638fd3f1e8a935d5063d68aa2df3"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2022-1319"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20221014-0006/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2022-1319",
    "datePublished": "2022-08-31T00:00:00",
    "dateReserved": "2022-04-12T00:00:00",
    "dateUpdated": "2024-08-03T00:03:05.119Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-3916 (GCVE-0-2022-3916)
Vulnerability from cvelistv5
Published
2023-09-20 14:28
Modified
2024-08-03 01:20
Severity ?
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
CWE
Summary
A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.
References
https://access.redhat.com/errata/RHSA-2022:8961vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2022:8962vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2022:8963vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2022:8964vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2022:8965vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:1043vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:1044vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:1045vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:1047vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:1049vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2022-3916vdb-entry, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2141404issue-tracking, x_refsource_REDHAT
Impacted products
Vendor Product Version
Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7.6
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6.1     cpe:/a:redhat:red_hat_single_sign_on:7.6.1
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 7 Unaffected: 0:18.0.3-1.redhat_00002.1.el7sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el7
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 7 Unaffected: 0:18.0.6-1.redhat_00001.1.el7sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el7
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 8 Unaffected: 0:18.0.3-1.redhat_00002.1.el8sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el8
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 8 Unaffected: 0:18.0.6-1.redhat_00001.1.el8sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el8
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 9 Unaffected: 0:18.0.3-1.redhat_00002.1.el9sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el9
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 9 Unaffected: 0:18.0.6-1.redhat_00001.1.el9sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el9
 Create a notification for this product.
   Red Hat RHEL-8 based Middleware Containers Unaffected: 7.6-15   < *
    cpe:/a:redhat:rhosemc:1.0::el8
 Create a notification for this product.
   Red Hat RHEL-8 based Middleware Containers Unaffected: 7.6-20   < *
    cpe:/a:redhat:rhosemc:1.0::el8
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-3916",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-13T20:08:01.880629Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-13T20:08:13.820Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T01:20:58.791Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2022:8961",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2022:8961"
          },
          {
            "name": "RHSA-2022:8962",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2022:8962"
          },
          {
            "name": "RHSA-2022:8963",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2022:8963"
          },
          {
            "name": "RHSA-2022:8964",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2022:8964"
          },
          {
            "name": "RHSA-2022:8965",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2022:8965"
          },
          {
            "name": "RHSA-2023:1043",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:1043"
          },
          {
            "name": "RHSA-2023:1044",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:1044"
          },
          {
            "name": "RHSA-2023:1045",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:1045"
          },
          {
            "name": "RHSA-2023:1047",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:1047"
          },
          {
            "name": "RHSA-2023:1049",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:1049"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2022-3916"
          },
          {
            "name": "RHBZ#2141404",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak",
          "product": "Red Hat Single Sign-On 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6.1"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak",
          "product": "Red Hat Single Sign-On 7.6.1",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.3-1.redhat_00002.1.el7sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.6-1.redhat_00001.1.el7sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.3-1.redhat_00002.1.el8sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.6-1.redhat_00001.1.el8sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.3-1.redhat_00002.1.el9sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.6-1.redhat_00001.1.el9sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso-7/sso76-openshift-rhel8",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.6-15",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso-7/sso76-openshift-rhel8",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.6-20",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Peter Flintholm (Trifork) for reporting this issue."
        }
      ],
      "datePublic": "2022-11-09T00:00:00+00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-384",
              "description": "Session Fixation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-03T15:32:25.617Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2022:8961",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2022:8961"
        },
        {
          "name": "RHSA-2022:8962",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2022:8962"
        },
        {
          "name": "RHSA-2022:8963",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2022:8963"
        },
        {
          "name": "RHSA-2022:8964",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2022:8964"
        },
        {
          "name": "RHSA-2022:8965",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2022:8965"
        },
        {
          "name": "RHSA-2023:1043",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:1043"
        },
        {
          "name": "RHSA-2023:1044",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:1044"
        },
        {
          "name": "RHSA-2023:1045",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:1045"
        },
        {
          "name": "RHSA-2023:1047",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:1047"
        },
        {
          "name": "RHSA-2023:1049",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:1049"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2022-3916"
        },
        {
          "name": "RHBZ#2141404",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2022-11-09T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2022-11-09T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Keycloak: session takeover with oidc offline refreshtokens",
      "x_redhatCweChain": "CWE-384: Session Fixation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2022-3916",
    "datePublished": "2023-09-20T14:28:52.089Z",
    "dateReserved": "2022-11-09T16:12:41.804Z",
    "dateUpdated": "2024-08-03T01:20:58.791Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-1259 (GCVE-0-2022-1259)
Vulnerability from cvelistv5
Published
2022-08-31 00:00
Modified
2024-08-02 23:55
Severity ?
CWE
  • CWE-400 - - Uncontrolled Resource Consumption.
Summary
A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server. This flaw exists because of an incomplete fix for CVE-2021-3629.
References
https://bugzilla.redhat.com/show_bug.cgi?id=2072339
https://access.redhat.com/security/cve/CVE-2022-1259
https://security.netapp.com/advisory/ntap-20221014-0006/
Impacted products
Vendor Product Version
n/a undertow Version: Fixed in 2.3.0.Final, 2.2.17.SP1, 2.2.20.Final, 2.2.19.SP1.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:55:24.711Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072339"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2022-1259"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20221014-0006/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "undertow",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Fixed in 2.3.0.Final, 2.2.17.SP1, 2.2.20.Final, 2.2.19.SP1."
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server. This flaw exists because of an incomplete fix for CVE-2021-3629."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 - Uncontrolled Resource Consumption.",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-14T00:00:00",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072339"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2022-1259"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20221014-0006/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2022-1259",
    "datePublished": "2022-08-31T00:00:00",
    "dateReserved": "2022-04-06T00:00:00",
    "dateUpdated": "2024-08-02T23:55:24.711Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-2256 (GCVE-0-2022-2256)
Vulnerability from cvelistv5
Published
2022-09-01 19:57
Modified
2024-08-03 00:32
Severity ?
CWE
Summary
A Stored Cross-site scripting (XSS) vulnerability was found in keycloak as shipped in Red Hat Single Sign-On 7. This flaw allows a privileged attacker to execute malicious scripts in the admin console, abusing the default roles functionality.
References
https://bugzilla.redhat.com/show_bug.cgi?id=2101942x_refsource_MISC
https://github.com/keycloak/keycloak/security/advisories/GHSA-w9mf-83w3-fv49x_refsource_MISC
Impacted products
Vendor Product Version
n/a keycloak Version: keycloak as shipped in Red Hat Single Sign-On 7
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:32:09.302Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2101942"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-w9mf-83w3-fv49"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "keycloak",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "keycloak as shipped in Red Hat Single Sign-On 7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A Stored Cross-site scripting (XSS) vulnerability was found in keycloak as shipped in Red Hat Single Sign-On 7. This flaw allows a privileged attacker to execute malicious scripts in the admin console, abusing the default roles functionality."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-01T19:57:29",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2101942"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-w9mf-83w3-fv49"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2022-2256",
    "datePublished": "2022-09-01T19:57:29",
    "dateReserved": "2022-06-29T00:00:00",
    "dateUpdated": "2024-08-03T00:32:09.302Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-6291 (GCVE-0-2023-6291)
Vulnerability from cvelistv5
Published
2024-01-26 14:23
Modified
2025-04-04 19:35
Severity ?
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
CWE
  • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Summary
A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users.
References
https://access.redhat.com/errata/RHSA-2023:7854vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:7855vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:7856vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:7857vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:7858vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:7860vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:7861vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:0798vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:0799vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:0800vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:0801vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:0804vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2023-6291vdb-entry, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2251407issue-tracking, x_refsource_REDHAT
Impacted products
Vendor Product Version
Red Hat Red Hat build of Keycloak 22 Unaffected: 22.0.7-1   < *
    cpe:/a:redhat:build_keycloak:22::el9
 Create a notification for this product.
   Red Hat Red Hat build of Keycloak 22 Unaffected: 22-6   < *
    cpe:/a:redhat:build_keycloak:22::el9
 Create a notification for this product.
   Red Hat Red Hat build of Keycloak 22 Unaffected: 22-9   < *
    cpe:/a:redhat:build_keycloak:22::el9
 Create a notification for this product.
   Red Hat Red Hat build of Keycloak 22.0.7     cpe:/a:redhat:build_keycloak:22
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7.6
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 7 Unaffected: 0:18.0.11-2.redhat_00003.1.el7sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el7
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 7 Unaffected: 0:18.0.12-1.redhat_00001.1.el7sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el7
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 8 Unaffected: 0:18.0.11-2.redhat_00003.1.el8sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el8
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 8 Unaffected: 0:18.0.12-1.redhat_00001.1.el8sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el8
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 9 Unaffected: 0:18.0.11-2.redhat_00003.1.el9sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el9
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 9 Unaffected: 0:18.0.12-1.redhat_00001.1.el9sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el9
 Create a notification for this product.
   Red Hat RHEL-8 based Middleware Containers Unaffected: 7.6-38   < *
    cpe:/a:redhat:rhosemc:1.0::el8
 Create a notification for this product.
   Red Hat RHEL-8 based Middleware Containers Unaffected: 7.6.6-2   < *
    cpe:/a:redhat:rhosemc:1.0::el8
 Create a notification for this product.
   Red Hat RHEL-8 based Middleware Containers Unaffected: 7.6-41   < *
    cpe:/a:redhat:rhosemc:1.0::el8
 Create a notification for this product.
   Red Hat Single Sign-On 7.6.6     cpe:/a:redhat:red_hat_single_sign_on:7.6.6
 Create a notification for this product.
   Red Hat Migration Toolkit for Applications 6     cpe:/a:redhat:migration_toolkit_applications:6
 Create a notification for this product.
   Red Hat Migration Toolkit for Applications 7     cpe:/a:redhat:migration_toolkit_applications:7
 Create a notification for this product.
   Red Hat OpenShift Serverless     cpe:/a:redhat:serverless:1
 Create a notification for this product.
   Red Hat Red Hat Data Grid 8     cpe:/a:redhat:jboss_data_grid:8
 Create a notification for this product.
   Red Hat Red Hat Decision Manager 7     cpe:/a:redhat:jboss_enterprise_brms_platform:7
 Create a notification for this product.
   Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
 Create a notification for this product.
   Red Hat Red Hat JBoss Data Grid 7     cpe:/a:redhat:jboss_data_grid:7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 6     cpe:/a:redhat:jboss_enterprise_application_platform:6
 Create a notification for this product.
   Red Hat Red Hat Process Automation 7     cpe:/a:redhat:jboss_enterprise_bpms_platform:7
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T08:28:21.867Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2023:7854",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:7854"
          },
          {
            "name": "RHSA-2023:7855",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:7855"
          },
          {
            "name": "RHSA-2023:7856",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:7856"
          },
          {
            "name": "RHSA-2023:7857",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:7857"
          },
          {
            "name": "RHSA-2023:7858",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:7858"
          },
          {
            "name": "RHSA-2023:7860",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:7860"
          },
          {
            "name": "RHSA-2023:7861",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:7861"
          },
          {
            "name": "RHSA-2024:0798",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0798"
          },
          {
            "name": "RHSA-2024:0799",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0799"
          },
          {
            "name": "RHSA-2024:0800",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0800"
          },
          {
            "name": "RHSA-2024:0801",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0801"
          },
          {
            "name": "RHSA-2024:0804",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0804"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2023-6291"
          },
          {
            "name": "RHBZ#2251407",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2251407"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-6291",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-13T14:56:46.143772Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-13T14:56:59.598Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:22::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-operator-bundle",
          "product": "Red Hat build of Keycloak 22",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "22.0.7-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:22::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 22",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "22-6",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:22::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9-operator",
          "product": "Red Hat build of Keycloak 22",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "22-9",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:22"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak",
          "product": "Red Hat build of Keycloak 22.0.7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak",
          "product": "Red Hat Single Sign-On 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.11-2.redhat_00003.1.el7sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.12-1.redhat_00001.1.el7sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.11-2.redhat_00003.1.el8sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.12-1.redhat_00001.1.el8sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.11-2.redhat_00003.1.el9sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.12-1.redhat_00001.1.el9sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso-7/sso76-openshift-rhel8",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.6-38",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso-7/sso7-rhel8-operator-bundle",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.6.6-2",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso-7/sso76-openshift-rhel8",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.6-41",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6.6"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak",
          "product": "Single Sign-On 7.6.6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:migration_toolkit_applications:6"
          ],
          "defaultStatus": "affected",
          "packageName": "keycloak",
          "product": "Migration Toolkit for Applications 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:migration_toolkit_applications:7"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak",
          "product": "Migration Toolkit for Applications 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:serverless:1"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak",
          "product": "OpenShift Serverless",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_data_grid:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak",
          "product": "Red Hat Data Grid 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak",
          "product": "Red Hat Decision Manager 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_fuse:7"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak",
          "product": "Red Hat Fuse 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_data_grid:7"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak",
          "product": "Red Hat JBoss Data Grid 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:6"
          ],
          "defaultStatus": "unaffected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat JBoss Enterprise Application Platform 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak",
          "product": "Red Hat Process Automation 7",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2023-12-14T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-04T19:35:31.946Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2023:7854",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:7854"
        },
        {
          "name": "RHSA-2023:7855",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:7855"
        },
        {
          "name": "RHSA-2023:7856",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:7856"
        },
        {
          "name": "RHSA-2023:7857",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:7857"
        },
        {
          "name": "RHSA-2023:7858",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:7858"
        },
        {
          "name": "RHSA-2023:7860",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:7860"
        },
        {
          "name": "RHSA-2023:7861",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:7861"
        },
        {
          "name": "RHSA-2024:0798",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0798"
        },
        {
          "name": "RHSA-2024:0799",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0799"
        },
        {
          "name": "RHSA-2024:0800",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0800"
        },
        {
          "name": "RHSA-2024:0801",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0801"
        },
        {
          "name": "RHSA-2024:0804",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0804"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2023-6291"
        },
        {
          "name": "RHBZ#2251407",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2251407"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-11-24T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2023-12-14T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Keycloak: redirect_uri validation bypass",
      "workarounds": [
        {
          "lang": "en",
          "value": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
        }
      ],
      "x_redhatCweChain": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-6291",
    "datePublished": "2024-01-26T14:23:43.185Z",
    "dateReserved": "2023-11-24T18:16:45.923Z",
    "dateUpdated": "2025-04-04T19:35:31.946Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-3873 (GCVE-0-2019-3873)
Vulnerability from cvelistv5
Published
2019-06-12 13:43
Modified
2024-08-04 19:19
Severity ?
6.4 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
CWE
Summary
It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7.2 would accept an xinclude parameter in SAMLresponse XML. An attacker could use this flaw to send a URL to achieve cross-site scripting or possibly conduct further attacks.
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3873x_refsource_CONFIRM
http://www.securityfocus.com/bid/108739vdb-entry, x_refsource_BID
Impacted products
Vendor Product Version
Red Hat picketlink Version: as shipped with Jboss Enterprise Application Server 7.2
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T19:19:18.682Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3873"
          },
          {
            "name": "108739",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/108739"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "picketlink",
          "vendor": "Red Hat",
          "versions": [
            {
              "status": "affected",
              "version": "as shipped with Jboss Enterprise Application Server 7.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7.2 would accept an xinclude parameter in SAMLresponse XML. An attacker could use this flaw to send a URL to achieve cross-site scripting or possibly conduct further attacks."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-07-06T18:06:04",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3873"
        },
        {
          "name": "108739",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/108739"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2019-3873",
    "datePublished": "2019-06-12T13:43:46",
    "dateReserved": "2019-01-03T00:00:00",
    "dateUpdated": "2024-08-04T19:19:18.682Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-1664 (GCVE-0-2023-1664)
Vulnerability from cvelistv5
Published
2023-05-26 00:00
Modified
2025-01-15 21:34
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE
Summary
A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If this happens and the KC_SPI_TRUSTSTORE_FILE_FILE variable is missing/misconfigured, any trustfile may be accepted with the logging information of "Cannot validate client certificate trust: Truststore not available". This may not impact availability as the attacker would have no access to the server, but consumer applications Integrity or Confidentiality may be impacted considering a possible access to them. Considering the environment is correctly set to use "Revalidate Client Certificate" this flaw is avoidable.
References
https://bugzilla.redhat.com/show_bug.cgi?id=2182196&comment#0
Impacted products
Vendor Product Version
n/a Keycloak Version: NA
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T05:57:24.969Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182196\u0026comment#0"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-1664",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-15T21:33:57.839751Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-15T21:34:51.378Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Keycloak",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "NA"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Keycloak. This flaw depends on a non-default configuration \"Revalidate Client Certificate\" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If this happens and the KC_SPI_TRUSTSTORE_FILE_FILE variable is missing/misconfigured, any trustfile may be accepted with the logging information of \"Cannot validate client certificate trust: Truststore not available\". This may not impact availability as the attacker would have no access to the server, but consumer applications Integrity or Confidentiality may be impacted considering a possible access to them. Considering the environment is correctly set to use \"Revalidate Client Certificate\" this flaw is avoidable."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "CWE-295",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-26T00:00:00",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182196\u0026comment#0"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-1664",
    "datePublished": "2023-05-26T00:00:00",
    "dateReserved": "2023-03-27T00:00:00",
    "dateUpdated": "2025-01-15T21:34:51.378Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-4492 (GCVE-0-2022-4492)
Vulnerability from cvelistv5
Published
2023-02-23 00:00
Modified
2025-03-12 14:34
Severity ?
CWE
  • ssrf
Summary
The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.
References
https://bugzilla.redhat.com/show_bug.cgi?id=2153260
https://access.redhat.com/security/cve/CVE-2022-4492
https://security.netapp.com/advisory/ntap-20230324-0002/
Impacted products
Vendor Product Version
n/a undertow Version: 2.7
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T01:41:45.097Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153260"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2022-4492"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20230324-0002/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-4492",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-12T14:33:53.756138Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-918",
                "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-12T14:34:50.123Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "undertow",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "2.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "ssrf",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-03-24T00:00:00.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153260"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2022-4492"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20230324-0002/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2022-4492",
    "datePublished": "2023-02-23T00:00:00.000Z",
    "dateReserved": "2022-12-14T00:00:00.000Z",
    "dateUpdated": "2025-03-12T14:34:50.123Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-2585 (GCVE-0-2023-2585)
Vulnerability from cvelistv5
Published
2023-12-21 09:24
Modified
2024-08-02 06:26
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
CWE
  • CWE-358 - Improperly Implemented Security Check for Standard
Summary
Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible unauthorized access to an existing OAuth client.
References
https://access.redhat.com/errata/RHSA-2023:3883vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:3884vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:3885vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:3888vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:3892vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2023-2585vdb-entry, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2196335issue-tracking, x_refsource_REDHAT
Impacted products
Vendor Product Version
Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7.6.4
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 7 Unaffected: 0:18.0.8-1.redhat_00001.1.el7sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el7
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 8 Unaffected: 0:18.0.8-1.redhat_00001.1.el8sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el8
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 9 Unaffected: 0:18.0.8-1.redhat_00001.1.el9sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el9
 Create a notification for this product.
   Red Hat RHEL-8 based Middleware Containers Unaffected: 7.6-24   < *
    cpe:/a:redhat:rhosemc:1.0::el8
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T06:26:09.896Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2023:3883",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:3883"
          },
          {
            "name": "RHSA-2023:3884",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:3884"
          },
          {
            "name": "RHSA-2023:3885",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:3885"
          },
          {
            "name": "RHSA-2023:3888",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:3888"
          },
          {
            "name": "RHSA-2023:3892",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:3892"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2023-2585"
          },
          {
            "name": "RHBZ#2196335",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2196335"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6.4"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak",
          "product": "Red Hat Single Sign-On 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.8-1.redhat_00001.1.el7sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.8-1.redhat_00001.1.el8sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.8-1.redhat_00001.1.el9sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso-7/sso76-openshift-rhel8",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.6-24",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "datePublic": "2023-06-26T00:00:00+00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Keycloak\u0027s device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible unauthorized access to an existing OAuth client."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Low"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-358",
              "description": "Improperly Implemented Security Check for Standard",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-03T15:32:35.422Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2023:3883",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:3883"
        },
        {
          "name": "RHSA-2023:3884",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:3884"
        },
        {
          "name": "RHSA-2023:3885",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:3885"
        },
        {
          "name": "RHSA-2023:3888",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:3888"
        },
        {
          "name": "RHSA-2023:3892",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:3892"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2023-2585"
        },
        {
          "name": "RHBZ#2196335",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2196335"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-04-24T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2023-06-26T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Keycloak: client access via device auth request spoof",
      "x_redhatCweChain": "CWE-358: Improperly Implemented Security Check for Standard"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-2585",
    "datePublished": "2023-12-21T09:24:16.632Z",
    "dateReserved": "2023-05-08T19:39:58.370Z",
    "dateUpdated": "2024-08-02T06:26:09.896Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-20262 (GCVE-0-2021-20262)
Vulnerability from cvelistv5
Published
2021-03-09 17:19
Modified
2024-08-03 17:37
Severity ?
CWE
Summary
A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password. This flaw allows an attacker to take over an account if they can obtain temporary, physical access to a user’s browser. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
References
https://bugzilla.redhat.com/show_bug.cgi?id=1933639x_refsource_MISC
Impacted products
Vendor Product Version
n/a keycloak Version: Keycloak 12.0.0
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:37:23.083Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1933639"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "keycloak",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Keycloak 12.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password. This flaw allows an attacker to take over an account if they can obtain temporary, physical access to a user\u2019s browser. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-03-09T17:19:20",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1933639"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2021-20262",
    "datePublished": "2021-03-09T17:19:20",
    "dateReserved": "2020-12-17T00:00:00",
    "dateUpdated": "2024-08-03T17:37:23.083Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-0853 (GCVE-0-2022-0853)
Vulnerability from cvelistv5
Published
2022-03-11 17:54
Modified
2024-08-02 23:40
Severity ?
CWE
  • Memory Leakage
Summary
A flaw was found in JBoss-client. The vulnerability occurs due to a memory leak on the JBoss client-side, when using UserTransaction repeatedly and leads to information leakage vulnerability.
References
https://bugzilla.redhat.com/show_bug.cgi?id=2060725x_refsource_MISC
https://github.com/ByteHackr/CVE-2022-0853x_refsource_MISC
Impacted products
Vendor Product Version
n/a jboss-client Version: 1.7
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:40:04.530Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060725"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ByteHackr/CVE-2022-0853"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jboss-client",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "1.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in JBoss-client. The vulnerability occurs due to a memory leak on the JBoss client-side, when using UserTransaction repeatedly and leads to information leakage vulnerability."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Memory Leakage",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-11T17:54:27",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060725"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ByteHackr/CVE-2022-0853"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2022-0853",
    "datePublished": "2022-03-11T17:54:27",
    "dateReserved": "2022-03-04T00:00:00",
    "dateUpdated": "2024-08-02T23:40:04.530Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-10184 (GCVE-0-2019-10184)
Vulnerability from cvelistv5
Published
2019-07-25 20:35
Modified
2024-08-04 22:10
Severity ?
5.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE
Summary
undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api.
References
https://access.redhat.com/errata/RHSA-2019:2937vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:2935vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:2936vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:2938vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:2998vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:3044vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:3045vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:3050vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:3046vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2020:0727vendor-advisory, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10184x_refsource_CONFIRM
https://github.com/undertow-io/undertow/pull/794x_refsource_CONFIRM
https://security.netapp.com/advisory/ntap-20220210-0016/x_refsource_CONFIRM
Impacted products
Vendor Product Version
undertow-io undertow Version: fixed in 2.0.23.Final
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:10:10.116Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2019:2937",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2937"
          },
          {
            "name": "RHSA-2019:2935",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2935"
          },
          {
            "name": "RHSA-2019:2936",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2936"
          },
          {
            "name": "RHSA-2019:2938",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2938"
          },
          {
            "name": "RHSA-2019:2998",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2998"
          },
          {
            "name": "RHSA-2019:3044",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3044"
          },
          {
            "name": "RHSA-2019:3045",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3045"
          },
          {
            "name": "RHSA-2019:3050",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3050"
          },
          {
            "name": "RHSA-2019:3046",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3046"
          },
          {
            "name": "RHSA-2020:0727",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0727"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10184"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/undertow-io/undertow/pull/794"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220210-0016/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "undertow",
          "vendor": "undertow-io",
          "versions": [
            {
              "status": "affected",
              "version": "fixed in 2.0.23.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-10T09:06:40",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2019:2937",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2937"
        },
        {
          "name": "RHSA-2019:2935",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2935"
        },
        {
          "name": "RHSA-2019:2936",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2936"
        },
        {
          "name": "RHSA-2019:2938",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2938"
        },
        {
          "name": "RHSA-2019:2998",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2998"
        },
        {
          "name": "RHSA-2019:3044",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3044"
        },
        {
          "name": "RHSA-2019:3045",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3045"
        },
        {
          "name": "RHSA-2019:3050",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3050"
        },
        {
          "name": "RHSA-2019:3046",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3046"
        },
        {
          "name": "RHSA-2020:0727",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0727"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10184"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/undertow-io/undertow/pull/794"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220210-0016/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2019-10184",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "undertow",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "fixed in 2.0.23.Final"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "undertow-io"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "5.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-862"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2019:2937",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2937"
            },
            {
              "name": "RHSA-2019:2935",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2935"
            },
            {
              "name": "RHSA-2019:2936",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2936"
            },
            {
              "name": "RHSA-2019:2938",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2938"
            },
            {
              "name": "RHSA-2019:2998",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2998"
            },
            {
              "name": "RHSA-2019:3044",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3044"
            },
            {
              "name": "RHSA-2019:3045",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3045"
            },
            {
              "name": "RHSA-2019:3050",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3050"
            },
            {
              "name": "RHSA-2019:3046",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3046"
            },
            {
              "name": "RHSA-2020:0727",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0727"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10184",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10184"
            },
            {
              "name": "https://github.com/undertow-io/undertow/pull/794",
              "refsource": "CONFIRM",
              "url": "https://github.com/undertow-io/undertow/pull/794"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220210-0016/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220210-0016/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2019-10184",
    "datePublished": "2019-07-25T20:35:16",
    "dateReserved": "2019-03-27T00:00:00",
    "dateUpdated": "2024-08-04T22:10:10.116Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-14657 (GCVE-0-2018-14657)
Vulnerability from cvelistv5
Published
2018-11-13 19:00
Modified
2024-08-05 09:38
Severity ?
5.4 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CWE
Summary
A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final. When TOPT enabled, an improper implementation of the Brute Force detection algorithm will not enforce its protection measures.
References
https://access.redhat.com/errata/RHSA-2018:3592vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:3593vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:3595vendor-advisory, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14657x_refsource_CONFIRM
Impacted products
Vendor Product Version
Red Hat keycloak Version: 4.2.1.Final, 4.3.0.Final
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:38:13.017Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2018:3592",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:3592"
          },
          {
            "name": "RHSA-2018:3593",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:3593"
          },
          {
            "name": "RHSA-2018:3595",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:3595"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14657"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "keycloak",
          "vendor": "Red Hat",
          "versions": [
            {
              "status": "affected",
              "version": "4.2.1.Final, 4.3.0.Final"
            }
          ]
        }
      ],
      "datePublic": "2018-11-13T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final. When TOPT enabled, an improper implementation of the Brute Force detection algorithm will not enforce its protection measures."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "CWE-307",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-04T18:00:57",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2018:3592",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:3592"
        },
        {
          "name": "RHSA-2018:3593",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:3593"
        },
        {
          "name": "RHSA-2018:3595",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:3595"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14657"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2018-14657",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "keycloak",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "4.2.1.Final, 4.3.0.Final"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Red Hat"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final. When TOPT enabled, an improper implementation of the Brute Force detection algorithm will not enforce its protection measures."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "5.4/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-307"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2018:3592",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:3592"
            },
            {
              "name": "RHSA-2018:3593",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:3593"
            },
            {
              "name": "RHSA-2018:3595",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:3595"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14657",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14657"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2018-14657",
    "datePublished": "2018-11-13T19:00:00",
    "dateReserved": "2018-07-27T00:00:00",
    "dateUpdated": "2024-08-05T09:38:13.017Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-6841 (GCVE-0-2023-6841)
Vulnerability from cvelistv5
Published
2024-09-10 16:15
Modified
2025-03-15 04:00
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE
  • CWE-231 - Improper Handling of Extra Values
Summary
A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values.
References
https://access.redhat.com/security/cve/CVE-2023-6841vdb-entry, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2254714issue-tracking, x_refsource_REDHAT
Impacted products
Vendor Product Version
Version: 0   
Create a notification for this product.
   Red Hat Red Hat build of Quarkus     cpe:/a:redhat:openshift_application_runtimes:1.0
 Create a notification for this product.
   Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
 Create a notification for this product.
   Red Hat Red Hat Mobile Application Platform 4     cpe:/a:redhat:mobile_application_platform:4
 Create a notification for this product.
   Red Hat Red Hat OpenShift Application Runtimes     cpe:/a:redhat:openshift_application_runtimes:1.0
 Create a notification for this product.
   Red Hat Red Hat Process Automation 7     cpe:/a:redhat:jboss_enterprise_bpms_platform:7
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7
 Create a notification for this product.
   Red Hat Red Hat support for Spring Boot     cpe:/a:redhat:openshift_application_runtimes:1.0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-6841",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-01T20:20:35.831984Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-01T20:20:45.372Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/keycloak/keycloak",
          "defaultStatus": "unaffected",
          "packageName": "keycloak",
          "versions": [
            {
              "lessThan": "24.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_application_runtimes:1.0"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak",
          "product": "Red Hat build of Quarkus",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_fuse:7"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak",
          "product": "Red Hat Fuse 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:mobile_application_platform:4"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak",
          "product": "Red Hat Mobile Application Platform 4",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_application_runtimes:1.0"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak",
          "product": "Red Hat OpenShift Application Runtimes",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak",
          "product": "Red Hat Process Automation 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7"
          ],
          "defaultStatus": "affected",
          "packageName": "keycloak",
          "product": "Red Hat Single Sign-On 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_application_runtimes:1.0"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak",
          "product": "Red Hat support for Spring Boot",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2024-09-10T15:45:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-231",
              "description": "Improper Handling of Extra Values",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-15T04:00:19.496Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2023-6841"
        },
        {
          "name": "RHBZ#2254714",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254714"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-12-15T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2024-09-10T15:45:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Keycloak: amount of attributes per object is not limited and it may lead to dos",
      "workarounds": [
        {
          "lang": "en",
          "value": "This CVE is mitigated by the \u0027User Profile\u0027 functionality, which was introduced in Keycloak 24. This feature introduces additional validation which prevents this vulnerability from being exploited."
        }
      ],
      "x_redhatCweChain": "CWE-231: Improper Handling of Extra Values"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-6841",
    "datePublished": "2024-09-10T16:15:32.639Z",
    "dateReserved": "2023-12-15T12:33:39.292Z",
    "dateUpdated": "2025-03-15T04:00:19.496Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-1757 (GCVE-0-2020-1757)
Vulnerability from cvelistv5
Published
2020-04-21 15:31
Modified
2024-08-04 06:46
Severity ?
8.1 (High) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CWE
Summary
A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass.
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1757x_refsource_CONFIRM
Impacted products
Vendor Product Version
Red Hat undertow Version: all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1
Version: all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T06:46:30.881Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1757"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "undertow",
          "vendor": "Red Hat",
          "versions": [
            {
              "status": "affected",
              "version": "all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1"
            },
            {
              "status": "affected",
              "version": "all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-04-21T15:31:14",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1757"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2020-1757",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "undertow",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1"
                          },
                          {
                            "version_value": "all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Red Hat"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "8.1/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-20"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-200"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1757",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1757"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-1757",
    "datePublished": "2020-04-21T15:31:14",
    "dateReserved": "2019-11-27T00:00:00",
    "dateUpdated": "2024-08-04T06:46:30.881Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-0225 (GCVE-0-2022-0225)
Vulnerability from cvelistv5
Published
2022-08-26 17:25
Modified
2024-08-02 23:18
Severity ?
CWE
  • CWE-79 - - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack.
References
https://bugzilla.redhat.com/show_bug.cgi?id=2040268x_refsource_MISC
https://github.com/keycloak/keycloak/security/advisories/GHSA-755v-r4x4-qf7mx_refsource_MISC
Impacted products
Vendor Product Version
n/a keycloak Version: Not-Known
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:18:42.951Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040268"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-755v-r4x4-qf7m"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "keycloak",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Not-Known"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 - Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-26T17:25:46",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040268"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-755v-r4x4-qf7m"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2022-0225",
    "datePublished": "2022-08-26T17:25:46",
    "dateReserved": "2022-01-13T00:00:00",
    "dateUpdated": "2024-08-02T23:18:42.951Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-0091 (GCVE-0-2023-0091)
Vulnerability from cvelistv5
Published
2023-01-11 20:44
Modified
2025-04-09 14:09
Severity ?
3.8 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
CWE
  • n/a
Summary
A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.
References
https://access.redhat.com/security/cve/CVE-2023-0091
Impacted products
Vendor Product Version
redhat.com Keycloak Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T05:02:43.399Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2023-0091"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 3.8,
              "baseSeverity": "LOW",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-0091",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-09T14:08:50.042443Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-863",
                "description": "CWE-863 Incorrect Authorization",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-09T14:09:36.362Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Keycloak",
          "vendor": "redhat.com",
          "versions": [
            {
              "status": "unknown",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-13T04:22:02.451Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "https://access.redhat.com/security/cve/CVE-2023-0091"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-0091",
    "datePublished": "2023-01-11T20:44:07.553Z",
    "dateReserved": "2023-01-05T20:27:38.369Z",
    "dateUpdated": "2025-04-09T14:09:36.362Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-2668 (GCVE-0-2022-2668)
Vulnerability from cvelistv5
Published
2022-08-05 16:46
Modified
2024-08-03 00:46
Severity ?
CWE
  • Expected Behavior Violation
Summary
An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled
References
https://access.redhat.com/security/cve/CVE-2022-2668x_refsource_MISC
Impacted products
Vendor Product Version
n/a keycloak Version: Keycloak 18
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:46:03.654Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2022-2668"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "keycloak",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Keycloak 18"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Expected Behavior Violation",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-05T16:46:34",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2022-2668"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2022-2668",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "keycloak",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Keycloak 18"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Expected Behavior Violation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://access.redhat.com/security/cve/CVE-2022-2668",
              "refsource": "MISC",
              "url": "https://access.redhat.com/security/cve/CVE-2022-2668"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2022-2668",
    "datePublished": "2022-08-05T16:46:34",
    "dateReserved": "2022-08-05T00:00:00",
    "dateUpdated": "2024-08-03T00:46:03.654Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-3872 (GCVE-0-2019-3872)
Vulnerability from cvelistv5
Published
2019-06-12 13:45
Modified
2024-08-04 19:19
Severity ?
5.4 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CWE
Summary
It was found that a SAMLRequest containing a script could be processed by Picketlink versions shipped in Jboss Application Platform 7.2.x and 7.1.x. An attacker could use this to send a malicious script to achieve cross-site scripting and obtain unauthorized information or conduct further attacks.
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3872x_refsource_CONFIRM
http://www.securityfocus.com/bid/108732vdb-entry, x_refsource_BID
Impacted products
Vendor Product Version
Red Hat picketlink Version: as shipped with Jboss Enterprise Application Platform 7.2.x and 7.1.x
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T19:19:18.614Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3872"
          },
          {
            "name": "108732",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/108732"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "picketlink",
          "vendor": "Red Hat",
          "versions": [
            {
              "status": "affected",
              "version": "as shipped with Jboss Enterprise Application Platform 7.2.x and 7.1.x"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "It was found that a SAMLRequest containing a script could be processed by Picketlink versions shipped in Jboss Application Platform 7.2.x and 7.1.x. An attacker could use this to send a malicious script to achieve cross-site scripting and obtain unauthorized information or conduct further attacks."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-06-12T14:06:06",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3872"
        },
        {
          "name": "108732",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/108732"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2019-3872",
    "datePublished": "2019-06-12T13:45:56",
    "dateReserved": "2019-01-03T00:00:00",
    "dateUpdated": "2024-08-04T19:19:18.614Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-27838 (GCVE-0-2020-27838)
Vulnerability from cvelistv5
Published
2021-03-08 21:41
Modified
2024-08-04 16:25
Severity ?
CWE
Summary
A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality.
References
https://bugzilla.redhat.com/show_bug.cgi?id=1906797x_refsource_MISC
Impacted products
Vendor Product Version
n/a keycloak Version: keycloak 13.0.0
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T16:25:43.769Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1906797"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "keycloak",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "keycloak 13.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-03-08T21:41:27",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1906797"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2020-27838",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "keycloak",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "keycloak 13.0.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-287"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1906797",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1906797"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-27838",
    "datePublished": "2021-03-08T21:41:27",
    "dateReserved": "2020-10-27T00:00:00",
    "dateUpdated": "2024-08-04T16:25:43.769Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-9515 (GCVE-0-2019-9515)
Vulnerability from cvelistv5
Published
2019-08-13 20:50
Modified
2024-08-04 21:54
Severity ?
7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Summary
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
References
https://kb.cert.org/vuls/id/605641/third-party-advisory, x_refsource_CERT-VN
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.mdx_refsource_MISC
https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3Emailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3Emailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3Emailing-list, x_refsource_MLIST
https://seclists.org/bugtraq/2019/Aug/24mailing-list, x_refsource_BUGTRAQ
http://seclists.org/fulldisclosure/2019/Aug/16mailing-list, x_refsource_FULLDISC
https://www.synology.com/security/advisory/Synology_SA_19_33x_refsource_CONFIRM
https://support.f5.com/csp/article/K50233772x_refsource_CONFIRM
https://security.netapp.com/advisory/ntap-20190823-0005/x_refsource_CONFIRM
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/vendor-advisory, x_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/vendor-advisory, x_refsource_FEDORA
https://seclists.org/bugtraq/2019/Aug/43mailing-list, x_refsource_BUGTRAQ
https://www.debian.org/security/2019/dsa-4508vendor-advisory, x_refsource_DEBIAN
https://www.debian.org/security/2019/dsa-4520vendor-advisory, x_refsource_DEBIAN
https://seclists.org/bugtraq/2019/Sep/18mailing-list, x_refsource_BUGTRAQ
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.htmlvendor-advisory, x_refsource_SUSE
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.htmlvendor-advisory, x_refsource_SUSE
https://kc.mcafee.com/corporate/index?page=content&id=SB10296x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2019:2766vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:2796vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:2861vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:2925vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:2939vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:2955vendor-advisory, x_refsource_REDHAT
https://support.f5.com/csp/article/K50233772?utm_source=f5support&amp%3Butm_medium=RSSx_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2019:3892vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:4018vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:4019vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:4021vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:4020vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:4045vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:4042vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:4040vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:4041vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:4352vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2020:0727vendor-advisory, x_refsource_REDHAT
https://usn.ubuntu.com/4308-1/vendor-advisory, x_refsource_UBUNTU
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T21:54:44.327Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "VU#605641",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "https://kb.cert.org/vuls/id/605641/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
          },
          {
            "name": "[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E"
          },
          {
            "name": "[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E"
          },
          {
            "name": "[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E"
          },
          {
            "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Aug/24"
          },
          {
            "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.f5.com/csp/article/K50233772"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
          },
          {
            "name": "FEDORA-2019-5a6a7bc12c",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
          },
          {
            "name": "FEDORA-2019-6a2980de56",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
          },
          {
            "name": "20190825 [SECURITY] [DSA 4508-1] h2o security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Aug/43"
          },
          {
            "name": "DSA-4508",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4508"
          },
          {
            "name": "DSA-4520",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4520"
          },
          {
            "name": "20190910 [SECURITY] [DSA 4520-1] trafficserver security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Sep/18"
          },
          {
            "name": "openSUSE-SU-2019:2114",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
          },
          {
            "name": "openSUSE-SU-2019:2115",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
          },
          {
            "name": "RHSA-2019:2766",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2766"
          },
          {
            "name": "RHSA-2019:2796",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2796"
          },
          {
            "name": "RHSA-2019:2861",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2861"
          },
          {
            "name": "RHSA-2019:2925",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2925"
          },
          {
            "name": "RHSA-2019:2939",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2939"
          },
          {
            "name": "RHSA-2019:2955",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2955"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.f5.com/csp/article/K50233772?utm_source=f5support\u0026amp%3Butm_medium=RSS"
          },
          {
            "name": "RHSA-2019:3892",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3892"
          },
          {
            "name": "RHSA-2019:4018",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4018"
          },
          {
            "name": "RHSA-2019:4019",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4019"
          },
          {
            "name": "RHSA-2019:4021",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4021"
          },
          {
            "name": "RHSA-2019:4020",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4020"
          },
          {
            "name": "RHSA-2019:4045",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4045"
          },
          {
            "name": "RHSA-2019:4042",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4042"
          },
          {
            "name": "RHSA-2019:4040",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4040"
          },
          {
            "name": "RHSA-2019:4041",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4041"
          },
          {
            "name": "RHSA-2019:4352",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4352"
          },
          {
            "name": "RHSA-2020:0727",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0727"
          },
          {
            "name": "USN-4308-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4308-1/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Thanks to Jonathan Looney of Netflix for reporting this vulnerability."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-03-30T21:06:04",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "name": "VU#605641",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "https://kb.cert.org/vuls/id/605641/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
        },
        {
          "name": "[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E"
        },
        {
          "name": "[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E"
        },
        {
          "name": "[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E"
        },
        {
          "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/Aug/24"
        },
        {
          "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.f5.com/csp/article/K50233772"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
        },
        {
          "name": "FEDORA-2019-5a6a7bc12c",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
        },
        {
          "name": "FEDORA-2019-6a2980de56",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
        },
        {
          "name": "20190825 [SECURITY] [DSA 4508-1] h2o security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/Aug/43"
        },
        {
          "name": "DSA-4508",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4508"
        },
        {
          "name": "DSA-4520",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4520"
        },
        {
          "name": "20190910 [SECURITY] [DSA 4520-1] trafficserver security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/Sep/18"
        },
        {
          "name": "openSUSE-SU-2019:2114",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
        },
        {
          "name": "openSUSE-SU-2019:2115",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
        },
        {
          "name": "RHSA-2019:2766",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2766"
        },
        {
          "name": "RHSA-2019:2796",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2796"
        },
        {
          "name": "RHSA-2019:2861",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2861"
        },
        {
          "name": "RHSA-2019:2925",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2925"
        },
        {
          "name": "RHSA-2019:2939",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2939"
        },
        {
          "name": "RHSA-2019:2955",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2955"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.f5.com/csp/article/K50233772?utm_source=f5support\u0026amp%3Butm_medium=RSS"
        },
        {
          "name": "RHSA-2019:3892",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3892"
        },
        {
          "name": "RHSA-2019:4018",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4018"
        },
        {
          "name": "RHSA-2019:4019",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4019"
        },
        {
          "name": "RHSA-2019:4021",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4021"
        },
        {
          "name": "RHSA-2019:4020",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4020"
        },
        {
          "name": "RHSA-2019:4045",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4045"
        },
        {
          "name": "RHSA-2019:4042",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4042"
        },
        {
          "name": "RHSA-2019:4040",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4040"
        },
        {
          "name": "RHSA-2019:4041",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4041"
        },
        {
          "name": "RHSA-2019:4352",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4352"
        },
        {
          "name": "RHSA-2020:0727",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0727"
        },
        {
          "name": "USN-4308-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4308-1/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service",
      "x_generator": {
        "engine": "Vulnogram 0.0.7"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "AKA": "HTTP/2 Settings Flood",
          "ASSIGNER": "cert@cert.org",
          "ID": "CVE-2019-9515",
          "STATE": "PUBLIC",
          "TITLE": "Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Thanks to Jonathan Looney of Netflix for reporting this vulnerability."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.7"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-400 Uncontrolled Resource Consumption"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "VU#605641",
              "refsource": "CERT-VN",
              "url": "https://kb.cert.org/vuls/id/605641/"
            },
            {
              "name": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
              "refsource": "MISC",
              "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
            },
            {
              "name": "[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7@%3Cdev.trafficserver.apache.org%3E"
            },
            {
              "name": "[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04@%3Cusers.trafficserver.apache.org%3E"
            },
            {
              "name": "[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19@%3Cannounce.trafficserver.apache.org%3E"
            },
            {
              "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Aug/24"
            },
            {
              "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
            },
            {
              "name": "https://www.synology.com/security/advisory/Synology_SA_19_33",
              "refsource": "CONFIRM",
              "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
            },
            {
              "name": "https://support.f5.com/csp/article/K50233772",
              "refsource": "CONFIRM",
              "url": "https://support.f5.com/csp/article/K50233772"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20190823-0005/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
            },
            {
              "name": "FEDORA-2019-5a6a7bc12c",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
            },
            {
              "name": "FEDORA-2019-6a2980de56",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
            },
            {
              "name": "20190825 [SECURITY] [DSA 4508-1] h2o security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Aug/43"
            },
            {
              "name": "DSA-4508",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2019/dsa-4508"
            },
            {
              "name": "DSA-4520",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2019/dsa-4520"
            },
            {
              "name": "20190910 [SECURITY] [DSA 4520-1] trafficserver security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Sep/18"
            },
            {
              "name": "openSUSE-SU-2019:2114",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
            },
            {
              "name": "openSUSE-SU-2019:2115",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
            },
            {
              "name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296",
              "refsource": "CONFIRM",
              "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
            },
            {
              "name": "RHSA-2019:2766",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2766"
            },
            {
              "name": "RHSA-2019:2796",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2796"
            },
            {
              "name": "RHSA-2019:2861",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2861"
            },
            {
              "name": "RHSA-2019:2925",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2925"
            },
            {
              "name": "RHSA-2019:2939",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2939"
            },
            {
              "name": "RHSA-2019:2955",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2955"
            },
            {
              "name": "https://support.f5.com/csp/article/K50233772?utm_source=f5support\u0026amp;utm_medium=RSS",
              "refsource": "CONFIRM",
              "url": "https://support.f5.com/csp/article/K50233772?utm_source=f5support\u0026amp;utm_medium=RSS"
            },
            {
              "name": "RHSA-2019:3892",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3892"
            },
            {
              "name": "RHSA-2019:4018",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:4018"
            },
            {
              "name": "RHSA-2019:4019",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:4019"
            },
            {
              "name": "RHSA-2019:4021",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:4021"
            },
            {
              "name": "RHSA-2019:4020",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:4020"
            },
            {
              "name": "RHSA-2019:4045",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:4045"
            },
            {
              "name": "RHSA-2019:4042",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:4042"
            },
            {
              "name": "RHSA-2019:4040",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:4040"
            },
            {
              "name": "RHSA-2019:4041",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:4041"
            },
            {
              "name": "RHSA-2019:4352",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:4352"
            },
            {
              "name": "RHSA-2020:0727",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0727"
            },
            {
              "name": "USN-4308-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4308-1/"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2019-9515",
    "datePublished": "2019-08-13T20:50:59",
    "dateReserved": "2019-03-01T00:00:00",
    "dateUpdated": "2024-08-04T21:54:44.327Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-3754 (GCVE-0-2021-3754)
Vulnerability from cvelistv5
Published
2022-08-26 15:25
Modified
2024-08-03 17:09
Severity ?
CWE
  • CWE-20 - - Improper Input Validation
Summary
A flaw was found in keycloak where an attacker is able to register himself with the username same as the email ID of any existing user. This may cause trouble in getting password recovery email in case the user forgets the password.
References
https://bugzilla.redhat.com/show_bug.cgi?id=1999196x_refsource_MISC
https://access.redhat.com/security/cve/CVE-2021-3754x_refsource_MISC
Impacted products
Vendor Product Version
n/a keycloak Version: Not-Known
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:09:08.286Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999196"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2021-3754"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "keycloak",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Not-Known"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in keycloak where an attacker is able to register himself with the username same as the email ID of any existing user. This may cause trouble in getting password recovery email in case the user forgets the password."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 - Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-26T15:25:39",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999196"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2021-3754"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2021-3754",
    "datePublished": "2022-08-26T15:25:40",
    "dateReserved": "2021-08-31T00:00:00",
    "dateUpdated": "2024-08-03T17:09:08.286Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-3717 (GCVE-0-2021-3717)
Vulnerability from cvelistv5
Published
2022-05-24 18:18
Modified
2024-08-03 17:01
Severity ?
CWE
Summary
A flaw was found in Wildfly. An incorrect JBOSS_LOCAL_USER challenge location when using the elytron configuration may lead to JBOSS_LOCAL_USER access to all users on the machine. The highest threat from this vulnerability is to confidentiality, integrity, and availability. This flaw affects wildfly-core versions prior to 17.0.
References
https://bugzilla.redhat.com/show_bug.cgi?id=1991305x_refsource_MISC
https://security.netapp.com/advisory/ntap-20220804-0002/x_refsource_CONFIRM
Impacted products
Vendor Product Version
n/a wildfly Version: wildfly-core 17.0
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:01:08.330Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1991305"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220804-0002/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wildfly",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "wildfly-core 17.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Wildfly. An incorrect JBOSS_LOCAL_USER challenge location when using the elytron configuration may lead to JBOSS_LOCAL_USER access to all users on the machine. The highest threat from this vulnerability is to confidentiality, integrity, and availability. This flaw affects wildfly-core versions prior to 17.0."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-552",
              "description": "CWE-552",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-04T17:06:33",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1991305"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220804-0002/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2021-3717",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "wildfly",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "wildfly-core 17.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A flaw was found in Wildfly. An incorrect JBOSS_LOCAL_USER challenge location when using the elytron configuration may lead to JBOSS_LOCAL_USER access to all users on the machine. The highest threat from this vulnerability is to confidentiality, integrity, and availability. This flaw affects wildfly-core versions prior to 17.0."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-552"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1991305",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1991305"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220804-0002/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220804-0002/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2021-3717",
    "datePublished": "2022-05-24T18:18:43",
    "dateReserved": "2021-08-18T00:00:00",
    "dateUpdated": "2024-08-03T17:01:08.330Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-1466 (GCVE-0-2022-1466)
Vulnerability from cvelistv5
Published
2022-04-26 18:33
Modified
2024-08-03 00:03
Severity ?
CWE
Summary
Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.
References
https://bugzilla.redhat.com/show_bug.cgi?id=2050228x_refsource_MISC
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-076.txtx_refsource_MISC
https://www.syss.de/pentest-blog/fehlerhafte-autorisierung-bei-red-hat-single-sign-on-750ga-syss-2021-076x_refsource_MISC
Impacted products
Vendor Product Version
n/a rhsso Version: rhsso 7.5.0.GA
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:03:06.380Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2050228"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-076.txt"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.syss.de/pentest-blog/fehlerhafte-autorisierung-bei-red-hat-single-sign-on-750ga-syss-2021-076"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rhsso",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "rhsso 7.5.0.GA"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-26T18:33:22",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2050228"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-076.txt"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.syss.de/pentest-blog/fehlerhafte-autorisierung-bei-red-hat-single-sign-on-750ga-syss-2021-076"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2022-1466",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "rhsso",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "rhsso 7.5.0.GA"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-863"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2050228",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2050228"
            },
            {
              "name": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-076.txt",
              "refsource": "MISC",
              "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-076.txt"
            },
            {
              "name": "https://www.syss.de/pentest-blog/fehlerhafte-autorisierung-bei-red-hat-single-sign-on-750ga-syss-2021-076",
              "refsource": "MISC",
              "url": "https://www.syss.de/pentest-blog/fehlerhafte-autorisierung-bei-red-hat-single-sign-on-750ga-syss-2021-076"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2022-1466",
    "datePublished": "2022-04-26T18:33:22",
    "dateReserved": "2022-04-25T00:00:00",
    "dateUpdated": "2024-08-03T00:03:06.380Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-10201 (GCVE-0-2019-10201)
Vulnerability from cvelistv5
Published
2019-08-14 16:09
Modified
2024-08-04 22:17
Severity ?
8.1 (High) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CWE
Summary
It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information.
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10201x_refsource_CONFIRM
Impacted products
Vendor Product Version
Red Hat keycloak Version: up to keycloak 6.0.1
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:17:19.324Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10201"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "keycloak",
          "vendor": "Red Hat ",
          "versions": [
            {
              "status": "affected",
              "version": "up to keycloak 6.0.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "It was found that Keycloak\u0027s SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the \u003cSignature\u003e sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-592",
              "description": "CWE-592",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-08-14T16:09:38",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10201"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2019-10201",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "keycloak",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "up to keycloak 6.0.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Red Hat "
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "It was found that Keycloak\u0027s SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the \u003cSignature\u003e sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "8.1/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-592"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10201",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10201"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2019-10201",
    "datePublished": "2019-08-14T16:09:39",
    "dateReserved": "2019-03-27T00:00:00",
    "dateUpdated": "2024-08-04T22:17:19.324Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-3632 (GCVE-0-2021-3632)
Vulnerability from cvelistv5
Published
2022-08-26 15:25
Modified
2024-08-03 17:01
Severity ?
CWE
  • CWE-287 - - Improper Authentication
Summary
A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow.
References
https://issues.redhat.com/browse/KEYCLOAK-18500x_refsource_MISC
https://bugzilla.redhat.com/show_bug.cgi?id=1978196x_refsource_MISC
https://access.redhat.com/security/cve/CVE-2021-3632x_refsource_MISC
https://github.com/keycloak/keycloak/pull/8203x_refsource_MISC
https://github.com/keycloak/keycloak/commit/65480cb5a11630909c086f79d396004499fbd1e4x_refsource_MISC
Impacted products
Vendor Product Version
n/a keycloak Version: Fixed in v15.1.0
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:01:08.129Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://issues.redhat.com/browse/KEYCLOAK-18500"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1978196"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2021-3632"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/keycloak/keycloak/pull/8203"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/keycloak/keycloak/commit/65480cb5a11630909c086f79d396004499fbd1e4"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "keycloak",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Fixed in v15.1.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287 - Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-26T15:25:41",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://issues.redhat.com/browse/KEYCLOAK-18500"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1978196"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2021-3632"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/keycloak/keycloak/pull/8203"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/keycloak/keycloak/commit/65480cb5a11630909c086f79d396004499fbd1e4"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2021-3632",
    "datePublished": "2022-08-26T15:25:41",
    "dateReserved": "2021-07-01T00:00:00",
    "dateUpdated": "2024-08-03T17:01:08.129Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-44487 (GCVE-0-2023-44487)
Vulnerability from cvelistv5
Published
2023-10-10 00:00
Modified
2025-06-07 20:05
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE
  • n/a
Summary
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
References
https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73
https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
https://aws.amazon.com/security/security-bulletins/AWS-2023-011/
https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
https://news.ycombinator.com/item?id=37831062
https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack
https://github.com/envoyproxy/envoy/pull/30055
https://github.com/haproxy/haproxy/issues/2312
https://github.com/eclipse/jetty.project/issues/10679
https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764
https://github.com/nghttp2/nghttp2/pull/1961
https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61
https://github.com/alibaba/tengine/issues/1872
https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2
https://news.ycombinator.com/item?id=37830987
https://news.ycombinator.com/item?id=37830998
https://github.com/caddyserver/caddy/issues/5877
https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/
https://github.com/bcdannyboy/CVE-2023-44487
https://github.com/grpc/grpc-go/pull/6703
https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244
https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0
https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
https://my.f5.com/manage/s/article/K000137106
https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/
https://bugzilla.proxmox.com/show_bug.cgi?id=4988
https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9
http://www.openwall.com/lists/oss-security/2023/10/10/7mailing-list
http://www.openwall.com/lists/oss-security/2023/10/10/6mailing-list
https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected
https://github.com/microsoft/CBL-Mariner/pull/6381
https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo
https://github.com/facebook/proxygen/pull/466
https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088
https://github.com/micrictor/http2-rst-stream
https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve
https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/
https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf
https://github.com/h2o/h2o/pull/3291
https://github.com/nodejs/node/pull/50121
https://github.com/dotnet/announcements/issues/277
https://github.com/golang/go/issues/63417
https://github.com/advisories/GHSA-vx74-f528-fxqg
https://github.com/apache/trafficserver/pull/10564
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14
https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
https://www.openwall.com/lists/oss-security/2023/10/10/6
https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487
https://github.com/opensearch-project/data-prepper/issues/3474
https://github.com/kubernetes/kubernetes/pull/121120
https://github.com/oqtane/oqtane.framework/discussions/3367
https://github.com/advisories/GHSA-xpw8-rcwv-8f8p
https://netty.io/news/2023/10/10/4-1-100-Final.html
https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487
https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/
https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack
https://news.ycombinator.com/item?id=37837043
https://github.com/kazu-yamamoto/http2/issues/93
https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html
https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1
https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113
https://www.debian.org/security/2023/dsa-5522vendor-advisory
https://www.debian.org/security/2023/dsa-5521vendor-advisory
https://access.redhat.com/security/cve/cve-2023-44487
https://github.com/ninenines/cowboy/issues/1615
https://github.com/varnishcache/varnish-cache/issues/3996
https://github.com/tempesta-tech/tempesta/issues/1986
https://blog.vespa.ai/cve-2023-44487/
https://github.com/etcd-io/etcd/issues/16740
https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event
https://istio.io/latest/news/security/istio-security-2023-004/
https://github.com/junkurihara/rust-rpxy/issues/97
https://bugzilla.suse.com/show_bug.cgi?id=1216123
https://bugzilla.redhat.com/show_bug.cgi?id=2242803
https://ubuntu.com/security/CVE-2023-44487
https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125
https://github.com/advisories/GHSA-qppj-fm5r-hxr3
https://github.com/apache/httpd-site/pull/10
https://github.com/projectcontour/contour/pull/5826
https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632
https://github.com/line/armeria/pull/5232
https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/
https://security.paloaltonetworks.com/CVE-2023-44487
https://github.com/akka/akka-http/issues/4323
https://github.com/openresty/openresty/issues/930
https://github.com/apache/apisix/issues/10320
https://github.com/Azure/AKS/issues/3947
https://github.com/Kong/kong/discussions/11741
https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487
https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/
https://github.com/caddyserver/caddy/releases/tag/v2.7.5
https://lists.debian.org/debian-lts-announce/2023/10/msg00020.htmlmailing-list
http://www.openwall.com/lists/oss-security/2023/10/13/4mailing-list
http://www.openwall.com/lists/oss-security/2023/10/13/9mailing-list
https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/
https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/vendor-advisory
https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/
https://lists.debian.org/debian-lts-announce/2023/10/msg00023.htmlmailing-list
https://security.netapp.com/advisory/ntap-20231016-0001/
https://lists.debian.org/debian-lts-announce/2023/10/msg00024.htmlmailing-list
http://www.openwall.com/lists/oss-security/2023/10/18/4mailing-list
http://www.openwall.com/lists/oss-security/2023/10/18/8mailing-list
http://www.openwall.com/lists/oss-security/2023/10/19/6mailing-list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/vendor-advisory
http://www.openwall.com/lists/oss-security/2023/10/20/8mailing-list
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/vendor-advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00045.htmlmailing-list
https://www.debian.org/security/2023/dsa-5540vendor-advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00047.htmlmailing-list
https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/vendor-advisory
https://lists.debian.org/debian-lts-announce/2023/11/msg00001.htmlmailing-list
https://www.debian.org/security/2023/dsa-5549vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/vendor-advisory
https://www.debian.org/security/2023/dsa-5558vendor-advisory
https://lists.debian.org/debian-lts-announce/2023/11/msg00012.htmlmailing-list
https://security.gentoo.org/glsa/202311-09vendor-advisory
https://www.debian.org/security/2023/dsa-5570vendor-advisory
https://security.netapp.com/advisory/ntap-20240426-0007/
https://security.netapp.com/advisory/ntap-20240621-0006/
https://security.netapp.com/advisory/ntap-20240621-0007/
https://github.com/grpc/grpc/releases/tag/v1.59.2
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http2-reset-d8Kf32vZ
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:ietf:http:2.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "http",
            "vendor": "ietf",
            "versions": [
              {
                "status": "affected",
                "version": "2.0"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-44487",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-23T20:34:21.334116Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2023-10-10",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2023-44487"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-400",
                "description": "CWE-400 Uncontrolled Resource Consumption",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-23T20:35:03.253Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-19T07:48:04.546Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://news.ycombinator.com/item?id=37831062"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/envoyproxy/envoy/pull/30055"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/haproxy/haproxy/issues/2312"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/eclipse/jetty.project/issues/10679"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/nghttp2/nghttp2/pull/1961"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/alibaba/tengine/issues/1872"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://news.ycombinator.com/item?id=37830987"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://news.ycombinator.com/item?id=37830998"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/caddyserver/caddy/issues/5877"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/bcdannyboy/CVE-2023-44487"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/grpc/grpc-go/pull/6703"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://my.f5.com/manage/s/article/K000137106"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/microsoft/CBL-Mariner/pull/6381"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/facebook/proxygen/pull/466"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/micrictor/http2-rst-stream"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/h2o/h2o/pull/3291"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/nodejs/node/pull/50121"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/dotnet/announcements/issues/277"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/golang/go/issues/63417"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/apache/trafficserver/pull/10564"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/opensearch-project/data-prepper/issues/3474"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/kubernetes/kubernetes/pull/121120"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/oqtane/oqtane.framework/discussions/3367"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://news.ycombinator.com/item?id=37837043"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/kazu-yamamoto/http2/issues/93"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113"
          },
          {
            "name": "DSA-5522",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5522"
          },
          {
            "name": "DSA-5521",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5521"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/cve-2023-44487"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/ninenines/cowboy/issues/1615"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/varnishcache/varnish-cache/issues/3996"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/tempesta-tech/tempesta/issues/1986"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://blog.vespa.ai/cve-2023-44487/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/etcd-io/etcd/issues/16740"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://istio.io/latest/news/security/istio-security-2023-004/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/junkurihara/rust-rpxy/issues/97"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://ubuntu.com/security/CVE-2023-44487"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/apache/httpd-site/pull/10"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/projectcontour/contour/pull/5826"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/line/armeria/pull/5232"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.paloaltonetworks.com/CVE-2023-44487"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/akka/akka-http/issues/4323"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/openresty/openresty/issues/930"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/apache/apisix/issues/10320"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/Azure/AKS/issues/3947"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/Kong/kong/discussions/11741"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/caddyserver/caddy/releases/tag/v2.7.5"
          },
          {
            "name": "[debian-lts-announce] 20231013 [SECURITY] [DLA 3617-1] tomcat9 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"
          },
          {
            "name": "[oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/10/13/4"
          },
          {
            "name": "[oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/10/13/9"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html"
          },
          {
            "name": "FEDORA-2023-ed2642fd58",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/"
          },
          {
            "name": "[debian-lts-announce] 20231016 [SECURITY] [DLA 3621-1] nghttp2 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20231016-0001/"
          },
          {
            "name": "[debian-lts-announce] 20231016 [SECURITY] [DLA 3617-2] tomcat9 regression update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html"
          },
          {
            "name": "[oss-security] 20231018 Vulnerability in Jenkins",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/10/18/4"
          },
          {
            "name": "[oss-security] 20231018 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/10/18/8"
          },
          {
            "name": "[oss-security] 20231019 CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/10/19/6"
          },
          {
            "name": "FEDORA-2023-54fadada12",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/"
          },
          {
            "name": "FEDORA-2023-5ff7bf1dd8",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/"
          },
          {
            "name": "[oss-security] 20231020 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/10/20/8"
          },
          {
            "name": "FEDORA-2023-17efd3f2cd",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/"
          },
          {
            "name": "FEDORA-2023-d5030c983c",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/"
          },
          {
            "name": "FEDORA-2023-0259c3f26f",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/"
          },
          {
            "name": "FEDORA-2023-2a9214af5f",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/"
          },
          {
            "name": "FEDORA-2023-e9c04d81c1",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/"
          },
          {
            "name": "FEDORA-2023-f66fc0f62a",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/"
          },
          {
            "name": "FEDORA-2023-4d2fd884ea",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/"
          },
          {
            "name": "FEDORA-2023-b2c50535cb",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/"
          },
          {
            "name": "FEDORA-2023-fe53e13b5b",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"
          },
          {
            "name": "FEDORA-2023-4bf641255e",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"
          },
          {
            "name": "[debian-lts-announce] 20231030 [SECURITY] [DLA 3641-1] jetty9 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html"
          },
          {
            "name": "DSA-5540",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5540"
          },
          {
            "name": "[debian-lts-announce] 20231031 [SECURITY] [DLA 3638-1] h2o security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715"
          },
          {
            "name": "FEDORA-2023-1caffb88af",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/"
          },
          {
            "name": "FEDORA-2023-3f70b8d406",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/"
          },
          {
            "name": "FEDORA-2023-7b52921cae",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/"
          },
          {
            "name": "FEDORA-2023-7934802344",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/"
          },
          {
            "name": "FEDORA-2023-dbe64661af",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/"
          },
          {
            "name": "FEDORA-2023-822aab0a5a",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"
          },
          {
            "name": "[debian-lts-announce] 20231105 [SECURITY] [DLA 3645-1] trafficserver security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html"
          },
          {
            "name": "DSA-5549",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5549"
          },
          {
            "name": "FEDORA-2023-c0c6a91330",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/"
          },
          {
            "name": "FEDORA-2023-492b7be466",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/"
          },
          {
            "name": "DSA-5558",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5558"
          },
          {
            "name": "[debian-lts-announce] 20231119 [SECURITY] [DLA 3656-1] netty security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html"
          },
          {
            "name": "GLSA-202311-09",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202311-09"
          },
          {
            "name": "DSA-5570",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5570"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240426-0007/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240621-0007/"
          },
          {
            "url": "https://www.vicarius.io/vsociety/posts/rapid-reset-cve-2023-44487-dos-in-http2-understanding-the-root-cause"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-07T20:05:34.376Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73"
        },
        {
          "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/"
        },
        {
          "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/"
        },
        {
          "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack"
        },
        {
          "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/"
        },
        {
          "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/"
        },
        {
          "url": "https://news.ycombinator.com/item?id=37831062"
        },
        {
          "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/"
        },
        {
          "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack"
        },
        {
          "url": "https://github.com/envoyproxy/envoy/pull/30055"
        },
        {
          "url": "https://github.com/haproxy/haproxy/issues/2312"
        },
        {
          "url": "https://github.com/eclipse/jetty.project/issues/10679"
        },
        {
          "url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764"
        },
        {
          "url": "https://github.com/nghttp2/nghttp2/pull/1961"
        },
        {
          "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61"
        },
        {
          "url": "https://github.com/alibaba/tengine/issues/1872"
        },
        {
          "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2"
        },
        {
          "url": "https://news.ycombinator.com/item?id=37830987"
        },
        {
          "url": "https://news.ycombinator.com/item?id=37830998"
        },
        {
          "url": "https://github.com/caddyserver/caddy/issues/5877"
        },
        {
          "url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/"
        },
        {
          "url": "https://github.com/bcdannyboy/CVE-2023-44487"
        },
        {
          "url": "https://github.com/grpc/grpc-go/pull/6703"
        },
        {
          "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244"
        },
        {
          "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0"
        },
        {
          "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html"
        },
        {
          "url": "https://my.f5.com/manage/s/article/K000137106"
        },
        {
          "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/"
        },
        {
          "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988"
        },
        {
          "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9"
        },
        {
          "name": "[oss-security] 20231010 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2023/10/10/7"
        },
        {
          "name": "[oss-security] 20231010 CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2023/10/10/6"
        },
        {
          "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected"
        },
        {
          "url": "https://github.com/microsoft/CBL-Mariner/pull/6381"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo"
        },
        {
          "url": "https://github.com/facebook/proxygen/pull/466"
        },
        {
          "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088"
        },
        {
          "url": "https://github.com/micrictor/http2-rst-stream"
        },
        {
          "url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve"
        },
        {
          "url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/"
        },
        {
          "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf"
        },
        {
          "url": "https://github.com/h2o/h2o/pull/3291"
        },
        {
          "url": "https://github.com/nodejs/node/pull/50121"
        },
        {
          "url": "https://github.com/dotnet/announcements/issues/277"
        },
        {
          "url": "https://github.com/golang/go/issues/63417"
        },
        {
          "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg"
        },
        {
          "url": "https://github.com/apache/trafficserver/pull/10564"
        },
        {
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487"
        },
        {
          "url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14"
        },
        {
          "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6"
        },
        {
          "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487"
        },
        {
          "url": "https://github.com/opensearch-project/data-prepper/issues/3474"
        },
        {
          "url": "https://github.com/kubernetes/kubernetes/pull/121120"
        },
        {
          "url": "https://github.com/oqtane/oqtane.framework/discussions/3367"
        },
        {
          "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p"
        },
        {
          "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html"
        },
        {
          "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"
        },
        {
          "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/"
        },
        {
          "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack"
        },
        {
          "url": "https://news.ycombinator.com/item?id=37837043"
        },
        {
          "url": "https://github.com/kazu-yamamoto/http2/issues/93"
        },
        {
          "url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html"
        },
        {
          "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1"
        },
        {
          "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113"
        },
        {
          "name": "DSA-5522",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2023/dsa-5522"
        },
        {
          "name": "DSA-5521",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2023/dsa-5521"
        },
        {
          "url": "https://access.redhat.com/security/cve/cve-2023-44487"
        },
        {
          "url": "https://github.com/ninenines/cowboy/issues/1615"
        },
        {
          "url": "https://github.com/varnishcache/varnish-cache/issues/3996"
        },
        {
          "url": "https://github.com/tempesta-tech/tempesta/issues/1986"
        },
        {
          "url": "https://blog.vespa.ai/cve-2023-44487/"
        },
        {
          "url": "https://github.com/etcd-io/etcd/issues/16740"
        },
        {
          "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event"
        },
        {
          "url": "https://istio.io/latest/news/security/istio-security-2023-004/"
        },
        {
          "url": "https://github.com/junkurihara/rust-rpxy/issues/97"
        },
        {
          "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803"
        },
        {
          "url": "https://ubuntu.com/security/CVE-2023-44487"
        },
        {
          "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125"
        },
        {
          "url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3"
        },
        {
          "url": "https://github.com/apache/httpd-site/pull/10"
        },
        {
          "url": "https://github.com/projectcontour/contour/pull/5826"
        },
        {
          "url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632"
        },
        {
          "url": "https://github.com/line/armeria/pull/5232"
        },
        {
          "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/"
        },
        {
          "url": "https://security.paloaltonetworks.com/CVE-2023-44487"
        },
        {
          "url": "https://github.com/akka/akka-http/issues/4323"
        },
        {
          "url": "https://github.com/openresty/openresty/issues/930"
        },
        {
          "url": "https://github.com/apache/apisix/issues/10320"
        },
        {
          "url": "https://github.com/Azure/AKS/issues/3947"
        },
        {
          "url": "https://github.com/Kong/kong/discussions/11741"
        },
        {
          "url": "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487"
        },
        {
          "url": "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/"
        },
        {
          "url": "https://github.com/caddyserver/caddy/releases/tag/v2.7.5"
        },
        {
          "name": "[debian-lts-announce] 20231013 [SECURITY] [DLA 3617-1] tomcat9 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"
        },
        {
          "name": "[oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2023/10/13/4"
        },
        {
          "name": "[oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2023/10/13/9"
        },
        {
          "url": "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/"
        },
        {
          "url": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html"
        },
        {
          "name": "FEDORA-2023-ed2642fd58",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/"
        },
        {
          "url": "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/"
        },
        {
          "name": "[debian-lts-announce] 20231016 [SECURITY] [DLA 3621-1] nghttp2 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20231016-0001/"
        },
        {
          "name": "[debian-lts-announce] 20231016 [SECURITY] [DLA 3617-2] tomcat9 regression update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html"
        },
        {
          "name": "[oss-security] 20231018 Vulnerability in Jenkins",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2023/10/18/4"
        },
        {
          "name": "[oss-security] 20231018 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2023/10/18/8"
        },
        {
          "name": "[oss-security] 20231019 CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2023/10/19/6"
        },
        {
          "name": "FEDORA-2023-54fadada12",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/"
        },
        {
          "name": "FEDORA-2023-5ff7bf1dd8",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/"
        },
        {
          "name": "[oss-security] 20231020 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2023/10/20/8"
        },
        {
          "name": "FEDORA-2023-17efd3f2cd",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/"
        },
        {
          "name": "FEDORA-2023-d5030c983c",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/"
        },
        {
          "name": "FEDORA-2023-0259c3f26f",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/"
        },
        {
          "name": "FEDORA-2023-2a9214af5f",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/"
        },
        {
          "name": "FEDORA-2023-e9c04d81c1",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/"
        },
        {
          "name": "FEDORA-2023-f66fc0f62a",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/"
        },
        {
          "name": "FEDORA-2023-4d2fd884ea",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/"
        },
        {
          "name": "FEDORA-2023-b2c50535cb",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/"
        },
        {
          "name": "FEDORA-2023-fe53e13b5b",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"
        },
        {
          "name": "FEDORA-2023-4bf641255e",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"
        },
        {
          "name": "[debian-lts-announce] 20231030 [SECURITY] [DLA 3641-1] jetty9 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html"
        },
        {
          "name": "DSA-5540",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2023/dsa-5540"
        },
        {
          "name": "[debian-lts-announce] 20231031 [SECURITY] [DLA 3638-1] h2o security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html"
        },
        {
          "url": "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715"
        },
        {
          "name": "FEDORA-2023-1caffb88af",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/"
        },
        {
          "name": "FEDORA-2023-3f70b8d406",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/"
        },
        {
          "name": "FEDORA-2023-7b52921cae",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/"
        },
        {
          "name": "FEDORA-2023-7934802344",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/"
        },
        {
          "name": "FEDORA-2023-dbe64661af",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/"
        },
        {
          "name": "FEDORA-2023-822aab0a5a",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"
        },
        {
          "name": "[debian-lts-announce] 20231105 [SECURITY] [DLA 3645-1] trafficserver security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html"
        },
        {
          "name": "DSA-5549",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2023/dsa-5549"
        },
        {
          "name": "FEDORA-2023-c0c6a91330",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/"
        },
        {
          "name": "FEDORA-2023-492b7be466",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/"
        },
        {
          "name": "DSA-5558",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2023/dsa-5558"
        },
        {
          "name": "[debian-lts-announce] 20231119 [SECURITY] [DLA 3656-1] netty security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html"
        },
        {
          "name": "GLSA-202311-09",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202311-09"
        },
        {
          "name": "DSA-5570",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2023/dsa-5570"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240426-0007/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240621-0007/"
        },
        {
          "url": "https://github.com/grpc/grpc/releases/tag/v1.59.2"
        },
        {
          "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http2-reset-d8Kf32vZ"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2023-44487",
    "datePublished": "2023-10-10T00:00:00.000Z",
    "dateReserved": "2023-09-29T00:00:00.000Z",
    "dateUpdated": "2025-06-07T20:05:34.376Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-10174 (GCVE-0-2019-10174)
Vulnerability from cvelistv5
Published
2019-11-25 10:26
Modified
2024-08-04 22:10
Severity ?
7.5 (High) - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
Summary
A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2020:0481vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2020:0727vendor-advisory, x_refsource_REDHAT
https://security.netapp.com/advisory/ntap-20220210-0018/x_refsource_CONFIRM
Impacted products
Vendor Product Version
[UNKNOWN] infinispan Version: 10.0.0.Final
Version: 9.4.17.Final
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:10:10.097Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174"
          },
          {
            "name": "RHSA-2020:0481",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0481"
          },
          {
            "name": "RHSA-2020:0727",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0727"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220210-0018/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "infinispan",
          "vendor": "[UNKNOWN]",
          "versions": [
            {
              "status": "affected",
              "version": "10.0.0.Final"
            },
            {
              "status": "affected",
              "version": "9.4.17.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan\u0027s privileges. The attacker can use reflection to introduce new, malicious behavior into the application."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-470",
              "description": "CWE-470",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-10T09:06:27",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174"
        },
        {
          "name": "RHSA-2020:0481",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0481"
        },
        {
          "name": "RHSA-2020:0727",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0727"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220210-0018/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2019-10174",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "infinispan",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "10.0.0.Final"
                          },
                          {
                            "version_value": "9.4.17.Final"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "[UNKNOWN]"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan\u0027s privileges. The attacker can use reflection to introduce new, malicious behavior into the application."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "7.5/CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-470"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174"
            },
            {
              "name": "RHSA-2020:0481",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0481"
            },
            {
              "name": "RHSA-2020:0727",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0727"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220210-0018/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220210-0018/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2019-10174",
    "datePublished": "2019-11-25T10:26:16",
    "dateReserved": "2019-03-27T00:00:00",
    "dateUpdated": "2024-08-04T22:10:10.097Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-3827 (GCVE-0-2021-3827)
Vulnerability from cvelistv5
Published
2022-08-23 15:52
Modified
2024-08-03 17:09
Severity ?
CWE
  • CWE-287 - - Improper Authentication
Summary
A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user's credentials. The highest threat from this vulnerability is to confidentiality and integrity.
References
https://github.com/keycloak/keycloak/security/advisories/GHSA-4pc7-vqv5-5r3vx_refsource_MISC
https://github.com/keycloak/keycloak/commit/44000caaf5051d7f218d1ad79573bd3d175cad0dx_refsource_MISC
https://bugzilla.redhat.com/show_bug.cgi?id=2007512x_refsource_MISC
https://access.redhat.com/security/cve/CVE-2021-3827x_refsource_MISC
Impacted products
Vendor Product Version
n/a keycloak Version: Fixed in v18.0.0
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:09:09.546Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-4pc7-vqv5-5r3v"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/keycloak/keycloak/commit/44000caaf5051d7f218d1ad79573bd3d175cad0d"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2007512"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2021-3827"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "keycloak",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Fixed in v18.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user\u0027s credentials. The highest threat from this vulnerability is to confidentiality and integrity."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287 - Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-23T15:52:50",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-4pc7-vqv5-5r3v"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/keycloak/keycloak/commit/44000caaf5051d7f218d1ad79573bd3d175cad0d"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2007512"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2021-3827"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2021-3827",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "keycloak",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Fixed in v18.0.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user\u0027s credentials. The highest threat from this vulnerability is to confidentiality and integrity."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-287 - Improper Authentication"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/keycloak/keycloak/security/advisories/GHSA-4pc7-vqv5-5r3v",
              "refsource": "MISC",
              "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-4pc7-vqv5-5r3v"
            },
            {
              "name": "https://github.com/keycloak/keycloak/commit/44000caaf5051d7f218d1ad79573bd3d175cad0d",
              "refsource": "MISC",
              "url": "https://github.com/keycloak/keycloak/commit/44000caaf5051d7f218d1ad79573bd3d175cad0d"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2007512",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2007512"
            },
            {
              "name": "https://access.redhat.com/security/cve/CVE-2021-3827",
              "refsource": "MISC",
              "url": "https://access.redhat.com/security/cve/CVE-2021-3827"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2021-3827",
    "datePublished": "2022-08-23T15:52:50",
    "dateReserved": "2021-09-24T00:00:00",
    "dateUpdated": "2024-08-03T17:09:09.546Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-1717 (GCVE-0-2020-1717)
Vulnerability from cvelistv5
Published
2021-02-11 15:27
Modified
2024-08-04 06:46
Severity ?
CWE
Summary
A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack.
References
https://bugzilla.redhat.com/show_bug.cgi?id=1796281x_refsource_MISC
https://issues.jboss.org/browse/KEYCLOAK-12014x_refsource_MISC
Impacted products
Vendor Product Version
n/a keycloak Version: keycloak 7.0.1
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T06:46:29.996Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1796281"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://issues.jboss.org/browse/KEYCLOAK-12014"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "keycloak",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "keycloak 7.0.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-209",
              "description": "CWE-209",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-02-11T15:27:07",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1796281"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://issues.jboss.org/browse/KEYCLOAK-12014"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-1717",
    "datePublished": "2021-02-11T15:27:07",
    "dateReserved": "2019-11-27T00:00:00",
    "dateUpdated": "2024-08-04T06:46:29.996Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-2237 (GCVE-0-2022-2237)
Vulnerability from cvelistv5
Published
2023-03-27 00:00
Modified
2025-02-24 19:15
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE
Summary
A flaw was found in the Keycloak Node.js Adapter. This flaw allows an attacker to benefit from an Open Redirect vulnerability in the checkSso function.
References
https://bugzilla.redhat.com/show_bug.cgi?id=2097007
Impacted products
Vendor Product Version
n/a Keycloak Version: unknown
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:32:09.552Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2097007"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-2237",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-24T19:14:56.710280Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-24T19:15:29.345Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Keycloak",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "unknown"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in the Keycloak Node.js Adapter. This flaw allows an attacker to benefit from an Open Redirect vulnerability in the checkSso function."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-03-27T00:00:00.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2097007"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2022-2237",
    "datePublished": "2023-03-27T00:00:00.000Z",
    "dateReserved": "2022-06-28T00:00:00.000Z",
    "dateUpdated": "2025-02-24T19:15:29.345Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-14820 (GCVE-0-2019-14820)
Vulnerability from cvelistv5
Published
2020-01-08 14:50
Modified
2024-08-05 00:26
Severity ?
4.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE
Summary
It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information.
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14820x_refsource_CONFIRM
Impacted products
Vendor Product Version
keycloak keycloak Version: fixed in 8.0.0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T00:26:39.126Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14820"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "keycloak",
          "vendor": "keycloak",
          "versions": [
            {
              "status": "affected",
              "version": "fixed in 8.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-01-08T14:50:44",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14820"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2019-14820",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "keycloak",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "fixed in 8.0.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "keycloak"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-200"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14820",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14820"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2019-14820",
    "datePublished": "2020-01-08T14:50:44",
    "dateReserved": "2019-08-10T00:00:00",
    "dateUpdated": "2024-08-05T00:26:39.126Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-1278 (GCVE-0-2022-1278)
Vulnerability from cvelistv5
Published
2022-09-13 13:38
Modified
2024-08-02 23:55
Severity ?
CWE
Summary
A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain.
References
https://bugzilla.redhat.com/show_bug.cgi?id=2073401x_refsource_MISC
Impacted products
Vendor Product Version
n/a WildFly Version: no fixed versions known
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:55:24.610Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073401"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "WildFly",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "no fixed versions known"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1188",
              "description": "CWE-1188",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-13T13:38:02",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073401"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2022-1278",
    "datePublished": "2022-09-13T13:38:02",
    "dateReserved": "2022-04-08T00:00:00",
    "dateUpdated": "2024-08-02T23:55:24.610Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-3859 (GCVE-0-2021-3859)
Vulnerability from cvelistv5
Published
2022-08-26 00:00
Modified
2024-08-03 17:09
Severity ?
CWE
  • CWE-214 - - Invocation of Process Using Visible Sensitive Information
Summary
A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.
References
https://bugzilla.redhat.com/show_bug.cgi?id=2010378
https://issues.redhat.com/browse/UNDERTOW-1979
https://github.com/undertow-io/undertow/pull/1296
https://github.com/undertow-io/undertow/commit/e43f0ada3f4da6e8579e0020cec3cb1a81e487c2
https://access.redhat.com/security/cve/CVE-2021-3859
https://security.netapp.com/advisory/ntap-20221201-0004/
Impacted products
Vendor Product Version
n/a undertow Version: Fixed in 2.2.15.Final
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:09:09.581Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://issues.redhat.com/browse/UNDERTOW-1979"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/undertow-io/undertow/pull/1296"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/undertow-io/undertow/commit/e43f0ada3f4da6e8579e0020cec3cb1a81e487c2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2021-3859"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20221201-0004/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "undertow",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Fixed in 2.2.15.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-214",
              "description": "CWE-214 - Invocation of Process Using Visible Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-12-02T00:00:00",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2010378"
        },
        {
          "url": "https://issues.redhat.com/browse/UNDERTOW-1979"
        },
        {
          "url": "https://github.com/undertow-io/undertow/pull/1296"
        },
        {
          "url": "https://github.com/undertow-io/undertow/commit/e43f0ada3f4da6e8579e0020cec3cb1a81e487c2"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2021-3859"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20221201-0004/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2021-3859",
    "datePublished": "2022-08-26T00:00:00",
    "dateReserved": "2021-10-05T00:00:00",
    "dateUpdated": "2024-08-03T17:09:09.581Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-3223 (GCVE-0-2023-3223)
Vulnerability from cvelistv5
Published
2023-09-27 13:54
Modified
2024-08-02 06:48
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE
  • CWE-789 - Memory Allocation with Excessive Size Value
Summary
A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it's possible to bypass the limit by setting the file name in the request to null.
References
https://access.redhat.com/errata/RHSA-2023:4505vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:4506vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:4507vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:4509vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:4918vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:4919vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:4920vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:4921vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:4924vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:7247vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2023-3223vdb-entry, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2209689issue-tracking, x_refsource_REDHAT
https://security.netapp.com/advisory/ntap-20231027-0004/
Impacted products
Vendor Product Version
Red Hat Red Hat Fuse 7.12.1     cpe:/a:redhat:jboss_fuse:7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.1.0     cpe:/a:redhat:jboss_enterprise_application_platform:7.4
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Unaffected: 0:2.2.25-3.SP3_redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 Unaffected: 0:2.2.25-3.SP3_redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Unaffected: 0:2.2.25-3.SP3_redhat_00001.1.el7eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6.5     cpe:/a:redhat:red_hat_single_sign_on:7.6.5
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 7 Unaffected: 0:18.0.9-1.redhat_00001.1.el7sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el7
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 8 Unaffected: 0:18.0.9-1.redhat_00001.1.el8sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el8
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 9 Unaffected: 0:18.0.9-1.redhat_00001.1.el9sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el9
 Create a notification for this product.
   Red Hat RHEL-8 based Middleware Containers Unaffected: 7.6-27   < *
    cpe:/a:redhat:rhosemc:1.0::el8
 Create a notification for this product.
   Red Hat Red Hat build of Quarkus     cpe:/a:redhat:quarkus:2
 Create a notification for this product.
   Red Hat Red Hat Data Grid 8     cpe:/a:redhat:jboss_data_grid:8
 Create a notification for this product.
   Red Hat Red Hat Decision Manager 7     cpe:/a:redhat:jboss_enterprise_brms_platform:7
 Create a notification for this product.
   Red Hat Red Hat Integration Camel K     cpe:/a:redhat:integration:1
 Create a notification for this product.
   Red Hat Red Hat Integration Service Registry     cpe:/a:redhat:service_registry:2
 Create a notification for this product.
   Red Hat Red Hat JBoss Data Grid 7     cpe:/a:redhat:jboss_data_grid:7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack     cpe:/a:redhat:jbosseapxp
 Create a notification for this product.
   Red Hat Red Hat JBoss Fuse 6     cpe:/a:redhat:jboss_fuse:6
 Create a notification for this product.
   Red Hat Red Hat OpenStack Platform 13 (Queens) Operational Tools     cpe:/a:redhat:openstack-optools:13
 Create a notification for this product.
   Red Hat Red Hat Process Automation 7     cpe:/a:redhat:jboss_enterprise_bpms_platform:7
 Create a notification for this product.
   Red Hat Red Hat support for Spring Boot     cpe:/a:redhat:openshift_application_runtimes:1.0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-3223",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-13T20:07:40.554787Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-13T20:07:46.970Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T06:48:07.955Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2023:4505",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:4505"
          },
          {
            "name": "RHSA-2023:4506",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:4506"
          },
          {
            "name": "RHSA-2023:4507",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:4507"
          },
          {
            "name": "RHSA-2023:4509",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:4509"
          },
          {
            "name": "RHSA-2023:4918",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:4918"
          },
          {
            "name": "RHSA-2023:4919",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:4919"
          },
          {
            "name": "RHSA-2023:4920",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:4920"
          },
          {
            "name": "RHSA-2023:4921",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:4921"
          },
          {
            "name": "RHSA-2023:4924",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:4924"
          },
          {
            "name": "RHSA-2023:7247",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:7247"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2023-3223"
          },
          {
            "name": "RHBZ#2209689",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2209689"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20231027-0004/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_fuse:7"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "product": "Red Hat Fuse 7.12.1",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "product": "Red Hat JBoss Enterprise Application Platform 7.1.0",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-undertow",
          "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.2.25-3.SP3_redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-undertow",
          "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.2.25-3.SP3_redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-undertow",
          "product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.2.25-3.SP3_redhat_00001.1.el7eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6.5"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "product": "Red Hat Single Sign-On 7.6.5",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.9-1.redhat_00001.1.el7sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.9-1.redhat_00001.1.el8sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.9-1.redhat_00001.1.el9sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso-7/sso76-openshift-rhel8",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.6-27",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:quarkus:2"
          ],
          "defaultStatus": "unaffected",
          "packageName": "io.quarkus/quarkus-undertow",
          "product": "Red Hat build of Quarkus",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_data_grid:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "product": "Red Hat Data Grid 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
          ],
          "defaultStatus": "affected",
          "packageName": "undertow",
          "product": "Red Hat Decision Manager 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:integration:1"
          ],
          "defaultStatus": "affected",
          "packageName": "undertow",
          "product": "Red Hat Integration Camel K",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:service_registry:2"
          ],
          "defaultStatus": "affected",
          "packageName": "undertow",
          "product": "Red Hat Integration Service Registry",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_data_grid:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "undertow",
          "product": "Red Hat JBoss Data Grid 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jbosseapxp"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_fuse:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "undertow",
          "product": "Red Hat JBoss Fuse 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openstack-optools:13"
          ],
          "defaultStatus": "unknown",
          "packageName": "undertow",
          "product": "Red Hat OpenStack Platform 13 (Queens) Operational Tools",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
          ],
          "defaultStatus": "affected",
          "packageName": "undertow",
          "product": "Red Hat Process Automation 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_application_runtimes:1.0"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "product": "Red Hat support for Spring Boot",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Keke Lian \u0026 Haoran Zhao (SecSys Lab) for reporting this issue."
        }
      ],
      "datePublic": "2023-08-07T00:00:00+00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it\u0027s possible to bypass the limit by setting the file name in the request to null."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-789",
              "description": "Memory Allocation with Excessive Size Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-03T15:32:37.244Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2023:4505",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:4505"
        },
        {
          "name": "RHSA-2023:4506",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:4506"
        },
        {
          "name": "RHSA-2023:4507",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:4507"
        },
        {
          "name": "RHSA-2023:4509",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:4509"
        },
        {
          "name": "RHSA-2023:4918",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:4918"
        },
        {
          "name": "RHSA-2023:4919",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:4919"
        },
        {
          "name": "RHSA-2023:4920",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:4920"
        },
        {
          "name": "RHSA-2023:4921",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:4921"
        },
        {
          "name": "RHSA-2023:4924",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:4924"
        },
        {
          "name": "RHSA-2023:7247",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:7247"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2023-3223"
        },
        {
          "name": "RHBZ#2209689",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2209689"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20231027-0004/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-05-24T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2023-08-07T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Undertow: outofmemoryerror due to @multipartconfig handling",
      "x_redhatCweChain": "CWE-789: Memory Allocation with Excessive Size Value"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-3223",
    "datePublished": "2023-09-27T13:54:44.682Z",
    "dateReserved": "2023-06-13T15:50:40.922Z",
    "dateUpdated": "2024-08-02T06:48:07.955Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-1635 (GCVE-0-2024-1635)
Vulnerability from cvelistv5
Published
2024-02-19 21:23
Modified
2025-07-08 05:11
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Summary
A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak.
References
https://access.redhat.com/errata/RHSA-2024:1674vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1675vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1676vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1677vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1860vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1861vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1862vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1864vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1866vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:3354vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:4884vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2025:4226vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2025:9583vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-1635vdb-entry, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2264928issue-tracking, x_refsource_REDHAT
Impacted products
Vendor Product Version
Version: 1.31.0
 Create a notification for this product.
   Red Hat Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2     cpe:/a:redhat:apache_camel_spring_boot:4.4::el6
 Create a notification for this product.
   Red Hat Red Hat Fuse 7.13.0     cpe:/a:redhat:jboss_fuse:7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7     cpe:/a:redhat:jboss_enterprise_application_platform:7.4
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Unaffected: 0:1.5.5.016-1.redhat_00001.1.ep7.el7   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Unaffected: 1:1.5.5.016-1.redhat_00001.1.ep7.el7   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Unaffected: 0:3.5.11-1.Final_redhat_00001.1.ep7.el7   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Unaffected: 0:1.14.2-1.redhat_00002.1.ep7.el7   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Unaffected: 0:1.4.18-14.SP13_redhat_00001.1.ep7.el7   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Unaffected: 0:7.1.10-2.GA_redhat_00002.1.ep7.el7   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Unaffected: 0:5.0.3-2.redhat_00002.1.ep7.el7   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Unaffected: 0:2.0.10-2.redhat_00002.1.ep7.el7   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Unaffected: 0:2.10.4-3.redhat_00006.1.el7eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Unaffected: 0:2.10.4-3.redhat_00006.1.el7eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Unaffected: 0:2.10.4-5.redhat_00006.1.el7eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Unaffected: 0:2.10.4-3.redhat_00006.1.el7eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Unaffected: 0:2.10.4-5.redhat_00006.1.el7eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Unaffected: 0:2.10.4-2.redhat_00006.1.el7eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Unaffected: 0:1.7.2-16.Final_redhat_00017.1.el7eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Unaffected: 0:4.1.63-5.Final_redhat_00003.1.el7eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Unaffected: 0:2.0.41-4.SP5_redhat_00001.1.el7eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Unaffected: 0:7.3.14-3.GA_redhat_00002.1.el7eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Unaffected: 0:1.10.17-1.Final_redhat_00001.1.el7eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Unaffected: 0:2.2.30-1.SP1_redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 Unaffected: 0:2.2.30-1.SP1_redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Unaffected: 0:2.2.30-1.SP1_redhat_00001.1.el7eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 7 Unaffected: 0:18.0.13-1.redhat_00001.1.el7sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el7
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 8 Unaffected: 0:18.0.13-1.redhat_00001.1.el8sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el8
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 9 Unaffected: 0:18.0.13-1.redhat_00001.1.el9sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el9
 Create a notification for this product.
   Red Hat RHEL-8 based Middleware Containers Unaffected: 7.6-46   < *
    cpe:/a:redhat:rhosemc:1.0::el8
 Create a notification for this product.
   Red Hat RHSSO 7.6.8     cpe:/a:redhat:red_hat_single_sign_on:7.6
 Create a notification for this product.
   Red Hat OpenShift Serverless     cpe:/a:redhat:serverless:1
 Create a notification for this product.
   Red Hat Red Hat build of Apache Camel 4 for Quarkus 3     cpe:/a:redhat:camel_quarkus:3
 Create a notification for this product.
   Red Hat Red Hat build of Apache Camel for Spring Boot 3     cpe:/a:redhat:camel_spring_boot:3
 Create a notification for this product.
   Red Hat Red Hat build of Apache Camel for Spring Boot 4     cpe:/a:redhat:camel_spring_boot:4
 Create a notification for this product.
   Red Hat Red Hat build of Apicurio Registry 2     cpe:/a:redhat:service_registry:2
 Create a notification for this product.
   Red Hat Red Hat Build of Keycloak     cpe:/a:redhat:build_keycloak:
 Create a notification for this product.
   Red Hat Red Hat build of OptaPlanner 8     cpe:/a:redhat:optaplanner:::el6
 Create a notification for this product.
   Red Hat Red Hat build of Quarkus     cpe:/a:redhat:quarkus:3
 Create a notification for this product.
   Red Hat Red Hat Data Grid 8     cpe:/a:redhat:jboss_data_grid:8
 Create a notification for this product.
   Red Hat Red Hat Integration Camel K 1     cpe:/a:redhat:integration:1
 Create a notification for this product.
   Red Hat Red Hat Integration Camel Quarkus 2     cpe:/a:redhat:camel_quarkus:2
 Create a notification for this product.
   Red Hat Red Hat JBoss Data Grid 7     cpe:/a:redhat:jboss_data_grid:7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8     cpe:/a:redhat:jboss_enterprise_application_platform:8
 Create a notification for this product.
   Red Hat Red Hat JBoss Fuse Service Works 6     cpe:/a:redhat:jboss_fuse_service_works:6
 Create a notification for this product.
   Red Hat Red Hat Process Automation 7     cpe:/a:redhat:jboss_enterprise_bpms_platform:7
 Create a notification for this product.
   Red Hat streams for Apache Kafka     cpe:/a:redhat:amq_streams:1
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-1635",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-22T16:54:05.178381Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-05T13:50:19.172Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T18:48:21.580Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2024:1674",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:1674"
          },
          {
            "name": "RHSA-2024:1675",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:1675"
          },
          {
            "name": "RHSA-2024:1676",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:1676"
          },
          {
            "name": "RHSA-2024:1677",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:1677"
          },
          {
            "name": "RHSA-2024:1860",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:1860"
          },
          {
            "name": "RHSA-2024:1861",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:1861"
          },
          {
            "name": "RHSA-2024:1862",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:1862"
          },
          {
            "name": "RHSA-2024:1864",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:1864"
          },
          {
            "name": "RHSA-2024:1866",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:1866"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2024-1635"
          },
          {
            "name": "RHBZ#2264928",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264928"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240322-0007/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/undertow-io/undertow",
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "versions": [
            {
              "status": "affected",
              "version": "1.31.0"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:apache_camel_spring_boot:4.4::el6"
          ],
          "defaultStatus": "unaffected",
          "product": "Red Hat build of Apache Camel 4.4.1 for Spring Boot 3.2",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_fuse:7"
          ],
          "defaultStatus": "unaffected",
          "product": "Red Hat Fuse 7.13.0",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow-core",
          "product": "Red Hat JBoss Enterprise Application Platform 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-activemq-artemis",
          "product": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.5.5.016-1.redhat_00001.1.ep7.el7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-artemis-native",
          "product": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1:1.5.5.016-1.redhat_00001.1.ep7.el7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-jboss-xnio-base",
          "product": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.5.11-1.Final_redhat_00001.1.ep7.el7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-jsoup",
          "product": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.14.2-1.redhat_00002.1.ep7.el7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-undertow",
          "product": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.4.18-14.SP13_redhat_00001.1.ep7.el7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-wildfly",
          "product": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:7.1.10-2.GA_redhat_00002.1.ep7.el7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-woodstox-core",
          "product": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:5.0.3-2.redhat_00002.1.ep7.el7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-xml-security",
          "product": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.0.10-2.redhat_00002.1.ep7.el7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-jackson-annotations",
          "product": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.10.4-3.redhat_00006.1.el7eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-jackson-core",
          "product": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.10.4-3.redhat_00006.1.el7eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-jackson-databind",
          "product": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.10.4-5.redhat_00006.1.el7eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-jackson-jaxrs-providers",
          "product": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.10.4-3.redhat_00006.1.el7eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-jackson-modules-base",
          "product": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.10.4-5.redhat_00006.1.el7eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-jackson-modules-java8",
          "product": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.10.4-2.redhat_00006.1.el7eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-jboss-server-migration",
          "product": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.7.2-16.Final_redhat_00017.1.el7eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-netty",
          "product": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:4.1.63-5.Final_redhat_00003.1.el7eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-undertow",
          "product": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.0.41-4.SP5_redhat_00001.1.el7eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-wildfly",
          "product": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:7.3.14-3.GA_redhat_00002.1.el7eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-wildfly-elytron",
          "product": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.10.17-1.Final_redhat_00001.1.el7eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-undertow",
          "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.2.30-1.SP1_redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-undertow",
          "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.2.30-1.SP1_redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-undertow",
          "product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.2.30-1.SP1_redhat_00001.1.el7eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.13-1.redhat_00001.1.el7sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.13-1.redhat_00001.1.el8sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.13-1.redhat_00001.1.el9sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso-7/sso76-openshift-rhel8",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.6-46",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "product": "RHSSO 7.6.8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:serverless:1"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "product": "OpenShift Serverless",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:camel_quarkus:3"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "product": "Red Hat build of Apache Camel 4 for Quarkus 3",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:camel_spring_boot:3"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "product": "Red Hat build of Apache Camel for Spring Boot 3",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:camel_spring_boot:4"
          ],
          "defaultStatus": "affected",
          "packageName": "undertow",
          "product": "Red Hat build of Apache Camel for Spring Boot 4",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:service_registry:2"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "product": "Red Hat build of Apicurio Registry 2",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "product": "Red Hat Build of Keycloak",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:optaplanner:::el6"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "product": "Red Hat build of OptaPlanner 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:quarkus:3"
          ],
          "defaultStatus": "unaffected",
          "packageName": "io.quarkus/quarkus-undertow",
          "product": "Red Hat build of Quarkus",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_data_grid:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "product": "Red Hat Data Grid 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:integration:1"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "product": "Red Hat Integration Camel K 1",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:camel_quarkus:2"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "product": "Red Hat Integration Camel Quarkus 2",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_data_grid:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "undertow",
          "product": "Red Hat JBoss Data Grid 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow-core",
          "product": "Red Hat JBoss Enterprise Application Platform 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_fuse_service_works:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "undertow",
          "product": "Red Hat JBoss Fuse Service Works 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
          ],
          "defaultStatus": "affected",
          "packageName": "undertow",
          "product": "Red Hat Process Automation 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:amq_streams:1"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "product": "streams for Apache Kafka",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2023-10-27T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. \r\n\r\nAt HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-08T05:11:08.499Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2024:1674",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:1674"
        },
        {
          "name": "RHSA-2024:1675",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:1675"
        },
        {
          "name": "RHSA-2024:1676",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:1676"
        },
        {
          "name": "RHSA-2024:1677",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:1677"
        },
        {
          "name": "RHSA-2024:1860",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:1860"
        },
        {
          "name": "RHSA-2024:1861",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:1861"
        },
        {
          "name": "RHSA-2024:1862",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:1862"
        },
        {
          "name": "RHSA-2024:1864",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:1864"
        },
        {
          "name": "RHSA-2024:1866",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:1866"
        },
        {
          "name": "RHSA-2024:3354",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:3354"
        },
        {
          "name": "RHSA-2024:4884",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:4884"
        },
        {
          "name": "RHSA-2025:4226",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:4226"
        },
        {
          "name": "RHSA-2025:9583",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:9583"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2024-1635"
        },
        {
          "name": "RHBZ#2264928",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264928"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-02-19T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2023-10-27T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Undertow: out-of-memory error after several closed connections with wildfly-http-client protocol",
      "workarounds": [
        {
          "lang": "en",
          "value": "No mitigation is currently available for this vulnerability. However, there might be some protections, such as request limits by a load balancer in front of JBoss EAP/Wildfly or even Undertow, that could minimize the impact."
        }
      ],
      "x_redhatCweChain": "CWE-400: Uncontrolled Resource Consumption"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2024-1635",
    "datePublished": "2024-02-19T21:23:14.496Z",
    "dateReserved": "2024-02-19T17:25:58.418Z",
    "dateUpdated": "2025-07-08T05:11:08.499Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-10748 (GCVE-0-2020-10748)
Vulnerability from cvelistv5
Published
2020-09-16 17:56
Modified
2024-08-04 11:14
Severity ?
CWE
Summary
A flaw was found in Keycloak's data filter, in version 10.0.1, where it allowed the processing of data URLs in some circumstances. This flaw allows an attacker to conduct cross-site scripting or further attacks.
References
https://bugzilla.redhat.com/show_bug.cgi?id=1836786x_refsource_MISC
Impacted products
Vendor Product Version
n/a keycloak Version: keycloak 10.0.1
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:14:14.917Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1836786"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "keycloak",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "keycloak 10.0.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Keycloak\u0027s data filter, in version 10.0.1, where it allowed the processing of data URLs in some circumstances. This flaw allows an attacker to conduct cross-site scripting or further attacks."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-09-16T17:56:07",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1836786"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2020-10748",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "keycloak",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "keycloak 10.0.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A flaw was found in Keycloak\u0027s data filter, in version 10.0.1, where it allowed the processing of data URLs in some circumstances. This flaw allows an attacker to conduct cross-site scripting or further attacks."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1836786",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1836786"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-10748",
    "datePublished": "2020-09-16T17:56:07",
    "dateReserved": "2020-03-20T00:00:00",
    "dateUpdated": "2024-08-04T11:14:14.917Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-6927 (GCVE-0-2023-6927)
Vulnerability from cvelistv5
Published
2023-12-18 22:59
Modified
2024-11-23 03:46
Severity ?
4.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CWE
  • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Summary
A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt" which could be used to bypass the security patch implemented to address CVE-2023-6134.
References
https://access.redhat.com/errata/RHSA-2024:0094vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:0095vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:0096vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:0097vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:0098vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:0100vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:0101vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:0798vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:0799vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:0800vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:0801vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:0804vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2023-6927vdb-entry, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2255027issue-tracking, x_refsource_REDHAT
Impacted products
Vendor Product Version
Red Hat Red Hat build of Keycloak 22 Unaffected: 22-7   < *
    cpe:/a:redhat:build_keycloak:22::el9
 Create a notification for this product.
   Red Hat Red Hat build of Keycloak 22.0.8     cpe:/a:redhat:build_keycloak:22
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7.6
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 7 Unaffected: 0:18.0.11-3.redhat_00001.1.el7sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el7
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 7 Unaffected: 0:18.0.12-1.redhat_00001.1.el7sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el7
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 8 Unaffected: 0:18.0.11-3.redhat_00001.1.el8sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el8
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 8 Unaffected: 0:18.0.12-1.redhat_00001.1.el8sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el8
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 9 Unaffected: 0:18.0.11-3.redhat_00001.1.el9sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el9
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 9 Unaffected: 0:18.0.12-1.redhat_00001.1.el9sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el9
 Create a notification for this product.
   Red Hat RHEL-8 based Middleware Containers Unaffected: 7.6-39   < *
    cpe:/a:redhat:rhosemc:1.0::el8
 Create a notification for this product.
   Red Hat RHEL-8 based Middleware Containers Unaffected: 7.6-41   < *
    cpe:/a:redhat:rhosemc:1.0::el8
 Create a notification for this product.
   Red Hat Single Sign-On 7.6.6     cpe:/a:redhat:red_hat_single_sign_on:7.6.6
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T08:42:08.664Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2024:0094",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0094"
          },
          {
            "name": "RHSA-2024:0095",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0095"
          },
          {
            "name": "RHSA-2024:0096",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0096"
          },
          {
            "name": "RHSA-2024:0097",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0097"
          },
          {
            "name": "RHSA-2024:0098",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0098"
          },
          {
            "name": "RHSA-2024:0100",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0100"
          },
          {
            "name": "RHSA-2024:0101",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0101"
          },
          {
            "name": "RHSA-2024:0798",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0798"
          },
          {
            "name": "RHSA-2024:0799",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0799"
          },
          {
            "name": "RHSA-2024:0800",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0800"
          },
          {
            "name": "RHSA-2024:0801",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0801"
          },
          {
            "name": "RHSA-2024:0804",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0804"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2023-6927"
          },
          {
            "name": "RHBZ#2255027",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255027"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:22::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 22",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "22-7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:22"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak-core",
          "product": "Red Hat build of Keycloak 22.0.8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak-core",
          "product": "Red Hat Single Sign-On 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.11-3.redhat_00001.1.el7sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.12-1.redhat_00001.1.el7sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.11-3.redhat_00001.1.el8sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.12-1.redhat_00001.1.el8sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.11-3.redhat_00001.1.el9sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.12-1.redhat_00001.1.el9sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso-7/sso76-openshift-rhel8",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.6-39",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso-7/sso76-openshift-rhel8",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.6-41",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6.6"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak-core",
          "product": "Single Sign-On 7.6.6",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Pontus Hanssen (Pontus.Hanssen@omegapoint.se) for reporting this issue."
        }
      ],
      "datePublic": "2023-12-18T00:00:00+00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode \"form_post.jwt\" which could be used to bypass the security patch implemented to address CVE-2023-6134."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-23T03:46:21.703Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2024:0094",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0094"
        },
        {
          "name": "RHSA-2024:0095",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0095"
        },
        {
          "name": "RHSA-2024:0096",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0096"
        },
        {
          "name": "RHSA-2024:0097",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0097"
        },
        {
          "name": "RHSA-2024:0098",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0098"
        },
        {
          "name": "RHSA-2024:0100",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0100"
        },
        {
          "name": "RHSA-2024:0101",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0101"
        },
        {
          "name": "RHSA-2024:0798",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0798"
        },
        {
          "name": "RHSA-2024:0799",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0799"
        },
        {
          "name": "RHSA-2024:0800",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0800"
        },
        {
          "name": "RHSA-2024:0801",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0801"
        },
        {
          "name": "RHSA-2024:0804",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0804"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2023-6927"
        },
        {
          "name": "RHBZ#2255027",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255027"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-12-18T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2023-12-18T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Keycloak: open redirect via \"form_post.jwt\" jarm response mode",
      "workarounds": [
        {
          "lang": "en",
          "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
        }
      ],
      "x_redhatCweChain": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-6927",
    "datePublished": "2023-12-18T22:59:07.495Z",
    "dateReserved": "2023-12-18T15:44:40.245Z",
    "dateUpdated": "2024-11-23T03:46:21.703Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-10719 (GCVE-0-2020-10719)
Vulnerability from cvelistv5
Published
2020-05-26 14:57
Modified
2024-08-04 11:14
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE
Summary
A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling.
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10719x_refsource_CONFIRM
https://security.netapp.com/advisory/ntap-20220210-0014/x_refsource_CONFIRM
Impacted products
Vendor Product Version
Red Hat undertow Version: Versions before 2.1.1.Final
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:14:14.887Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10719"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220210-0014/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "undertow",
          "vendor": "Red Hat",
          "versions": [
            {
              "status": "affected",
              "version": "Versions before 2.1.1.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-10T09:06:56",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10719"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220210-0014/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2020-10719",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "undertow",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Versions before 2.1.1.Final"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Red Hat"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "6.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-444"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10719",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10719"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220210-0014/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220210-0014/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-10719",
    "datePublished": "2020-05-26T14:57:51",
    "dateReserved": "2020-03-20T00:00:00",
    "dateUpdated": "2024-08-04T11:14:14.887Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-14885 (GCVE-0-2019-14885)
Vulnerability from cvelistv5
Published
2020-01-23 00:00
Modified
2024-08-05 00:26
Severity ?
5.4 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CWE
Summary
A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information.
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14885
Impacted products
Vendor Product Version
Red Hat JBoss EAP Version: All versions before 7.2.6.GA
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T00:26:39.249Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14885"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "JBoss EAP",
          "vendor": "Red Hat",
          "versions": [
            {
              "status": "affected",
              "version": "All versions before 7.2.6.GA"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property\u0027s security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI \u0027reload\u0027 command. This flaw can lead to the exposure of confidential information."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-07T00:00:00",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14885"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2019-14885",
    "datePublished": "2020-01-23T00:00:00",
    "dateReserved": "2019-08-10T00:00:00",
    "dateUpdated": "2024-08-05T00:26:39.249Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-3424 (GCVE-0-2021-3424)
Vulnerability from cvelistv5
Published
2021-06-01 18:43
Modified
2024-08-03 16:53
Severity ?
CWE
Summary
A flaw was found in keycloak as shipped in Red Hat Single Sign-On 7.4 where IDN homograph attacks are possible. A malicious user can register himself with a name already registered and trick admin to grant him extra privileges.
References
https://bugzilla.redhat.com/show_bug.cgi?id=1933320x_refsource_MISC
Impacted products
Vendor Product Version
n/a keycloak Version: as shipped in Red Hat Single Sign-On 7.4
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T16:53:17.503Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1933320"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "keycloak",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "as shipped in Red Hat Single Sign-On 7.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in keycloak as shipped in Red Hat Single Sign-On 7.4 where IDN homograph attacks are possible. A malicious user can register himself with a name already registered and trick admin to grant him extra privileges."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-06-01T18:43:33",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1933320"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2021-3424",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "keycloak",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "as shipped in Red Hat Single Sign-On 7.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A flaw was found in keycloak as shipped in Red Hat Single Sign-On 7.4 where IDN homograph attacks are possible. A malicious user can register himself with a name already registered and trick admin to grant him extra privileges."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-287"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1933320",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1933320"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2021-3424",
    "datePublished": "2021-06-01T18:43:33",
    "dateReserved": "2021-03-08T00:00:00",
    "dateUpdated": "2024-08-03T16:53:17.503Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-6134 (GCVE-0-2023-6134)
Vulnerability from cvelistv5
Published
2023-12-14 21:42
Modified
2024-11-23 03:37
Severity ?
4.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.
References
https://access.redhat.com/errata/RHSA-2023:7854vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:7855vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:7856vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:7857vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:7858vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:7860vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:7861vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:0798vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:0799vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:0800vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:0801vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:0804vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2023-6134vdb-entry, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2249673issue-tracking, x_refsource_REDHAT
Impacted products
Vendor Product Version
Red Hat Red Hat build of Keycloak 22 Unaffected: 22.0.7-1   < *
    cpe:/a:redhat:build_keycloak:22::el9
 Create a notification for this product.
   Red Hat Red Hat build of Keycloak 22 Unaffected: 22-6   < *
    cpe:/a:redhat:build_keycloak:22::el9
 Create a notification for this product.
   Red Hat Red Hat build of Keycloak 22 Unaffected: 22-9   < *
    cpe:/a:redhat:build_keycloak:22::el9
 Create a notification for this product.
   Red Hat Red Hat build of Keycloak 22.0.7     cpe:/a:redhat:build_keycloak:22
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7.6
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 7 Unaffected: 0:18.0.11-2.redhat_00003.1.el7sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el7
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 7 Unaffected: 0:18.0.12-1.redhat_00001.1.el7sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el7
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 8 Unaffected: 0:18.0.11-2.redhat_00003.1.el8sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el8
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 8 Unaffected: 0:18.0.12-1.redhat_00001.1.el8sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el8
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 9 Unaffected: 0:18.0.11-2.redhat_00003.1.el9sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el9
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 9 Unaffected: 0:18.0.12-1.redhat_00001.1.el9sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el9
 Create a notification for this product.
   Red Hat RHEL-8 based Middleware Containers Unaffected: 7.6-38   < *
    cpe:/a:redhat:rhosemc:1.0::el8
 Create a notification for this product.
   Red Hat RHEL-8 based Middleware Containers Unaffected: 7.6.6-2   < *
    cpe:/a:redhat:rhosemc:1.0::el8
 Create a notification for this product.
   Red Hat RHEL-8 based Middleware Containers Unaffected: 7.6-41   < *
    cpe:/a:redhat:rhosemc:1.0::el8
 Create a notification for this product.
   Red Hat Single Sign-On 7.6.6     cpe:/a:redhat:red_hat_single_sign_on:7.6.6
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T08:21:17.735Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2023:7854",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:7854"
          },
          {
            "name": "RHSA-2023:7855",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:7855"
          },
          {
            "name": "RHSA-2023:7856",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:7856"
          },
          {
            "name": "RHSA-2023:7857",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:7857"
          },
          {
            "name": "RHSA-2023:7858",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:7858"
          },
          {
            "name": "RHSA-2023:7860",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:7860"
          },
          {
            "name": "RHSA-2023:7861",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:7861"
          },
          {
            "name": "RHSA-2024:0798",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0798"
          },
          {
            "name": "RHSA-2024:0799",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0799"
          },
          {
            "name": "RHSA-2024:0800",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0800"
          },
          {
            "name": "RHSA-2024:0801",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0801"
          },
          {
            "name": "RHSA-2024:0804",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0804"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2023-6134"
          },
          {
            "name": "RHBZ#2249673",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2249673"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:22::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-operator-bundle",
          "product": "Red Hat build of Keycloak 22",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "22.0.7-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:22::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 22",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "22-6",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:22::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9-operator",
          "product": "Red Hat build of Keycloak 22",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "22-9",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:22"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak-core",
          "product": "Red Hat build of Keycloak 22.0.7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak-core",
          "product": "Red Hat Single Sign-On 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.11-2.redhat_00003.1.el7sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.12-1.redhat_00001.1.el7sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.11-2.redhat_00003.1.el8sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.12-1.redhat_00001.1.el8sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.11-2.redhat_00003.1.el9sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.12-1.redhat_00001.1.el9sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso-7/sso76-openshift-rhel8",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.6-38",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso-7/sso7-rhel8-operator-bundle",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.6.6-2",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso-7/sso76-openshift-rhel8",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.6-41",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6.6"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak-core",
          "product": "Single Sign-On 7.6.6",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Lauritz Holtmann (https://security.lauritz-holtmann.de/) for reporting this issue."
        }
      ],
      "datePublic": "2023-11-14T00:00:00+00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-23T03:37:59.109Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2023:7854",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:7854"
        },
        {
          "name": "RHSA-2023:7855",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:7855"
        },
        {
          "name": "RHSA-2023:7856",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:7856"
        },
        {
          "name": "RHSA-2023:7857",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:7857"
        },
        {
          "name": "RHSA-2023:7858",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:7858"
        },
        {
          "name": "RHSA-2023:7860",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:7860"
        },
        {
          "name": "RHSA-2023:7861",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:7861"
        },
        {
          "name": "RHSA-2024:0798",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0798"
        },
        {
          "name": "RHSA-2024:0799",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0799"
        },
        {
          "name": "RHSA-2024:0800",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0800"
        },
        {
          "name": "RHSA-2024:0801",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0801"
        },
        {
          "name": "RHSA-2024:0804",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0804"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2023-6134"
        },
        {
          "name": "RHBZ#2249673",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2249673"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-11-07T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2023-11-14T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Keycloak: reflected xss via wildcard in oidc redirect_uri",
      "x_redhatCweChain": "CWE-74-\u003eCWE-79: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027) leads to Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-6134",
    "datePublished": "2023-12-14T21:42:12.160Z",
    "dateReserved": "2023-11-14T18:50:13.535Z",
    "dateUpdated": "2024-11-23T03:37:59.109Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-14888 (GCVE-0-2019-14888)
Vulnerability from cvelistv5
Published
2020-01-23 16:25
Modified
2024-08-05 00:26
Severity ?
7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE
Summary
A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL.
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14888x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2020:0729vendor-advisory, x_refsource_REDHAT
https://security.netapp.com/advisory/ntap-20220211-0001/x_refsource_CONFIRM
Impacted products
Vendor Product Version
Red Hat undertow Version: All versions before 2.0.28.SP1
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T00:26:39.131Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14888"
          },
          {
            "name": "RHSA-2020:0729",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0729"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220211-0001/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "undertow",
          "vendor": "Red Hat",
          "versions": [
            {
              "status": "affected",
              "version": "All versions before 2.0.28.SP1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-11T22:06:18",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14888"
        },
        {
          "name": "RHSA-2020:0729",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0729"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220211-0001/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2019-14888",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "undertow",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions before 2.0.28.SP1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Red Hat"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-400"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14888",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14888"
            },
            {
              "name": "RHSA-2020:0729",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0729"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220211-0001/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220211-0001/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2019-14888",
    "datePublished": "2020-01-23T16:25:11",
    "dateReserved": "2019-08-10T00:00:00",
    "dateUpdated": "2024-08-05T00:26:39.131Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-3875 (GCVE-0-2019-3875)
Vulnerability from cvelistv5
Published
2019-06-12 13:51
Modified
2024-08-04 19:19
Severity ?
6.5 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE
Summary
A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often available over the network through unsecured protocols ('http' or 'ldap') and hence the caller should verify the signature and possibly the certification path. Keycloak currently doesn't validate signatures on CRL, which can result in a possibility of various attacks like man-in-the-middle.
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3875x_refsource_CONFIRM
http://www.securityfocus.com/bid/108748vdb-entry, x_refsource_BID
Impacted products
Vendor Product Version
Red Hat keycloak Version: 6.0.2
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T19:19:18.609Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3875"
          },
          {
            "name": "108748",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/108748"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "keycloak",
          "vendor": "Red Hat",
          "versions": [
            {
              "status": "affected",
              "version": "6.0.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often available over the network through unsecured protocols (\u0027http\u0027 or \u0027ldap\u0027) and hence the caller should verify the signature and possibly the certification path. Keycloak currently doesn\u0027t validate signatures on CRL, which can result in a possibility of various attacks like man-in-the-middle."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-345",
              "description": "CWE-345",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "CWE-295",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-06-13T13:06:06",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3875"
        },
        {
          "name": "108748",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/108748"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2019-3875",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "keycloak",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "6.0.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Red Hat"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often available over the network through unsecured protocols (\u0027http\u0027 or \u0027ldap\u0027) and hence the caller should verify the signature and possibly the certification path. Keycloak currently doesn\u0027t validate signatures on CRL, which can result in a possibility of various attacks like man-in-the-middle."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-345"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-295"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3875",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3875"
            },
            {
              "name": "108748",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/108748"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2019-3875",
    "datePublished": "2019-06-12T13:51:38",
    "dateReserved": "2019-01-03T00:00:00",
    "dateUpdated": "2024-08-04T19:19:18.609Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-14838 (GCVE-0-2019-14838)
Vulnerability from cvelistv5
Published
2019-10-14 14:32
Modified
2024-08-05 00:26
Severity ?
5.2 (Medium) - CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:H
CWE
Summary
A flaw was found in wildfly-core before 7.2.5.GA. The Management users with Monitor, Auditor and Deployer Roles should not be allowed to modify the runtime state of the server
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14838x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2019:3083vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:3082vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:4018vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:4019vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:4021vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:4020vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:4045vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:4042vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:4040vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:4041vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2020:0728vendor-advisory, x_refsource_REDHAT
Impacted products
Vendor Product Version
Red Hat wildfly-core Version: before 7.2.5.GA
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T00:26:39.125Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14838"
          },
          {
            "name": "RHSA-2019:3083",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3083"
          },
          {
            "name": "RHSA-2019:3082",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3082"
          },
          {
            "name": "RHSA-2019:4018",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4018"
          },
          {
            "name": "RHSA-2019:4019",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4019"
          },
          {
            "name": "RHSA-2019:4021",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4021"
          },
          {
            "name": "RHSA-2019:4020",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4020"
          },
          {
            "name": "RHSA-2019:4045",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4045"
          },
          {
            "name": "RHSA-2019:4042",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4042"
          },
          {
            "name": "RHSA-2019:4040",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4040"
          },
          {
            "name": "RHSA-2019:4041",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4041"
          },
          {
            "name": "RHSA-2020:0728",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0728"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wildfly-core",
          "vendor": "Red Hat",
          "versions": [
            {
              "status": "affected",
              "version": "before 7.2.5.GA"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in wildfly-core before 7.2.5.GA. The Management users with Monitor, Auditor and Deployer Roles should not be allowed to modify the runtime state of the server"
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-03-11T11:07:04",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14838"
        },
        {
          "name": "RHSA-2019:3083",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3083"
        },
        {
          "name": "RHSA-2019:3082",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3082"
        },
        {
          "name": "RHSA-2019:4018",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4018"
        },
        {
          "name": "RHSA-2019:4019",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4019"
        },
        {
          "name": "RHSA-2019:4021",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4021"
        },
        {
          "name": "RHSA-2019:4020",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4020"
        },
        {
          "name": "RHSA-2019:4045",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4045"
        },
        {
          "name": "RHSA-2019:4042",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4042"
        },
        {
          "name": "RHSA-2019:4040",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4040"
        },
        {
          "name": "RHSA-2019:4041",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4041"
        },
        {
          "name": "RHSA-2020:0728",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0728"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2019-14838",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "wildfly-core",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "before 7.2.5.GA"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Red Hat"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A flaw was found in wildfly-core before 7.2.5.GA. The Management users with Monitor, Auditor and Deployer Roles should not be allowed to modify the runtime state of the server"
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "5.2/CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:H",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-284"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14838",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14838"
            },
            {
              "name": "RHSA-2019:3083",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3083"
            },
            {
              "name": "RHSA-2019:3082",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3082"
            },
            {
              "name": "RHSA-2019:4018",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:4018"
            },
            {
              "name": "RHSA-2019:4019",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:4019"
            },
            {
              "name": "RHSA-2019:4021",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:4021"
            },
            {
              "name": "RHSA-2019:4020",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:4020"
            },
            {
              "name": "RHSA-2019:4045",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:4045"
            },
            {
              "name": "RHSA-2019:4042",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:4042"
            },
            {
              "name": "RHSA-2019:4040",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:4040"
            },
            {
              "name": "RHSA-2019:4041",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:4041"
            },
            {
              "name": "RHSA-2020:0728",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0728"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2019-14838",
    "datePublished": "2019-10-14T14:32:53",
    "dateReserved": "2019-08-10T00:00:00",
    "dateUpdated": "2024-08-05T00:26:39.125Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-7885 (GCVE-0-2024-7885)
Vulnerability from cvelistv5
Published
2024-08-21 14:13
Modified
2025-07-10 09:27
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE
  • CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Summary
A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.
References
https://access.redhat.com/errata/RHSA-2024:11023vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6508vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6883vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:7441vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:7442vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:7735vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:7736vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-7885vdb-entry, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2305290issue-tracking, x_refsource_REDHAT
Impacted products
Vendor Product Version
Version: 0   < 2.2.36.Final
Version: 2.3.0.Alpha1   < 2.3.17.Final
 Create a notification for this product.
   Red Hat HawtIO 4.0.0 for Red Hat build of Apache Camel 4     cpe:/a:redhat:rhboac_hawtio:4.0.0
 Create a notification for this product.
   Red Hat Red Hat build of Apache Camel 3.20.7 for Spring Boot     cpe:/a:redhat:apache_camel_spring_boot:3.20.7
 Create a notification for this product.
   Red Hat Red Hat build of Apache Camel 4.4.2 for Spring Boot     cpe:/a:redhat:apache_camel_spring_boot:4.4.2
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7     cpe:/a:redhat:jboss_enterprise_application_platform:7.4
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Unaffected: 0:2.2.33-2.SP2_redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Unaffected: 0:7.4.18-1.GA_redhat_00003.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 Unaffected: 0:2.2.33-2.SP2_redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 Unaffected: 0:7.4.18-1.GA_redhat_00003.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Unaffected: 0:2.2.33-2.SP2_redhat_00001.1.el7eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Unaffected: 0:7.4.18-1.GA_redhat_00003.1.el7eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8     cpe:/a:redhat:jboss_enterprise_application_platform:8.0
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:1.11.9-2.redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:800.3.1-2.GA_redhat_00002.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:2.3.14-2.SP2_redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Unaffected: 0:8.0.3-13.GA_redhat_00007.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:1.11.9-2.redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:800.3.1-2.GA_redhat_00002.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:2.3.14-2.SP2_redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Unaffected: 0:8.0.3-13.GA_redhat_00007.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
    cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
 Create a notification for this product.
   Red Hat Red Hat build of Apache Camel for Spring Boot 3     cpe:/a:redhat:camel_spring_boot:3
 Create a notification for this product.
   Red Hat Red Hat build of Apache Camel - HawtIO 4     cpe:/a:redhat:apache_camel_hawtio:4
 Create a notification for this product.
   Red Hat Red Hat Build of Keycloak     cpe:/a:redhat:build_keycloak:
 Create a notification for this product.
   Red Hat Red Hat build of Quarkus     cpe:/a:redhat:quarkus:3
 Create a notification for this product.
   Red Hat Red Hat Data Grid 8     cpe:/a:redhat:jboss_data_grid:8
 Create a notification for this product.
   Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
 Create a notification for this product.
   Red Hat Red Hat Integration Camel K 1     cpe:/a:redhat:integration:1
 Create a notification for this product.
   Red Hat Red Hat JBoss Data Grid 7     cpe:/a:redhat:jboss_data_grid:7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack     cpe:/a:redhat:jbosseapxp
 Create a notification for this product.
   Red Hat Red Hat Process Automation 7     cpe:/a:redhat:jboss_enterprise_bpms_platform:7
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-7885",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-21T15:21:22.416004Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-21T15:21:42.735Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-10-11T22:03:18.905Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20241011-0004/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/undertow-io/undertow",
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "versions": [
            {
              "lessThan": "2.2.36.Final",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "2.3.17.Final",
              "status": "affected",
              "version": "2.3.0.Alpha1",
              "versionType": "custom"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhboac_hawtio:4.0.0"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "product": "HawtIO 4.0.0 for Red Hat build of Apache Camel 4",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:apache_camel_spring_boot:3.20.7"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "product": "Red Hat build of Apache Camel 3.20.7 for Spring Boot",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:apache_camel_spring_boot:4.4.2"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "product": "Red Hat build of Apache Camel 4.4.2 for Spring Boot",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4"
          ],
          "defaultStatus": "unaffected",
          "product": "Red Hat JBoss Enterprise Application Platform 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8",
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9",
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-undertow",
          "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.2.33-2.SP2_redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8",
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9",
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-wildfly",
          "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:7.4.18-1.GA_redhat_00003.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8",
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9",
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-undertow",
          "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.2.33-2.SP2_redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8",
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9",
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-wildfly",
          "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:7.4.18-1.GA_redhat_00003.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8",
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9",
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-undertow",
          "product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.2.33-2.SP2_redhat_00001.1.el7eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8",
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9",
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-wildfly",
          "product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:7.4.18-1.GA_redhat_00003.1.el7eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow-core",
          "product": "Red Hat JBoss Enterprise Application Platform 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9",
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-amazon-ion-java",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.11.9-2.redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9",
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-eap-product-conf-parent",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:800.3.1-2.GA_redhat_00002.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9",
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-undertow",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.3.14-2.SP2_redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9",
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-wildfly",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:8.0.3-13.GA_redhat_00007.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9",
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-amazon-ion-java",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.11.9-2.redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9",
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-eap-product-conf-parent",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:800.3.1-2.GA_redhat_00002.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9",
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-undertow",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.3.14-2.SP2_redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9",
            "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap8-wildfly",
          "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:8.0.3-13.GA_redhat_00007.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:camel_spring_boot:3"
          ],
          "defaultStatus": "affected",
          "packageName": "undertow",
          "product": "Red Hat build of Apache Camel for Spring Boot 3",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:apache_camel_hawtio:4"
          ],
          "defaultStatus": "affected",
          "packageName": "undertow",
          "product": "Red Hat build of Apache Camel - HawtIO 4",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:"
          ],
          "defaultStatus": "affected",
          "packageName": "undertow",
          "product": "Red Hat Build of Keycloak",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:quarkus:3"
          ],
          "defaultStatus": "unaffected",
          "packageName": "io.quarkus/quarkus-undertow",
          "product": "Red Hat build of Quarkus",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_data_grid:8"
          ],
          "defaultStatus": "affected",
          "packageName": "undertow",
          "product": "Red Hat Data Grid 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_fuse:7"
          ],
          "defaultStatus": "affected",
          "packageName": "undertow",
          "product": "Red Hat Fuse 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:integration:1"
          ],
          "defaultStatus": "affected",
          "packageName": "undertow",
          "product": "Red Hat Integration Camel K 1",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_data_grid:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "undertow",
          "product": "Red Hat JBoss Data Grid 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jbosseapxp"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow-core",
          "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "undertow",
          "product": "Red Hat Process Automation 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7"
          ],
          "defaultStatus": "affected",
          "packageName": "undertow",
          "product": "Red Hat Single Sign-On 7",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank BfC for reporting this issue."
        }
      ],
      "datePublic": "2024-08-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-362",
              "description": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-10T09:27:00.869Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2024:11023",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:11023"
        },
        {
          "name": "RHSA-2024:6508",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:6508"
        },
        {
          "name": "RHSA-2024:6883",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:6883"
        },
        {
          "name": "RHSA-2024:7441",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:7441"
        },
        {
          "name": "RHSA-2024:7442",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:7442"
        },
        {
          "name": "RHSA-2024:7735",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:7735"
        },
        {
          "name": "RHSA-2024:7736",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:7736"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2024-7885"
        },
        {
          "name": "RHBZ#2305290",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2305290"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-08-16T09:00:41.686000+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2024-08-07T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Undertow: improper state management in proxy protocol parsing causes information leakage",
      "x_redhatCweChain": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2024-7885",
    "datePublished": "2024-08-21T14:13:36.579Z",
    "dateReserved": "2024-08-16T15:35:47.357Z",
    "dateUpdated": "2025-07-10T09:27:00.869Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-14341 (GCVE-0-2020-14341)
Vulnerability from cvelistv5
Published
2021-01-12 14:23
Modified
2024-08-04 12:39
Severity ?
CWE
Summary
The "Test Connection" available in v7.x of the Red Hat Single Sign On application console can permit an authorized user to cause SMTP connections to be attempted to arbitrary hosts and ports of the user's choosing, and originating from the RHSSO installation. By observing differences in the timings of these scans, an attacker may glean information about hosts and ports which they do not have access to scan directly.
References
https://bugzilla.redhat.com/show_bug.cgi?id=1860138x_refsource_CONFIRM
Impacted products
Vendor Product Version
Red Hat Red Hat Single Sign-On Version: v7.x
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T12:39:36.428Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1860138"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Red Hat Single Sign-On",
          "vendor": "Red Hat",
          "versions": [
            {
              "status": "affected",
              "version": "v7.x"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The \"Test Connection\" available in v7.x of the Red Hat Single Sign On application console can permit an authorized user to cause SMTP connections to be attempted to arbitrary hosts and ports of the user\u0027s choosing, and originating from the RHSSO installation. By observing differences in the timings of these scans, an attacker may glean information about hosts and ports which they do not have access to scan directly."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-385",
              "description": "CWE-385",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-01-12T14:23:31",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1860138"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-14341",
    "datePublished": "2021-01-12T14:23:31",
    "dateReserved": "2020-06-17T00:00:00",
    "dateUpdated": "2024-08-04T12:39:36.428Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-10687 (GCVE-0-2020-10687)
Vulnerability from cvelistv5
Published
2020-09-23 12:30
Modified
2024-08-04 11:06
Severity ?
CWE
Summary
A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own.
References
https://bugzilla.redhat.com/show_bug.cgi?id=1785049x_refsource_MISC
https://lists.apache.org/thread.html/r6603513ea8afbf6857fd77ca5888ec8385d0af493baa4250e28c351c%40%3Cdev.cxf.apache.org%3Emailing-list, x_refsource_MLIST
https://security.netapp.com/advisory/ntap-20220210-0015/x_refsource_CONFIRM
Impacted products
Vendor Product Version
n/a Undertow Version: Undertow 2.2.0.Final
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:06:11.126Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785049"
          },
          {
            "name": "[cxf-dev] 20210129 Undertow CVE",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r6603513ea8afbf6857fd77ca5888ec8385d0af493baa4250e28c351c%40%3Cdev.cxf.apache.org%3E"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220210-0015/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Undertow",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Undertow 2.2.0.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-10T09:06:52",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785049"
        },
        {
          "name": "[cxf-dev] 20210129 Undertow CVE",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r6603513ea8afbf6857fd77ca5888ec8385d0af493baa4250e28c351c%40%3Cdev.cxf.apache.org%3E"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220210-0015/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2020-10687",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Undertow",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Undertow 2.2.0.Final"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-444"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1785049",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785049"
            },
            {
              "name": "[cxf-dev] 20210129 Undertow CVE",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r6603513ea8afbf6857fd77ca5888ec8385d0af493baa4250e28c351c@%3Cdev.cxf.apache.org%3E"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220210-0015/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220210-0015/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-10687",
    "datePublished": "2020-09-23T12:30:43",
    "dateReserved": "2020-03-20T00:00:00",
    "dateUpdated": "2024-08-04T11:06:11.126Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-3597 (GCVE-0-2021-3597)
Vulnerability from cvelistv5
Published
2022-05-24 18:19
Modified
2024-08-03 17:01
Severity ?
CWE
Summary
A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final.
References
https://bugzilla.redhat.com/show_bug.cgi?id=1970930x_refsource_MISC
https://security.netapp.com/advisory/ntap-20220804-0003/x_refsource_CONFIRM
Impacted products
Vendor Product Version
n/a undertow Version: undertow 2.0.35.SP1, undertow 2.2.6.SP1, undertow 2.2.7.SP1, undertow 2.0.36.SP1, undertow 2.2.9.Final, undertow 2.0.39.Final
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:01:07.706Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1970930"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220804-0003/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "undertow",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "undertow 2.0.35.SP1, undertow 2.2.6.SP1, undertow 2.2.7.SP1, undertow 2.0.36.SP1, undertow 2.2.9.Final, undertow 2.0.39.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-362",
              "description": "CWE-362",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-04T17:06:48",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1970930"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220804-0003/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2021-3597",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "undertow",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "undertow 2.0.35.SP1, undertow 2.2.6.SP1, undertow 2.2.7.SP1, undertow 2.0.36.SP1, undertow 2.2.9.Final, undertow 2.0.39.Final"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-362"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1970930",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1970930"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220804-0003/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220804-0003/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2021-3597",
    "datePublished": "2022-05-24T18:19:11",
    "dateReserved": "2021-06-11T00:00:00",
    "dateUpdated": "2024-08-03T17:01:07.706Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-14299 (GCVE-0-2020-14299)
Vulnerability from cvelistv5
Published
2020-10-16 13:10
Modified
2024-08-04 12:39
Severity ?
CWE
Summary
A flaw was found in JBoss EAP, where the authentication configuration is set-up using a legacy SecurityRealm, to delegate to a legacy PicketBox SecurityDomain, and then reloaded to admin-only mode. This flaw allows an attacker to perform a complete authentication bypass by using an arbitrary user and password. The highest threat to vulnerability is to system availability.
References
https://bugzilla.redhat.com/show_bug.cgi?id=1848533x_refsource_MISC
Impacted products
Vendor Product Version
n/a picketbox Version: redhat-picketbox 5.0.3.Final-redhat-00007
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T12:39:36.239Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848533"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "picketbox",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "redhat-picketbox 5.0.3.Final-redhat-00007"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in JBoss EAP, where the authentication configuration is set-up using a legacy SecurityRealm, to delegate to a legacy PicketBox SecurityDomain, and then reloaded to admin-only mode. This flaw allows an attacker to perform a complete authentication bypass by using an arbitrary user and password. The highest threat to vulnerability is to system availability."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-10-16T13:10:43",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848533"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2020-14299",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "picketbox",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "redhat-picketbox 5.0.3.Final-redhat-00007"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A flaw was found in JBoss EAP, where the authentication configuration is set-up using a legacy SecurityRealm, to delegate to a legacy PicketBox SecurityDomain, and then reloaded to admin-only mode. This flaw allows an attacker to perform a complete authentication bypass by using an arbitrary user and password. The highest threat to vulnerability is to system availability."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-287"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1848533",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848533"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-14299",
    "datePublished": "2020-10-16T13:10:43",
    "dateReserved": "2020-06-17T00:00:00",
    "dateUpdated": "2024-08-04T12:39:36.239Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-14307 (GCVE-0-2020-14307)
Vulnerability from cvelistv5
Published
2020-07-24 00:00
Modified
2024-08-04 12:39
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE
Summary
A vulnerability was found in Wildfly's Enterprise Java Beans (EJB) versions shipped with Red Hat JBoss EAP 7, where SessionOpenInvocations are never removed from the remote InvocationTracker after a response is received in the EJB Client, as well as the server. This flaw allows an attacker to craft a denial of service attack to make the service unavailable.
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14307
Impacted products
Vendor Product Version
Red Hat wildfly Version: jboss-ejb-client versions shipped with Red Hat JBoss EAP 7
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T12:39:36.215Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14307"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wildfly",
          "vendor": "Red Hat",
          "versions": [
            {
              "status": "affected",
              "version": "jboss-ejb-client versions shipped with Red Hat JBoss EAP 7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Wildfly\u0027s Enterprise Java Beans (EJB) versions shipped with Red Hat JBoss EAP 7, where SessionOpenInvocations are never removed from the remote InvocationTracker after a response is received in the EJB Client, as well as the server. This flaw allows an attacker to craft a denial of service attack to make the service unavailable."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-404",
              "description": "CWE-404",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-07T00:00:00",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14307"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-14307",
    "datePublished": "2020-07-24T00:00:00",
    "dateReserved": "2020-06-17T00:00:00",
    "dateUpdated": "2024-08-04T12:39:36.215Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-14900 (GCVE-0-2019-14900)
Vulnerability from cvelistv5
Published
2020-07-06 18:35
Modified
2024-08-05 00:26
Severity ?
CWE
  • Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
References
https://bugzilla.redhat.com/show_bug.cgi?id=1666499x_refsource_MISC
https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3Emailing-list, x_refsource_MLIST
https://security.netapp.com/advisory/ntap-20220210-0020/x_refsource_CONFIRM
Impacted products
Vendor Product Version
n/a Hibernate Version: Versions before Hibernate ORM 5.3.18
Version: Versions before Hibernate ORM 5.4.18
Version: Versions before Hibernate ORM 5.5.0.Beta1
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T00:26:39.118Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666499"
          },
          {
            "name": "[turbine-dev] 20211015 Fulcrum Security Hibernate Module",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220210-0020/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Hibernate",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Versions before Hibernate ORM 5.3.18"
            },
            {
              "status": "affected",
              "version": "Versions before Hibernate ORM 5.4.18"
            },
            {
              "status": "affected",
              "version": "Versions before Hibernate ORM 5.5.0.Beta1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-10T09:07:46",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666499"
        },
        {
          "name": "[turbine-dev] 20211015 Fulcrum Security Hibernate Module",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220210-0020/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2019-14900",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Hibernate",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Versions before Hibernate ORM 5.3.18"
                          },
                          {
                            "version_value": "Versions before Hibernate ORM 5.4.18"
                          },
                          {
                            "version_value": "Versions before Hibernate ORM 5.5.0.Beta1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1666499",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666499"
            },
            {
              "name": "[turbine-dev] 20211015 Fulcrum Security Hibernate Module",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44@%3Cdev.turbine.apache.org%3E"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220210-0020/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220210-0020/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2019-14900",
    "datePublished": "2020-07-06T18:35:01",
    "dateReserved": "2019-08-10T00:00:00",
    "dateUpdated": "2024-08-05T00:26:39.118Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-14887 (GCVE-0-2019-14887)
Vulnerability from cvelistv5
Published
2020-03-16 14:48
Modified
2024-08-05 00:26
Severity ?
7.4 (High) - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE
Summary
A flaw was found when an OpenSSL security provider is used with Wildfly, the 'enabled-protocols' value in the Wildfly configuration isn't honored. An attacker could target the traffic sent from Wildfly and downgrade the connection to a weaker version of TLS, potentially breaking the encryption. This could lead to a leak of the data being passed over the network. Wildfly version 7.2.0.GA, 7.2.3.GA and 7.2.5.CR2 are believed to be vulnerable.
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14887x_refsource_CONFIRM
https://issues.redhat.com/browse/JBEAP-17965x_refsource_CONFIRM
https://security.netapp.com/advisory/ntap-20200327-0007/x_refsource_CONFIRM
Impacted products
Vendor Product Version
Red Hat wildfly Version: 7.2.0.GA, 7.2.3.GA, 7.2.5.CR2
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T00:26:39.145Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14887"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.redhat.com/browse/JBEAP-17965"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20200327-0007/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wildfly",
          "vendor": "Red Hat",
          "versions": [
            {
              "status": "affected",
              "version": "7.2.0.GA, 7.2.3.GA, 7.2.5.CR2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found when an OpenSSL security provider is used with Wildfly, the \u0027enabled-protocols\u0027 value in the Wildfly configuration isn\u0027t honored. An attacker could target the traffic sent from Wildfly and downgrade the connection to a weaker version of TLS, potentially breaking the encryption. This could lead to a leak of the data being passed over the network. Wildfly version 7.2.0.GA, 7.2.3.GA and 7.2.5.CR2 are believed to be vulnerable."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-757",
              "description": "CWE-757",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-03-27T08:06:03",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14887"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.redhat.com/browse/JBEAP-17965"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20200327-0007/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2019-14887",
    "datePublished": "2020-03-16T14:48:09",
    "dateReserved": "2019-08-10T00:00:00",
    "dateUpdated": "2024-08-05T00:26:39.145Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-12023 (GCVE-0-2018-12023)
Vulnerability from cvelistv5
Published
2019-03-17 17:57
Modified
2024-08-05 08:24
Severity ?
CWE
  • n/a
Summary
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
References
https://access.redhat.com/errata/RHSA-2019:0782vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:0877vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHBA-2019:0959vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:1107vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:1108vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:1106vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:1140vendor-advisory, x_refsource_REDHAT
https://www.debian.org/security/2019/dsa-4452vendor-advisory, x_refsource_DEBIAN
https://seclists.org/bugtraq/2019/May/68mailing-list, x_refsource_BUGTRAQ
https://access.redhat.com/errata/RHSA-2019:1782vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:1797vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:1822vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:1823vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:2804vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:2858vendor-advisory, x_refsource_REDHAT
https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d%40%3Cissues.lucene.apache.org%3Emailing-list, x_refsource_MLIST
https://access.redhat.com/errata/RHSA-2019:3002vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:3140vendor-advisory, x_refsource_REDHAT
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3Emailing-list, x_refsource_MLIST
https://access.redhat.com/errata/RHSA-2019:3149vendor-advisory, x_refsource_REDHAT
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3Emailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3Emailing-list, x_refsource_MLIST
https://access.redhat.com/errata/RHSA-2019:3892vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:4037vendor-advisory, x_refsource_REDHAT
https://www.oracle.com/security-alerts/cpuapr2020.htmlx_refsource_MISC
https://www.oracle.com/security-alerts/cpujul2020.htmlx_refsource_MISC
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.htmlx_refsource_CONFIRM
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlx_refsource_MISC
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.htmlx_refsource_MISC
https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlx_refsource_CONFIRM
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC/x_refsource_MISC
https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdfx_refsource_MISC
http://www.securityfocus.com/bid/105659x_refsource_MISC
https://github.com/FasterXML/jackson-databind/issues/2058x_refsource_MISC
https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226ax_refsource_MISC
https://security.netapp.com/advisory/ntap-20190530-0003/x_refsource_CONFIRM
https://www.oracle.com/security-alerts/cpuoct2020.htmlx_refsource_MISC
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T08:24:03.746Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2019:0782",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0782"
          },
          {
            "name": "RHSA-2019:0877",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0877"
          },
          {
            "name": "RHBA-2019:0959",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHBA-2019:0959"
          },
          {
            "name": "RHSA-2019:1107",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1107"
          },
          {
            "name": "RHSA-2019:1108",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1108"
          },
          {
            "name": "RHSA-2019:1106",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1106"
          },
          {
            "name": "RHSA-2019:1140",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1140"
          },
          {
            "name": "DSA-4452",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4452"
          },
          {
            "name": "20190527 [SECURITY] [DSA 4452-1] jackson-databind security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/May/68"
          },
          {
            "name": "RHSA-2019:1782",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1782"
          },
          {
            "name": "RHSA-2019:1797",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1797"
          },
          {
            "name": "RHSA-2019:1822",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1822"
          },
          {
            "name": "RHSA-2019:1823",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1823"
          },
          {
            "name": "RHSA-2019:2804",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2804"
          },
          {
            "name": "RHSA-2019:2858",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2858"
          },
          {
            "name": "[lucene-issues] 20191004 [GitHub] [lucene-solr] marungo opened a new pull request #925: SOLR-13818: Upgrade jackson to 2.10.0",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d%40%3Cissues.lucene.apache.org%3E"
          },
          {
            "name": "RHSA-2019:3002",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3002"
          },
          {
            "name": "RHSA-2019:3140",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3140"
          },
          {
            "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
          },
          {
            "name": "RHSA-2019:3149",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3149"
          },
          {
            "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
          },
          {
            "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
          },
          {
            "name": "RHSA-2019:3892",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3892"
          },
          {
            "name": "RHSA-2019:4037",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4037"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/105659"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/FasterXML/jackson-databind/issues/2058"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20190530-0003/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-06-08T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-10-20T21:14:53",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "RHSA-2019:0782",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0782"
        },
        {
          "name": "RHSA-2019:0877",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0877"
        },
        {
          "name": "RHBA-2019:0959",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHBA-2019:0959"
        },
        {
          "name": "RHSA-2019:1107",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1107"
        },
        {
          "name": "RHSA-2019:1108",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1108"
        },
        {
          "name": "RHSA-2019:1106",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1106"
        },
        {
          "name": "RHSA-2019:1140",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1140"
        },
        {
          "name": "DSA-4452",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4452"
        },
        {
          "name": "20190527 [SECURITY] [DSA 4452-1] jackson-databind security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/May/68"
        },
        {
          "name": "RHSA-2019:1782",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1782"
        },
        {
          "name": "RHSA-2019:1797",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1797"
        },
        {
          "name": "RHSA-2019:1822",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1822"
        },
        {
          "name": "RHSA-2019:1823",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1823"
        },
        {
          "name": "RHSA-2019:2804",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2804"
        },
        {
          "name": "RHSA-2019:2858",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2858"
        },
        {
          "name": "[lucene-issues] 20191004 [GitHub] [lucene-solr] marungo opened a new pull request #925: SOLR-13818: Upgrade jackson to 2.10.0",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d%40%3Cissues.lucene.apache.org%3E"
        },
        {
          "name": "RHSA-2019:3002",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3002"
        },
        {
          "name": "RHSA-2019:3140",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3140"
        },
        {
          "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
        },
        {
          "name": "RHSA-2019:3149",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3149"
        },
        {
          "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
        },
        {
          "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
        },
        {
          "name": "RHSA-2019:3892",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3892"
        },
        {
          "name": "RHSA-2019:4037",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4037"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.securityfocus.com/bid/105659"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FasterXML/jackson-databind/issues/2058"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20190530-0003/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-12023",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2019:0782",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0782"
            },
            {
              "name": "RHSA-2019:0877",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0877"
            },
            {
              "name": "RHBA-2019:0959",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHBA-2019:0959"
            },
            {
              "name": "RHSA-2019:1107",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1107"
            },
            {
              "name": "RHSA-2019:1108",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1108"
            },
            {
              "name": "RHSA-2019:1106",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1106"
            },
            {
              "name": "RHSA-2019:1140",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1140"
            },
            {
              "name": "DSA-4452",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2019/dsa-4452"
            },
            {
              "name": "20190527 [SECURITY] [DSA 4452-1] jackson-databind security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/May/68"
            },
            {
              "name": "RHSA-2019:1782",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1782"
            },
            {
              "name": "RHSA-2019:1797",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1797"
            },
            {
              "name": "RHSA-2019:1822",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1822"
            },
            {
              "name": "RHSA-2019:1823",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1823"
            },
            {
              "name": "RHSA-2019:2804",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2804"
            },
            {
              "name": "RHSA-2019:2858",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2858"
            },
            {
              "name": "[lucene-issues] 20191004 [GitHub] [lucene-solr] marungo opened a new pull request #925: SOLR-13818: Upgrade jackson to 2.10.0",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d@%3Cissues.lucene.apache.org%3E"
            },
            {
              "name": "RHSA-2019:3002",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3002"
            },
            {
              "name": "RHSA-2019:3140",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3140"
            },
            {
              "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E"
            },
            {
              "name": "RHSA-2019:3149",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3149"
            },
            {
              "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E"
            },
            {
              "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E"
            },
            {
              "name": "RHSA-2019:3892",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3892"
            },
            {
              "name": "RHSA-2019:4037",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:4037"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
            },
            {
              "name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
              "refsource": "CONFIRM",
              "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
            },
            {
              "name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
            },
            {
              "name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
            },
            {
              "name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
              "refsource": "CONFIRM",
              "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
            },
            {
              "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC/",
              "refsource": "MISC",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC/"
            },
            {
              "name": "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf",
              "refsource": "MISC",
              "url": "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf"
            },
            {
              "name": "http://www.securityfocus.com/bid/105659",
              "refsource": "MISC",
              "url": "http://www.securityfocus.com/bid/105659"
            },
            {
              "name": "https://github.com/FasterXML/jackson-databind/issues/2058",
              "refsource": "MISC",
              "url": "https://github.com/FasterXML/jackson-databind/issues/2058"
            },
            {
              "name": "https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a",
              "refsource": "MISC",
              "url": "https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20190530-0003/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20190530-0003/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-12023",
    "datePublished": "2019-03-17T17:57:52",
    "dateReserved": "2018-06-07T00:00:00",
    "dateUpdated": "2024-08-05T08:24:03.746Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-1697 (GCVE-0-2020-1697)
Vulnerability from cvelistv5
Published
2020-02-10 14:13
Modified
2024-08-04 06:46
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE
Summary
It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user could create URLs to trick users in other realms, and possibly conduct further attacks.
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1697x_refsource_CONFIRM
Impacted products
Vendor Product Version
Red Hat keycloak Version: All versions before 9.0.0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T06:46:30.433Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1697"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "keycloak",
          "vendor": "Red Hat",
          "versions": [
            {
              "status": "affected",
              "version": "All versions before 9.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user could create URLs to trick users in other realms, and possibly conduct further attacks."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-02-10T14:13:58",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1697"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2020-1697",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "keycloak",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions before 9.0.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Red Hat"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user could create URLs to trick users in other realms, and possibly conduct further attacks."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "6.1/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1697",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1697"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-1697",
    "datePublished": "2020-02-10T14:13:58",
    "dateReserved": "2019-11-27T00:00:00",
    "dateUpdated": "2024-08-04T06:46:30.433Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-4137 (GCVE-0-2022-4137)
Vulnerability from cvelistv5
Published
2023-09-25 19:17
Modified
2024-08-03 01:27
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CWE
  • CWE-81 - Improper Neutralization of Script in an Error Message Web Page
Summary
A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.
References
https://access.redhat.com/errata/RHSA-2023:1043vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:1044vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:1045vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:1049vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2022-4137vdb-entry, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2148496issue-tracking, x_refsource_REDHAT
Impacted products
Vendor Product Version
Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7.6
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 7 Unaffected: 0:18.0.6-1.redhat_00001.1.el7sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el7
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 8 Unaffected: 0:18.0.6-1.redhat_00001.1.el8sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el8
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 9 Unaffected: 0:18.0.6-1.redhat_00001.1.el9sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el9
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T01:27:54.542Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2023:1043",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:1043"
          },
          {
            "name": "RHSA-2023:1044",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:1044"
          },
          {
            "name": "RHSA-2023:1045",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:1045"
          },
          {
            "name": "RHSA-2023:1049",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:1049"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2022-4137"
          },
          {
            "name": "RHBZ#2148496",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak-core",
          "product": "Red Hat Single Sign-On 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.6-1.redhat_00001.1.el7sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.6-1.redhat_00001.1.el8sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.6-1.redhat_00001.1.el9sso",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "datePublic": "2023-03-01T13:56:00+00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A reflected cross-site scripting (XSS) vulnerability was found in the \u0027oob\u0027 OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-81",
              "description": "Improper Neutralization of Script in an Error Message Web Page",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-03T15:32:27.111Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2023:1043",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:1043"
        },
        {
          "name": "RHSA-2023:1044",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:1044"
        },
        {
          "name": "RHSA-2023:1045",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:1045"
        },
        {
          "name": "RHSA-2023:1049",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:1049"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2022-4137"
        },
        {
          "name": "RHBZ#2148496",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2022-11-25T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2023-03-01T13:56:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Keycloak: reflected xss attack",
      "x_redhatCweChain": "CWE-81: Improper Neutralization of Script in an Error Message Web Page"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2022-4137",
    "datePublished": "2023-09-25T19:17:55.522Z",
    "dateReserved": "2022-11-24T14:10:49.215Z",
    "dateUpdated": "2024-08-03T01:27:54.542Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-3637 (GCVE-0-2021-3637)
Vulnerability from cvelistv5
Published
2021-07-09 10:33
Modified
2024-08-03 17:01
Severity ?
CWE
Summary
A flaw was found in keycloak-model-infinispan in keycloak versions before 14.0.0 where authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly which could lead to a DoS attack.
References
https://bugzilla.redhat.com/show_bug.cgi?id=1979638x_refsource_MISC
Impacted products
Vendor Product Version
n/a keycloak-model-infinispan Version: keycloak 14.0.0
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:01:08.303Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1979638"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "keycloak-model-infinispan",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "keycloak 14.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in keycloak-model-infinispan in keycloak versions before 14.0.0 where authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly which could lead to a DoS attack."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-09T10:33:23",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1979638"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2021-3637",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "keycloak-model-infinispan",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "keycloak 14.0.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A flaw was found in keycloak-model-infinispan in keycloak versions before 14.0.0 where authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly which could lead to a DoS attack."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-770"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1979638",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1979638"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2021-3637",
    "datePublished": "2021-07-09T10:33:23",
    "dateReserved": "2021-07-06T00:00:00",
    "dateUpdated": "2024-08-03T17:01:08.303Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-10212 (GCVE-0-2019-10212)
Vulnerability from cvelistv5
Published
2019-10-02 18:22
Modified
2024-08-04 22:17
Severity ?
4.8 (Medium) - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N
CWE
Summary
A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files.
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10212x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2019:2998vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2020:0727vendor-advisory, x_refsource_REDHAT
https://security.netapp.com/advisory/ntap-20220210-0017/x_refsource_CONFIRM
Impacted products
Vendor Product Version
RedHat undertow Version: all under 2.0.20
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:17:18.906Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10212"
          },
          {
            "name": "RHSA-2019:2998",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2998"
          },
          {
            "name": "RHSA-2020:0727",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0727"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220210-0017/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "undertow",
          "vendor": "RedHat",
          "versions": [
            {
              "status": "affected",
              "version": "all under 2.0.20"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user\u0027s credentials from the log files."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-10T09:06:38",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10212"
        },
        {
          "name": "RHSA-2019:2998",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2998"
        },
        {
          "name": "RHSA-2020:0727",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0727"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220210-0017/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2019-10212",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "undertow",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "all under 2.0.20"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "RedHat"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user\u0027s credentials from the log files."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "4.8/CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-532"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10212",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10212"
            },
            {
              "name": "RHSA-2019:2998",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2998"
            },
            {
              "name": "RHSA-2020:0727",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0727"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220210-0017/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220210-0017/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2019-10212",
    "datePublished": "2019-10-02T18:22:08",
    "dateReserved": "2019-03-27T00:00:00",
    "dateUpdated": "2024-08-04T22:17:18.906Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-10734 (GCVE-0-2020-10734)
Vulnerability from cvelistv5
Published
2021-02-11 15:29
Modified
2024-08-04 11:14
Severity ?
CWE
Summary
A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have CSRF protection. Versions shipped with Red Hat Fuse 7, Red Hat Single Sign-on 7, and Red Hat Openshift Application Runtimes are believed to be vulnerable.
References
https://bugzilla.redhat.com/show_bug.cgi?id=1831662x_refsource_MISC
https://issues.redhat.com/browse/KEYCLOAK-13653x_refsource_MISC
Impacted products
Vendor Product Version
n/a keycloak Version: As shipped with Red Hat Fuse 7, Red Hat Single Sign-on 7, and Red Hat Openshift Application Runtimes
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:14:14.684Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831662"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://issues.redhat.com/browse/KEYCLOAK-13653"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "keycloak",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "As shipped with Red Hat Fuse 7, Red Hat Single Sign-on 7, and Red Hat Openshift Application Runtimes"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have CSRF protection. Versions shipped with Red Hat Fuse 7, Red Hat Single Sign-on 7, and Red Hat Openshift Application Runtimes are believed to be vulnerable."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-02-11T15:29:45",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831662"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://issues.redhat.com/browse/KEYCLOAK-13653"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2020-10734",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "keycloak",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "As shipped with Red Hat Fuse 7, Red Hat Single Sign-on 7, and Red Hat Openshift Application Runtimes"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have CSRF protection. Versions shipped with Red Hat Fuse 7, Red Hat Single Sign-on 7, and Red Hat Openshift Application Runtimes are believed to be vulnerable."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-352"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1831662",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831662"
            },
            {
              "name": "https://issues.redhat.com/browse/KEYCLOAK-13653",
              "refsource": "MISC",
              "url": "https://issues.redhat.com/browse/KEYCLOAK-13653"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-10734",
    "datePublished": "2021-02-11T15:29:45",
    "dateReserved": "2020-03-20T00:00:00",
    "dateUpdated": "2024-08-04T11:14:14.684Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-0084 (GCVE-0-2022-0084)
Vulnerability from cvelistv5
Published
2022-08-26 17:25
Modified
2024-08-02 23:18
Severity ?
CWE
  • CWE-770 - - Allocation of Resources Without Limits or Throttling
Summary
A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up.
References
https://bugzilla.redhat.com/show_bug.cgi?id=2064226x_refsource_MISC
https://access.redhat.com/security/cve/CVE-2022-0084x_refsource_MISC
https://github.com/xnio/xnio/pull/291x_refsource_MISC
https://github.com/xnio/xnio/commit/fdefb3b8b715d33387cadc4d48991fb1989b0c12x_refsource_MISC
Impacted products
Vendor Product Version
n/a xnio Version: Fixed in v3.x
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:18:41.681Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064226"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2022-0084"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/xnio/xnio/pull/291"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/xnio/xnio/commit/fdefb3b8b715d33387cadc4d48991fb1989b0c12"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xnio",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Fixed in v3.x"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 - Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-26T17:25:46",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064226"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2022-0084"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xnio/xnio/pull/291"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xnio/xnio/commit/fdefb3b8b715d33387cadc4d48991fb1989b0c12"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2022-0084",
    "datePublished": "2022-08-26T17:25:46",
    "dateReserved": "2022-01-03T00:00:00",
    "dateUpdated": "2024-08-02T23:18:41.681Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-10934 (GCVE-0-2018-10934)
Vulnerability from cvelistv5
Published
2019-03-27 12:20
Modified
2024-08-05 07:54
Severity ?
5.4 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE
Summary
A cross-site scripting (XSS) vulnerability was found in the JBoss Management Console versions before 7.1.6.CR1, 7.1.6.GA. Users with roles that can create objects in the application can exploit this to attack other privileged users.
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10934x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2019:1160vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:1162vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:1159vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:1161vendor-advisory, x_refsource_REDHAT
https://security.netapp.com/advisory/ntap-20190611-0002/x_refsource_CONFIRM
Impacted products
Vendor Product Version
Red Hat wildfly-core Version: 7.1.6.CR1
Version: 7.1.6.GA
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T07:54:36.087Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10934"
          },
          {
            "name": "RHSA-2019:1160",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1160"
          },
          {
            "name": "RHSA-2019:1162",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1162"
          },
          {
            "name": "RHSA-2019:1159",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1159"
          },
          {
            "name": "RHSA-2019:1161",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1161"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20190611-0002/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wildfly-core",
          "vendor": "Red Hat",
          "versions": [
            {
              "status": "affected",
              "version": "7.1.6.CR1"
            },
            {
              "status": "affected",
              "version": "7.1.6.GA"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A cross-site scripting (XSS) vulnerability was found in the JBoss Management Console versions before 7.1.6.CR1, 7.1.6.GA. Users with roles that can create objects in the application can exploit this to attack other privileged users."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-06-11T22:06:05",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10934"
        },
        {
          "name": "RHSA-2019:1160",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1160"
        },
        {
          "name": "RHSA-2019:1162",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1162"
        },
        {
          "name": "RHSA-2019:1159",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1159"
        },
        {
          "name": "RHSA-2019:1161",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1161"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20190611-0002/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2018-10934",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "wildfly-core",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "7.1.6.CR1"
                          },
                          {
                            "version_value": "7.1.6.GA"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Red Hat"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A cross-site scripting (XSS) vulnerability was found in the JBoss Management Console versions before 7.1.6.CR1, 7.1.6.GA. Users with roles that can create objects in the application can exploit this to attack other privileged users."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "5.4/CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10934",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10934"
            },
            {
              "name": "RHSA-2019:1160",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1160"
            },
            {
              "name": "RHSA-2019:1162",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1162"
            },
            {
              "name": "RHSA-2019:1159",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1159"
            },
            {
              "name": "RHSA-2019:1161",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1161"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20190611-0002/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20190611-0002/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2018-10934",
    "datePublished": "2019-03-27T12:20:07",
    "dateReserved": "2018-05-09T00:00:00",
    "dateUpdated": "2024-08-05T07:54:36.087Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-2422 (GCVE-0-2023-2422)
Vulnerability from cvelistv5
Published
2023-10-04 10:59
Modified
2024-08-02 06:19
Severity ?
5.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
CWE
  • CWE-295 - Improper Certificate Validation
Summary
A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client, therefore, access data that belongs to other clients.
References
https://access.redhat.com/errata/RHSA-2023:3883vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:3884vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:3885vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:3888vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:3892vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2023-2422vdb-entry, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2191668issue-tracking, x_refsource_REDHAT
Impacted products
Vendor Product Version
Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7.6.4
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 7 Unaffected: 0:18.0.8-1.redhat_00001.1.el7sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el7
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 8 Unaffected: 0:18.0.8-1.redhat_00001.1.el8sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el8
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 9 Unaffected: 0:18.0.8-1.redhat_00001.1.el9sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el9
 Create a notification for this product.
   Red Hat RHEL-8 based Middleware Containers Unaffected: 7.6-24   < *
    cpe:/a:redhat:rhosemc:1.0::el8
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-2422",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-03T18:15:34.385890Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:16:52.606Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T06:19:15.138Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2023:3883",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:3883"
          },
          {
            "name": "RHSA-2023:3884",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:3884"
          },
          {
            "name": "RHSA-2023:3885",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:3885"
          },
          {
            "name": "RHSA-2023:3888",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:3888"
          },
          {
            "name": "RHSA-2023:3892",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:3892"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2023-2422"
          },
          {
            "name": "RHBZ#2191668",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2191668"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6.4"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak-oauth",
          "product": "Red Hat Single Sign-On 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.8-1.redhat_00001.1.el7sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.8-1.redhat_00001.1.el8sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.8-1.redhat_00001.1.el9sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso-7/sso76-openshift-rhel8",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.6-24",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "datePublic": "2023-06-26T00:00:00+00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client, therefore, access data that belongs to other clients."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "Improper Certificate Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-03T15:32:34.859Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2023:3883",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:3883"
        },
        {
          "name": "RHSA-2023:3884",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:3884"
        },
        {
          "name": "RHSA-2023:3885",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:3885"
        },
        {
          "name": "RHSA-2023:3888",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:3888"
        },
        {
          "name": "RHSA-2023:3892",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:3892"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2023-2422"
        },
        {
          "name": "RHBZ#2191668",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2191668"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-04-25T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2023-06-26T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Keycloak: oauth client impersonation",
      "x_redhatCweChain": "CWE-295: Improper Certificate Validation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-2422",
    "datePublished": "2023-10-04T10:59:30.818Z",
    "dateReserved": "2023-04-28T17:33:42.062Z",
    "dateUpdated": "2024-08-02T06:19:15.138Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-14655 (GCVE-0-2018-14655)
Vulnerability from cvelistv5
Published
2018-11-13 19:00
Modified
2024-08-05 09:38
Severity ?
4.6 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CWE
Summary
A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. When using 'response_mode=form_post' it is possible to inject arbitrary Javascript-Code via the 'state'-parameter in the authentication URL. This allows an XSS-Attack upon succesfully login.
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14655x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2018:3592vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:3593vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:3595vendor-advisory, x_refsource_REDHAT
Impacted products
Vendor Product Version
Red Hat keycloak Version: 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:38:13.384Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14655"
          },
          {
            "name": "RHSA-2018:3592",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:3592"
          },
          {
            "name": "RHSA-2018:3593",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:3593"
          },
          {
            "name": "RHSA-2018:3595",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:3595"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "keycloak",
          "vendor": "Red Hat",
          "versions": [
            {
              "status": "affected",
              "version": "3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final"
            }
          ]
        }
      ],
      "datePublic": "2018-11-13T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. When using \u0027response_mode=form_post\u0027 it is possible to inject arbitrary Javascript-Code via the \u0027state\u0027-parameter in the authentication URL. This allows an XSS-Attack upon succesfully login."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-11-14T10:57:02",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14655"
        },
        {
          "name": "RHSA-2018:3592",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:3592"
        },
        {
          "name": "RHSA-2018:3593",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:3593"
        },
        {
          "name": "RHSA-2018:3595",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:3595"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2018-14655",
    "datePublished": "2018-11-13T19:00:00",
    "dateReserved": "2018-07-27T00:00:00",
    "dateUpdated": "2024-08-05T09:38:13.384Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-10219 (GCVE-0-2019-10219)
Vulnerability from cvelistv5
Published
2019-11-08 14:46
Modified
2025-07-07 13:55
Severity ?
6.5 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE
Summary
A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.
References
https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf%40%3Cnotifications.accumulo.apache.org%3Emailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r4f8b4e2541be4234946e40d55859273a7eec0f4901e8080ce2406fe6%40%3Cnotifications.accumulo.apache.org%3Emailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r4f92d7f7682dcff92722fa947f9e6f8ba2227c5dc3e11ba09114897d%40%3Cnotifications.accumulo.apache.org%3Emailing-list, x_refsource_MLIST
https://access.redhat.com/errata/RHSA-2020:0164vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2020:0159vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2020:0160vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2020:0161vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2020:0445vendor-advisory, x_refsource_REDHAT
https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3Emailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3Emailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3Emailing-list, x_refsource_MLIST
https://www.oracle.com/security-alerts/cpujan2022.htmlx_refsource_MISC
https://github.com/hibernate/hibernate-validator/commit/20d729548511ac5cff6fd459f93de137195420fepatch
https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56ceepatch
https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Adapted/CVE-2019-10219exploit
https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Origin/CVE-2019-10219/exploitexploit
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219x_refsource_CONFIRM
https://security.netapp.com/advisory/ntap-20220210-0024/x_refsource_CONFIRM
Impacted products
Vendor Product Version
Hibernate hibernate-validator Version: 6.0.0.Alpha1    6.0.17.Final
Version: 6.1.0.Alpha1    6.1.0.Alpha6
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-07-02T11:46:38.457Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56ceee"
          },
          {
            "url": "https://github.com/hibernate/hibernate-validator/commit/20d729548511ac5cff6fd459f93de137195420fe"
          },
          {
            "url": "https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Adapted/CVE-2019-10219"
          },
          {
            "url": "https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Origin/CVE-2019-10219/exploit"
          },
          {
            "name": "[accumulo-notifications] 20200108 [GitHub] [accumulo] milleruntime opened a new pull request #1469: Update hibernate-validator. Fixes CVE-2019-10219",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf%40%3Cnotifications.accumulo.apache.org%3E"
          },
          {
            "name": "[accumulo-notifications] 20200109 [GitHub] [accumulo] milleruntime closed pull request #1469: Update hibernate-validator. Fixes CVE-2019-10219",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r4f8b4e2541be4234946e40d55859273a7eec0f4901e8080ce2406fe6%40%3Cnotifications.accumulo.apache.org%3E"
          },
          {
            "name": "[accumulo-notifications] 20200109 [GitHub] [accumulo] milleruntime commented on issue #1469: Update hibernate-validator. Fixes CVE-2019-10219",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r4f92d7f7682dcff92722fa947f9e6f8ba2227c5dc3e11ba09114897d%40%3Cnotifications.accumulo.apache.org%3E"
          },
          {
            "name": "RHSA-2020:0164",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0164"
          },
          {
            "name": "RHSA-2020:0159",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0159"
          },
          {
            "name": "RHSA-2020:0160",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0160"
          },
          {
            "name": "RHSA-2020:0161",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0161"
          },
          {
            "name": "RHSA-2020:0445",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0445"
          },
          {
            "name": "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E"
          },
          {
            "name": "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E"
          },
          {
            "name": "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-791 Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220210-0024/"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://hibernate.org/validator/",
          "defaultStatus": "unknown",
          "product": "hibernate-validator",
          "vendor": "Hibernate",
          "versions": [
            {
              "lessThanOrEqual": "6.0.17.Final",
              "status": "affected",
              "version": "6.0.0.Alpha1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.0.Alpha6",
              "status": "affected",
              "version": "6.1.0.Alpha1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.18.Final",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1.0.Final",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-07T13:55:51.360Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "[accumulo-notifications] 20200108 [GitHub] [accumulo] milleruntime opened a new pull request #1469: Update hibernate-validator. Fixes CVE-2019-10219",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf%40%3Cnotifications.accumulo.apache.org%3E"
        },
        {
          "name": "[accumulo-notifications] 20200109 [GitHub] [accumulo] milleruntime closed pull request #1469: Update hibernate-validator. Fixes CVE-2019-10219",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r4f8b4e2541be4234946e40d55859273a7eec0f4901e8080ce2406fe6%40%3Cnotifications.accumulo.apache.org%3E"
        },
        {
          "name": "[accumulo-notifications] 20200109 [GitHub] [accumulo] milleruntime commented on issue #1469: Update hibernate-validator. Fixes CVE-2019-10219",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r4f92d7f7682dcff92722fa947f9e6f8ba2227c5dc3e11ba09114897d%40%3Cnotifications.accumulo.apache.org%3E"
        },
        {
          "name": "RHSA-2020:0164",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0164"
        },
        {
          "name": "RHSA-2020:0159",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0159"
        },
        {
          "name": "RHSA-2020:0160",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0160"
        },
        {
          "name": "RHSA-2020:0161",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0161"
        },
        {
          "name": "RHSA-2020:0445",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0445"
        },
        {
          "name": "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E"
        },
        {
          "name": "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E"
        },
        {
          "name": "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-791 Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
        },
        {
          "name": "Upstream fix commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/hibernate/hibernate-validator/commit/20d729548511ac5cff6fd459f93de137195420fe"
        },
        {
          "name": "Upstream fix commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56cee"
        },
        {
          "name": "Proof of Concept",
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Adapted/CVE-2019-10219"
        },
        {
          "name": "Proof of Concept",
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Origin/CVE-2019-10219/exploit"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220210-0024/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2019-10219",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "hibernate-validator",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Hibernate"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[accumulo-notifications] 20200108 [GitHub] [accumulo] milleruntime opened a new pull request #1469: Update hibernate-validator. Fixes CVE-2019-10219",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf@%3Cnotifications.accumulo.apache.org%3E"
            },
            {
              "name": "[accumulo-notifications] 20200109 [GitHub] [accumulo] milleruntime closed pull request #1469: Update hibernate-validator. Fixes CVE-2019-10219",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r4f8b4e2541be4234946e40d55859273a7eec0f4901e8080ce2406fe6@%3Cnotifications.accumulo.apache.org%3E"
            },
            {
              "name": "[accumulo-notifications] 20200109 [GitHub] [accumulo] milleruntime commented on issue #1469: Update hibernate-validator. Fixes CVE-2019-10219",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r4f92d7f7682dcff92722fa947f9e6f8ba2227c5dc3e11ba09114897d@%3Cnotifications.accumulo.apache.org%3E"
            },
            {
              "name": "RHSA-2020:0164",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0164"
            },
            {
              "name": "RHSA-2020:0159",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0159"
            },
            {
              "name": "RHSA-2020:0160",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0160"
            },
            {
              "name": "RHSA-2020:0161",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0161"
            },
            {
              "name": "RHSA-2020:0445",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0445"
            },
            {
              "name": "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a@%3Cpluto-dev.portals.apache.org%3E"
            },
            {
              "name": "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c@%3Cpluto-dev.portals.apache.org%3E"
            },
            {
              "name": "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-791 Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4@%3Cpluto-scm.portals.apache.org%3E"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220210-0024/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220210-0024/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2019-10219",
    "datePublished": "2019-11-08T14:46:03.000Z",
    "dateReserved": "2019-03-27T00:00:00.000Z",
    "dateUpdated": "2025-07-07T13:55:51.360Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-3629 (GCVE-0-2021-3629)
Vulnerability from cvelistv5
Published
2022-05-24 18:19
Modified
2024-08-03 17:01
Severity ?
CWE
Summary
A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final.
References
https://bugzilla.redhat.com/show_bug.cgi?id=1977362x_refsource_MISC
https://security.netapp.com/advisory/ntap-20220729-0008/x_refsource_CONFIRM
Impacted products
Vendor Product Version
n/a undertow Version: undertow 2.0.40.Final, undertow 2.2.11.Final
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:01:07.495Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1977362"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220729-0008/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "undertow",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "undertow 2.0.40.Final, undertow 2.2.11.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-29T19:06:16",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1977362"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220729-0008/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2021-3629",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "undertow",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "undertow 2.0.40.Final, undertow 2.2.11.Final"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-400"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1977362",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1977362"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220729-0008/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220729-0008/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2021-3629",
    "datePublished": "2022-05-24T18:19:00",
    "dateReserved": "2021-06-29T00:00:00",
    "dateUpdated": "2024-08-03T17:01:07.495Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-1108 (GCVE-0-2023-1108)
Vulnerability from cvelistv5
Published
2023-09-14 14:48
Modified
2024-08-02 05:32
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE
  • CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Summary
A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.
References
https://access.redhat.com/errata/RHSA-2023:1184vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:1185vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:1512vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:1513vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:1514vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:1516vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:2135vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:3883vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:3884vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:3885vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:3888vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:3892vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:3954vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:4612vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2023-1108vdb-entry, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2174246issue-tracking, x_refsource_REDHAT
https://github.com/advisories/GHSA-m4mm-pg93-fv78
https://security.netapp.com/advisory/ntap-20231020-0002/
Impacted products
Vendor Product Version
Create a notification for this product.
   Red Hat EAP 7.4.10 release     cpe:/a:redhat:jboss_enterprise_application_platform:7.4
 Create a notification for this product.
   Red Hat Red Hat Fuse 7.12     cpe:/a:redhat:jboss_fuse:7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.1.0     cpe:/a:redhat:jboss_enterprise_application_platform:7.4
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Unaffected: 0:2.2.22-1.SP3_redhat_00002.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Unaffected: 0:7.4.9-6.GA_redhat_00004.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Unaffected: 0:2.2.23-1.SP2_redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Unaffected: 0:2.0.14-1.Final_redhat_00001.1.el8eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 Unaffected: 0:2.2.22-1.SP3_redhat_00002.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 Unaffected: 0:7.4.9-6.GA_redhat_00004.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 Unaffected: 0:2.2.23-1.SP2_redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 Unaffected: 0:2.0.14-1.Final_redhat_00001.1.el9eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Unaffected: 0:2.2.22-1.SP3_redhat_00002.1.el7eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Unaffected: 0:7.4.9-6.GA_redhat_00004.1.el7eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Unaffected: 0:2.2.23-1.SP2_redhat_00001.1.el7eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Unaffected: 0:2.0.14-1.Final_redhat_00001.1.el7eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7.6.4
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 7 Unaffected: 0:18.0.8-1.redhat_00001.1.el7sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el7
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 8 Unaffected: 0:18.0.8-1.redhat_00001.1.el8sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el8
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 9 Unaffected: 0:18.0.8-1.redhat_00001.1.el9sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el9
 Create a notification for this product.
   Red Hat Red Hat support for Spring Boot 2.7.13     cpe:/a:redhat:openshift_application_runtimes:1.0
 Create a notification for this product.
   Red Hat RHEL-8 based Middleware Containers Unaffected: 7.6-24   < *
    cpe:/a:redhat:rhosemc:1.0::el8
 Create a notification for this product.
   Red Hat RHPAM 7.13.1 async     cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
 Create a notification for this product.
   Red Hat Red Hat build of Quarkus     cpe:/a:redhat:quarkus:2
 Create a notification for this product.
   Red Hat Red Hat Data Grid 8     cpe:/a:redhat:jboss_data_grid:8
 Create a notification for this product.
   Red Hat Red Hat Integration Camel K     cpe:/a:redhat:integration:1
 Create a notification for this product.
   Red Hat Red Hat Integration Camel Quarkus     cpe:/a:redhat:camel_quarkus:2
 Create a notification for this product.
   Red Hat Red Hat Integration Service Registry     cpe:/a:redhat:service_registry:2
 Create a notification for this product.
   Red Hat Red Hat JBoss Data Grid 7     cpe:/a:redhat:jboss_data_grid:7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack     cpe:/a:redhat:jbosseapxp
 Create a notification for this product.
   Red Hat Red Hat JBoss Fuse 6     cpe:/a:redhat:jboss_fuse:6
 Create a notification for this product.
   Red Hat Red Hat OpenStack Platform 13 (Queens)     cpe:/a:redhat:openstack:13
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-1108",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-08T18:37:50.625681Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-08T18:38:02.186Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T05:32:46.370Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2023:1184",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:1184"
          },
          {
            "name": "RHSA-2023:1185",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:1185"
          },
          {
            "name": "RHSA-2023:1512",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:1512"
          },
          {
            "name": "RHSA-2023:1513",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:1513"
          },
          {
            "name": "RHSA-2023:1514",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:1514"
          },
          {
            "name": "RHSA-2023:1516",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:1516"
          },
          {
            "name": "RHSA-2023:2135",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:2135"
          },
          {
            "name": "RHSA-2023:3883",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:3883"
          },
          {
            "name": "RHSA-2023:3884",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:3884"
          },
          {
            "name": "RHSA-2023:3885",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:3885"
          },
          {
            "name": "RHSA-2023:3888",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:3888"
          },
          {
            "name": "RHSA-2023:3892",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:3892"
          },
          {
            "name": "RHSA-2023:3954",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:3954"
          },
          {
            "name": "RHSA-2023:4612",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:4612"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2023-1108"
          },
          {
            "name": "RHBZ#2174246",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2174246"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/advisories/GHSA-m4mm-pg93-fv78"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20231020-0002/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/undertow-io/undertow",
          "packageName": "io.undertow:undertow-core",
          "versions": [
            {
              "status": "unaffected",
              "version": "2.3.5"
            },
            {
              "status": "unaffected",
              "version": "2.2.24"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4"
          ],
          "defaultStatus": "unaffected",
          "product": "EAP 7.4.10 release",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_fuse:7"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "product": "Red Hat Fuse 7.12",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "product": "Red Hat JBoss Enterprise Application Platform 7.1.0",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7",
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9",
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-undertow",
          "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.2.22-1.SP3_redhat_00002.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7",
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9",
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-wildfly",
          "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:7.4.9-6.GA_redhat_00004.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-undertow",
          "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.2.23-1.SP2_redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-undertow-jastow",
          "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.0.14-1.Final_redhat_00001.1.el8eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7",
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9",
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-undertow",
          "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.2.22-1.SP3_redhat_00002.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7",
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9",
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-wildfly",
          "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:7.4.9-6.GA_redhat_00004.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-undertow",
          "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.2.23-1.SP2_redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-undertow-jastow",
          "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.0.14-1.Final_redhat_00001.1.el9eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7",
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9",
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-undertow",
          "product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.2.22-1.SP3_redhat_00002.1.el7eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7",
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9",
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-wildfly",
          "product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:7.4.9-6.GA_redhat_00004.1.el7eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-undertow",
          "product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.2.23-1.SP2_redhat_00001.1.el7eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-undertow-jastow",
          "product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.0.14-1.Final_redhat_00001.1.el7eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6.4"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "product": "Red Hat Single Sign-On 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.8-1.redhat_00001.1.el7sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.8-1.redhat_00001.1.el8sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.8-1.redhat_00001.1.el9sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_application_runtimes:1.0"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "product": "Red Hat support for Spring Boot 2.7.13",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso-7/sso76-openshift-rhel8",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.6-24",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "product": "RHPAM 7.13.1 async",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:quarkus:2"
          ],
          "defaultStatus": "unaffected",
          "packageName": "io.quarkus/quarkus-undertow",
          "product": "Red Hat build of Quarkus",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_data_grid:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "product": "Red Hat Data Grid 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:integration:1"
          ],
          "defaultStatus": "affected",
          "packageName": "undertow",
          "product": "Red Hat Integration Camel K",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:camel_quarkus:2"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "product": "Red Hat Integration Camel Quarkus",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:service_registry:2"
          ],
          "defaultStatus": "affected",
          "packageName": "undertow",
          "product": "Red Hat Integration Service Registry",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_data_grid:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "undertow",
          "product": "Red Hat JBoss Data Grid 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jbosseapxp"
          ],
          "defaultStatus": "affected",
          "packageName": "undertow",
          "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_fuse:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "undertow",
          "product": "Red Hat JBoss Fuse 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openstack:13"
          ],
          "defaultStatus": "affected",
          "packageName": "undertow",
          "product": "Red Hat OpenStack Platform 13 (Queens)",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2023-03-07T00:00:00+00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-835",
              "description": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-03T15:32:32.904Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2023:1184",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:1184"
        },
        {
          "name": "RHSA-2023:1185",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:1185"
        },
        {
          "name": "RHSA-2023:1512",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:1512"
        },
        {
          "name": "RHSA-2023:1513",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:1513"
        },
        {
          "name": "RHSA-2023:1514",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:1514"
        },
        {
          "name": "RHSA-2023:1516",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:1516"
        },
        {
          "name": "RHSA-2023:2135",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:2135"
        },
        {
          "name": "RHSA-2023:3883",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:3883"
        },
        {
          "name": "RHSA-2023:3884",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:3884"
        },
        {
          "name": "RHSA-2023:3885",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:3885"
        },
        {
          "name": "RHSA-2023:3888",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:3888"
        },
        {
          "name": "RHSA-2023:3892",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:3892"
        },
        {
          "name": "RHSA-2023:3954",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:3954"
        },
        {
          "name": "RHSA-2023:4612",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:4612"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2023-1108"
        },
        {
          "name": "RHBZ#2174246",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2174246"
        },
        {
          "url": "https://github.com/advisories/GHSA-m4mm-pg93-fv78"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20231020-0002/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-02-07T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2023-03-07T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Undertow: infinite loop in sslconduit during close",
      "x_redhatCweChain": "CWE-835: Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-1108",
    "datePublished": "2023-09-14T14:48:58.869Z",
    "dateReserved": "2023-03-01T00:27:23.587Z",
    "dateUpdated": "2024-08-02T05:32:46.370Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-14843 (GCVE-0-2019-14843)
Vulnerability from cvelistv5
Published
2020-01-07 16:34
Modified
2024-08-05 00:26
Severity ?
7.5 (High) - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
Summary
A flaw was found in Wildfly Security Manager, running under JDK 11 or 8, that authorized requests for any requester. This flaw could be used by a malicious app deployed on the app server to access unauthorized information and possibly conduct further attacks. Versions shipped with Red Hat Jboss EAP 7 and Red Hat SSO 7 are vulnerable to this issue.
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14843x_refsource_CONFIRM
Impacted products
Vendor Product Version
Red Hat wildfly-security-manager Version: As shipped with Red Hat Jboss EAP 7 and Red Hat SSO 7
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T00:26:39.115Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14843"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wildfly-security-manager",
          "vendor": "Red Hat",
          "versions": [
            {
              "status": "affected",
              "version": "As shipped with Red Hat Jboss EAP 7 and Red Hat SSO 7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Wildfly Security Manager, running under JDK 11 or 8, that authorized requests for any requester. This flaw could be used by a malicious app deployed on the app server to access unauthorized information and possibly conduct further attacks. Versions shipped with Red Hat Jboss EAP 7 and Red Hat SSO 7 are vulnerable to this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-592",
              "description": "CWE-592",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-01-07T16:34:59",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14843"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2019-14843",
    "datePublished": "2020-01-07T16:34:59",
    "dateReserved": "2019-08-10T00:00:00",
    "dateUpdated": "2024-08-05T00:26:39.115Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-25689 (GCVE-0-2020-25689)
Vulnerability from cvelistv5
Published
2020-10-30 00:00
Modified
2024-08-04 15:40
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE
Summary
A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability.
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25689
https://security.netapp.com/advisory/ntap-20201123-0006/
Impacted products
Vendor Product Version
Red Hat wildfly-core Version: up to 21.0.0.Final
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T15:40:36.775Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25689"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20201123-0006/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wildfly-core",
          "vendor": "Red Hat",
          "versions": [
            {
              "status": "affected",
              "version": "up to 21.0.0.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-401",
              "description": "CWE-401",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-07T00:00:00",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25689"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20201123-0006/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-25689",
    "datePublished": "2020-10-30T00:00:00",
    "dateReserved": "2020-09-16T00:00:00",
    "dateUpdated": "2024-08-04T15:40:36.775Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-14379 (GCVE-0-2019-14379)
Vulnerability from cvelistv5
Published
2019-07-29 11:42
Modified
2024-08-05 00:19
Severity ?
CWE
  • n/a
Summary
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.
References
https://lists.debian.org/debian-lts-announce/2019/08/msg00011.htmlmailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/e25e734c315f70d8876a846926cfe3bfa1a4888044f146e844caf72f%40%3Ccommits.ambari.apache.org%3Emailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/f17f63b0f8a57e4a5759e01d25cffc0548f0b61ff5c6bfd704ad2f2a%40%3Ccommits.ambari.apache.org%3Emailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/525bcf949a4b0da87a375cbad2680b8beccde749522f24c49befe7fb%40%3Ccommits.pulsar.apache.org%3Emailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9%40%3Cdev.tomee.apache.org%3Emailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9%40%3Cdev.tomee.apache.org%3Emailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4%40%3Cdev.tomee.apache.org%3Emailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d%40%3Cdev.tomee.apache.org%3Emailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be%40%3Cdev.tomee.apache.org%3Emailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319%40%3Cdev.tomee.apache.org%3Emailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef%40%3Cdev.struts.apache.org%3Emailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1%40%3Cdev.tomee.apache.org%3Emailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b%40%3Cdev.tomee.apache.org%3Emailing-list, x_refsource_MLIST
https://access.redhat.com/errata/RHSA-2019:2743vendor-advisory, x_refsource_REDHAT
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC/vendor-advisory, x_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/vendor-advisory, x_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/vendor-advisory, x_refsource_FEDORA
https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69%40%3Ccommits.tinkerpop.apache.org%3Emailing-list, x_refsource_MLIST
https://access.redhat.com/errata/RHSA-2019:2858vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:2937vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:2935vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:2936vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:2938vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:2998vendor-advisory, x_refsource_REDHAT
https://lists.apache.org/thread.html/859815b2e9f1575acbb2b260b73861c16ca49bca627fa0c46419051f%40%3Cissues.iceberg.apache.org%3Emailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/689c6bcc6c7612eee71e453a115a4c8581e7b718537025d4b265783d%40%3Cissues.iceberg.apache.org%3Emailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/2766188be238a446a250ef76801037d452979152d85bce5e46805815%40%3Cissues.iceberg.apache.org%3Emailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/75f482fdc84abe6d0c8f438a76437c335a7bbeb5cddd4d70b4bc0cbf%40%3Cissues.iceberg.apache.org%3Emailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/99944f86abefde389da9b4040ea2327c6aa0b53a2ff9352bd4cfec17%40%3Cissues.iceberg.apache.org%3Emailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/8723b52c2544e6cb804bc8a36622c584acd1bd6c53f2b6034c9fea54%40%3Cissues.iceberg.apache.org%3Emailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/d161ff3d59c5a8213400dd6afb1cce1fac4f687c32d1e0c0bfbfaa2d%40%3Cissues.iceberg.apache.org%3Emailing-list, x_refsource_MLIST
https://access.redhat.com/errata/RHBA-2019:2824vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:3044vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:3045vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:3050vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:3046vendor-advisory, x_refsource_REDHAT
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3Emailing-list, x_refsource_MLIST
https://access.redhat.com/errata/RHSA-2019:3149vendor-advisory, x_refsource_REDHAT
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3Emailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3Emailing-list, x_refsource_MLIST
https://access.redhat.com/errata/RHSA-2019:3200vendor-advisory, x_refsource_REDHAT
https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6%40%3Cissues.iceberg.apache.org%3Emailing-list, x_refsource_MLIST
https://access.redhat.com/errata/RHSA-2019:3292vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:3297vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:3901vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2020:0727vendor-advisory, x_refsource_REDHAT
https://www.oracle.com/security-alerts/cpuapr2020.htmlx_refsource_MISC
https://www.oracle.com/security-alerts/cpujul2020.htmlx_refsource_MISC
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.htmlx_refsource_MISC
https://www.oracle.com/security-alerts/cpujan2020.htmlx_refsource_MISC
https://github.com/FasterXML/jackson-databind/issues/2387x_refsource_MISC
https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2x_refsource_MISC
https://security.netapp.com/advisory/ntap-20190814-0001/x_refsource_CONFIRM
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3Emailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3Emailing-list, x_refsource_MLIST
https://www.oracle.com/security-alerts/cpuoct2020.htmlx_refsource_MISC
https://www.oracle.com/security-alerts/cpuApr2021.htmlx_refsource_MISC
https://support.apple.com/kb/HT213189x_refsource_CONFIRM
http://seclists.org/fulldisclosure/2022/Mar/23mailing-list, x_refsource_FULLDISC
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T00:19:40.551Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[debian-lts-announce] 20190812 [SECURITY] [DLA 1879-1] jackson-databind security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00011.html"
          },
          {
            "name": "[ambari-commits] 20190813 [ambari] branch branch-2.7 updated: AMBARI-25352 : Upgrade fasterxml jackson dependency due to CVE-2019-14379 (#3066)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/e25e734c315f70d8876a846926cfe3bfa1a4888044f146e844caf72f%40%3Ccommits.ambari.apache.org%3E"
          },
          {
            "name": "[ambari-commits] 20190813 [ambari] branch trunk updated: AMBARI-25352 : Upgrade fasterxml jackson dependency due to CVE-2019-14379(trunk) (#3067)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/f17f63b0f8a57e4a5759e01d25cffc0548f0b61ff5c6bfd704ad2f2a%40%3Ccommits.ambari.apache.org%3E"
          },
          {
            "name": "[pulsar-commits] 20190822 [GitHub] [pulsar] massakam opened a new pull request #5011: [security] Upgrade jackson-databind",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/525bcf949a4b0da87a375cbad2680b8beccde749522f24c49befe7fb%40%3Ccommits.pulsar.apache.org%3E"
          },
          {
            "name": "[tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9%40%3Cdev.tomee.apache.org%3E"
          },
          {
            "name": "[tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9%40%3Cdev.tomee.apache.org%3E"
          },
          {
            "name": "[tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4%40%3Cdev.tomee.apache.org%3E"
          },
          {
            "name": "[tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d%40%3Cdev.tomee.apache.org%3E"
          },
          {
            "name": "[tomee-dev] 20190905 [GitHub] [tomee] robert-schaft-hon commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be%40%3Cdev.tomee.apache.org%3E"
          },
          {
            "name": "[tomee-dev] 20190906 [GitHub] [tomee] rzo1 commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319%40%3Cdev.tomee.apache.org%3E"
          },
          {
            "name": "[struts-dev] 20190908 Build failed in Jenkins: Struts-master-JDK8-dependency-check #204",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef%40%3Cdev.struts.apache.org%3E"
          },
          {
            "name": "[tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1%40%3Cdev.tomee.apache.org%3E"
          },
          {
            "name": "[tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b%40%3Cdev.tomee.apache.org%3E"
          },
          {
            "name": "RHSA-2019:2743",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2743"
          },
          {
            "name": "FEDORA-2019-99ff6aa32c",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC/"
          },
          {
            "name": "FEDORA-2019-ae6a703b8f",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/"
          },
          {
            "name": "FEDORA-2019-fb23eccc03",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/"
          },
          {
            "name": "[tinkerpop-commits] 20190924 [GitHub] [tinkerpop] justinchuch opened a new pull request #1200: Upgrade jackson due to CVE issues",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69%40%3Ccommits.tinkerpop.apache.org%3E"
          },
          {
            "name": "RHSA-2019:2858",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2858"
          },
          {
            "name": "RHSA-2019:2937",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2937"
          },
          {
            "name": "RHSA-2019:2935",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2935"
          },
          {
            "name": "RHSA-2019:2936",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2936"
          },
          {
            "name": "RHSA-2019:2938",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2938"
          },
          {
            "name": "RHSA-2019:2998",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2998"
          },
          {
            "name": "[iceberg-issues] 20191010 [GitHub] [incubator-iceberg] rdblue opened a new pull request #533: Update Jackson to 2.9.10 for CVE-2019-14379",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/859815b2e9f1575acbb2b260b73861c16ca49bca627fa0c46419051f%40%3Cissues.iceberg.apache.org%3E"
          },
          {
            "name": "[iceberg-issues] 20191010 [GitHub] [incubator-iceberg] mccheah opened a new pull request #535: Update Jackson to 2.9.10 for CVE-2019-14379",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/689c6bcc6c7612eee71e453a115a4c8581e7b718537025d4b265783d%40%3Cissues.iceberg.apache.org%3E"
          },
          {
            "name": "[iceberg-issues] 20191010 [GitHub] [incubator-iceberg] rdblue commented on issue #535: Update Jackson to 2.9.10 for CVE-2019-14379",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/2766188be238a446a250ef76801037d452979152d85bce5e46805815%40%3Cissues.iceberg.apache.org%3E"
          },
          {
            "name": "[iceberg-issues] 20191010 [GitHub] [incubator-iceberg] mccheah commented on issue #535: Update Jackson to 2.9.10 for CVE-2019-14379",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/75f482fdc84abe6d0c8f438a76437c335a7bbeb5cddd4d70b4bc0cbf%40%3Cissues.iceberg.apache.org%3E"
          },
          {
            "name": "[iceberg-issues] 20191010 [GitHub] [incubator-iceberg] rdblue closed pull request #533: Update Jackson to 2.9.10 for CVE-2019-14379",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/99944f86abefde389da9b4040ea2327c6aa0b53a2ff9352bd4cfec17%40%3Cissues.iceberg.apache.org%3E"
          },
          {
            "name": "[iceberg-issues] 20191010 [GitHub] [incubator-iceberg] rdblue merged pull request #535: Update Jackson to 2.9.10 for CVE-2019-14379",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/8723b52c2544e6cb804bc8a36622c584acd1bd6c53f2b6034c9fea54%40%3Cissues.iceberg.apache.org%3E"
          },
          {
            "name": "[iceberg-issues] 20191010 [GitHub] [incubator-iceberg] rdblue commented on issue #533: Update Jackson to 2.9.10 for CVE-2019-14379",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/d161ff3d59c5a8213400dd6afb1cce1fac4f687c32d1e0c0bfbfaa2d%40%3Cissues.iceberg.apache.org%3E"
          },
          {
            "name": "RHBA-2019:2824",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHBA-2019:2824"
          },
          {
            "name": "RHSA-2019:3044",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3044"
          },
          {
            "name": "RHSA-2019:3045",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3045"
          },
          {
            "name": "RHSA-2019:3050",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3050"
          },
          {
            "name": "RHSA-2019:3046",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3046"
          },
          {
            "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
          },
          {
            "name": "RHSA-2019:3149",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3149"
          },
          {
            "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
          },
          {
            "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
          },
          {
            "name": "RHSA-2019:3200",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3200"
          },
          {
            "name": "[iceberg-issues] 20191027 [GitHub] [incubator-iceberg] rdsr commented on issue #535: Update Jackson to 2.9.10 for CVE-2019-14379",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6%40%3Cissues.iceberg.apache.org%3E"
          },
          {
            "name": "RHSA-2019:3292",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3292"
          },
          {
            "name": "RHSA-2019:3297",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3297"
          },
          {
            "name": "RHSA-2019:3901",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3901"
          },
          {
            "name": "RHSA-2020:0727",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0727"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/FasterXML/jackson-databind/issues/2387"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20190814-0001/"
          },
          {
            "name": "[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E"
          },
          {
            "name": "[geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in geode-core-1.12",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.apple.com/kb/HT213189"
          },
          {
            "name": "20220314 APPLE-SA-2022-03-14-7 Xcode 13.3",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2022/Mar/23"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-15T05:06:54",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "[debian-lts-announce] 20190812 [SECURITY] [DLA 1879-1] jackson-databind security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00011.html"
        },
        {
          "name": "[ambari-commits] 20190813 [ambari] branch branch-2.7 updated: AMBARI-25352 : Upgrade fasterxml jackson dependency due to CVE-2019-14379 (#3066)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/e25e734c315f70d8876a846926cfe3bfa1a4888044f146e844caf72f%40%3Ccommits.ambari.apache.org%3E"
        },
        {
          "name": "[ambari-commits] 20190813 [ambari] branch trunk updated: AMBARI-25352 : Upgrade fasterxml jackson dependency due to CVE-2019-14379(trunk) (#3067)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/f17f63b0f8a57e4a5759e01d25cffc0548f0b61ff5c6bfd704ad2f2a%40%3Ccommits.ambari.apache.org%3E"
        },
        {
          "name": "[pulsar-commits] 20190822 [GitHub] [pulsar] massakam opened a new pull request #5011: [security] Upgrade jackson-databind",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/525bcf949a4b0da87a375cbad2680b8beccde749522f24c49befe7fb%40%3Ccommits.pulsar.apache.org%3E"
        },
        {
          "name": "[tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9%40%3Cdev.tomee.apache.org%3E"
        },
        {
          "name": "[tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9%40%3Cdev.tomee.apache.org%3E"
        },
        {
          "name": "[tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4%40%3Cdev.tomee.apache.org%3E"
        },
        {
          "name": "[tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d%40%3Cdev.tomee.apache.org%3E"
        },
        {
          "name": "[tomee-dev] 20190905 [GitHub] [tomee] robert-schaft-hon commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be%40%3Cdev.tomee.apache.org%3E"
        },
        {
          "name": "[tomee-dev] 20190906 [GitHub] [tomee] rzo1 commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319%40%3Cdev.tomee.apache.org%3E"
        },
        {
          "name": "[struts-dev] 20190908 Build failed in Jenkins: Struts-master-JDK8-dependency-check #204",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef%40%3Cdev.struts.apache.org%3E"
        },
        {
          "name": "[tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1%40%3Cdev.tomee.apache.org%3E"
        },
        {
          "name": "[tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b%40%3Cdev.tomee.apache.org%3E"
        },
        {
          "name": "RHSA-2019:2743",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2743"
        },
        {
          "name": "FEDORA-2019-99ff6aa32c",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC/"
        },
        {
          "name": "FEDORA-2019-ae6a703b8f",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/"
        },
        {
          "name": "FEDORA-2019-fb23eccc03",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/"
        },
        {
          "name": "[tinkerpop-commits] 20190924 [GitHub] [tinkerpop] justinchuch opened a new pull request #1200: Upgrade jackson due to CVE issues",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69%40%3Ccommits.tinkerpop.apache.org%3E"
        },
        {
          "name": "RHSA-2019:2858",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2858"
        },
        {
          "name": "RHSA-2019:2937",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2937"
        },
        {
          "name": "RHSA-2019:2935",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2935"
        },
        {
          "name": "RHSA-2019:2936",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2936"
        },
        {
          "name": "RHSA-2019:2938",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2938"
        },
        {
          "name": "RHSA-2019:2998",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2998"
        },
        {
          "name": "[iceberg-issues] 20191010 [GitHub] [incubator-iceberg] rdblue opened a new pull request #533: Update Jackson to 2.9.10 for CVE-2019-14379",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/859815b2e9f1575acbb2b260b73861c16ca49bca627fa0c46419051f%40%3Cissues.iceberg.apache.org%3E"
        },
        {
          "name": "[iceberg-issues] 20191010 [GitHub] [incubator-iceberg] mccheah opened a new pull request #535: Update Jackson to 2.9.10 for CVE-2019-14379",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/689c6bcc6c7612eee71e453a115a4c8581e7b718537025d4b265783d%40%3Cissues.iceberg.apache.org%3E"
        },
        {
          "name": "[iceberg-issues] 20191010 [GitHub] [incubator-iceberg] rdblue commented on issue #535: Update Jackson to 2.9.10 for CVE-2019-14379",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/2766188be238a446a250ef76801037d452979152d85bce5e46805815%40%3Cissues.iceberg.apache.org%3E"
        },
        {
          "name": "[iceberg-issues] 20191010 [GitHub] [incubator-iceberg] mccheah commented on issue #535: Update Jackson to 2.9.10 for CVE-2019-14379",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/75f482fdc84abe6d0c8f438a76437c335a7bbeb5cddd4d70b4bc0cbf%40%3Cissues.iceberg.apache.org%3E"
        },
        {
          "name": "[iceberg-issues] 20191010 [GitHub] [incubator-iceberg] rdblue closed pull request #533: Update Jackson to 2.9.10 for CVE-2019-14379",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/99944f86abefde389da9b4040ea2327c6aa0b53a2ff9352bd4cfec17%40%3Cissues.iceberg.apache.org%3E"
        },
        {
          "name": "[iceberg-issues] 20191010 [GitHub] [incubator-iceberg] rdblue merged pull request #535: Update Jackson to 2.9.10 for CVE-2019-14379",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/8723b52c2544e6cb804bc8a36622c584acd1bd6c53f2b6034c9fea54%40%3Cissues.iceberg.apache.org%3E"
        },
        {
          "name": "[iceberg-issues] 20191010 [GitHub] [incubator-iceberg] rdblue commented on issue #533: Update Jackson to 2.9.10 for CVE-2019-14379",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/d161ff3d59c5a8213400dd6afb1cce1fac4f687c32d1e0c0bfbfaa2d%40%3Cissues.iceberg.apache.org%3E"
        },
        {
          "name": "RHBA-2019:2824",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHBA-2019:2824"
        },
        {
          "name": "RHSA-2019:3044",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3044"
        },
        {
          "name": "RHSA-2019:3045",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3045"
        },
        {
          "name": "RHSA-2019:3050",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3050"
        },
        {
          "name": "RHSA-2019:3046",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3046"
        },
        {
          "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
        },
        {
          "name": "RHSA-2019:3149",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3149"
        },
        {
          "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
        },
        {
          "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
        },
        {
          "name": "RHSA-2019:3200",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3200"
        },
        {
          "name": "[iceberg-issues] 20191027 [GitHub] [incubator-iceberg] rdsr commented on issue #535: Update Jackson to 2.9.10 for CVE-2019-14379",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6%40%3Cissues.iceberg.apache.org%3E"
        },
        {
          "name": "RHSA-2019:3292",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3292"
        },
        {
          "name": "RHSA-2019:3297",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3297"
        },
        {
          "name": "RHSA-2019:3901",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3901"
        },
        {
          "name": "RHSA-2020:0727",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0727"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FasterXML/jackson-databind/issues/2387"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20190814-0001/"
        },
        {
          "name": "[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E"
        },
        {
          "name": "[geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in geode-core-1.12",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.apple.com/kb/HT213189"
        },
        {
          "name": "20220314 APPLE-SA-2022-03-14-7 Xcode 13.3",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2022/Mar/23"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-14379",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[debian-lts-announce] 20190812 [SECURITY] [DLA 1879-1] jackson-databind security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00011.html"
            },
            {
              "name": "[ambari-commits] 20190813 [ambari] branch branch-2.7 updated: AMBARI-25352 : Upgrade fasterxml jackson dependency due to CVE-2019-14379 (#3066)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/e25e734c315f70d8876a846926cfe3bfa1a4888044f146e844caf72f@%3Ccommits.ambari.apache.org%3E"
            },
            {
              "name": "[ambari-commits] 20190813 [ambari] branch trunk updated: AMBARI-25352 : Upgrade fasterxml jackson dependency due to CVE-2019-14379(trunk) (#3067)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/f17f63b0f8a57e4a5759e01d25cffc0548f0b61ff5c6bfd704ad2f2a@%3Ccommits.ambari.apache.org%3E"
            },
            {
              "name": "[pulsar-commits] 20190822 [GitHub] [pulsar] massakam opened a new pull request #5011: [security] Upgrade jackson-databind",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/525bcf949a4b0da87a375cbad2680b8beccde749522f24c49befe7fb@%3Ccommits.pulsar.apache.org%3E"
            },
            {
              "name": "[tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E"
            },
            {
              "name": "[tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E"
            },
            {
              "name": "[tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E"
            },
            {
              "name": "[tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E"
            },
            {
              "name": "[tomee-dev] 20190905 [GitHub] [tomee] robert-schaft-hon commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E"
            },
            {
              "name": "[tomee-dev] 20190906 [GitHub] [tomee] rzo1 commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E"
            },
            {
              "name": "[struts-dev] 20190908 Build failed in Jenkins: Struts-master-JDK8-dependency-check #204",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E"
            },
            {
              "name": "[tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E"
            },
            {
              "name": "[tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E"
            },
            {
              "name": "RHSA-2019:2743",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2743"
            },
            {
              "name": "FEDORA-2019-99ff6aa32c",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC/"
            },
            {
              "name": "FEDORA-2019-ae6a703b8f",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/"
            },
            {
              "name": "FEDORA-2019-fb23eccc03",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/"
            },
            {
              "name": "[tinkerpop-commits] 20190924 [GitHub] [tinkerpop] justinchuch opened a new pull request #1200: Upgrade jackson due to CVE issues",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69@%3Ccommits.tinkerpop.apache.org%3E"
            },
            {
              "name": "RHSA-2019:2858",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2858"
            },
            {
              "name": "RHSA-2019:2937",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2937"
            },
            {
              "name": "RHSA-2019:2935",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2935"
            },
            {
              "name": "RHSA-2019:2936",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2936"
            },
            {
              "name": "RHSA-2019:2938",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2938"
            },
            {
              "name": "RHSA-2019:2998",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2998"
            },
            {
              "name": "[iceberg-issues] 20191010 [GitHub] [incubator-iceberg] rdblue opened a new pull request #533: Update Jackson to 2.9.10 for CVE-2019-14379",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/859815b2e9f1575acbb2b260b73861c16ca49bca627fa0c46419051f@%3Cissues.iceberg.apache.org%3E"
            },
            {
              "name": "[iceberg-issues] 20191010 [GitHub] [incubator-iceberg] mccheah opened a new pull request #535: Update Jackson to 2.9.10 for CVE-2019-14379",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/689c6bcc6c7612eee71e453a115a4c8581e7b718537025d4b265783d@%3Cissues.iceberg.apache.org%3E"
            },
            {
              "name": "[iceberg-issues] 20191010 [GitHub] [incubator-iceberg] rdblue commented on issue #535: Update Jackson to 2.9.10 for CVE-2019-14379",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/2766188be238a446a250ef76801037d452979152d85bce5e46805815@%3Cissues.iceberg.apache.org%3E"
            },
            {
              "name": "[iceberg-issues] 20191010 [GitHub] [incubator-iceberg] mccheah commented on issue #535: Update Jackson to 2.9.10 for CVE-2019-14379",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/75f482fdc84abe6d0c8f438a76437c335a7bbeb5cddd4d70b4bc0cbf@%3Cissues.iceberg.apache.org%3E"
            },
            {
              "name": "[iceberg-issues] 20191010 [GitHub] [incubator-iceberg] rdblue closed pull request #533: Update Jackson to 2.9.10 for CVE-2019-14379",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/99944f86abefde389da9b4040ea2327c6aa0b53a2ff9352bd4cfec17@%3Cissues.iceberg.apache.org%3E"
            },
            {
              "name": "[iceberg-issues] 20191010 [GitHub] [incubator-iceberg] rdblue merged pull request #535: Update Jackson to 2.9.10 for CVE-2019-14379",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/8723b52c2544e6cb804bc8a36622c584acd1bd6c53f2b6034c9fea54@%3Cissues.iceberg.apache.org%3E"
            },
            {
              "name": "[iceberg-issues] 20191010 [GitHub] [incubator-iceberg] rdblue commented on issue #533: Update Jackson to 2.9.10 for CVE-2019-14379",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/d161ff3d59c5a8213400dd6afb1cce1fac4f687c32d1e0c0bfbfaa2d@%3Cissues.iceberg.apache.org%3E"
            },
            {
              "name": "RHBA-2019:2824",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHBA-2019:2824"
            },
            {
              "name": "RHSA-2019:3044",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3044"
            },
            {
              "name": "RHSA-2019:3045",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3045"
            },
            {
              "name": "RHSA-2019:3050",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3050"
            },
            {
              "name": "RHSA-2019:3046",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3046"
            },
            {
              "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E"
            },
            {
              "name": "RHSA-2019:3149",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3149"
            },
            {
              "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E"
            },
            {
              "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E"
            },
            {
              "name": "RHSA-2019:3200",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3200"
            },
            {
              "name": "[iceberg-issues] 20191027 [GitHub] [incubator-iceberg] rdsr commented on issue #535: Update Jackson to 2.9.10 for CVE-2019-14379",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6@%3Cissues.iceberg.apache.org%3E"
            },
            {
              "name": "RHSA-2019:3292",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3292"
            },
            {
              "name": "RHSA-2019:3297",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3297"
            },
            {
              "name": "RHSA-2019:3901",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3901"
            },
            {
              "name": "RHSA-2020:0727",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2020:0727"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
            },
            {
              "name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
            },
            {
              "name": "https://github.com/FasterXML/jackson-databind/issues/2387",
              "refsource": "MISC",
              "url": "https://github.com/FasterXML/jackson-databind/issues/2387"
            },
            {
              "name": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2",
              "refsource": "MISC",
              "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20190814-0001/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20190814-0001/"
            },
            {
              "name": "[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E"
            },
            {
              "name": "[geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in geode-core-1.12",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
            },
            {
              "name": "https://support.apple.com/kb/HT213189",
              "refsource": "CONFIRM",
              "url": "https://support.apple.com/kb/HT213189"
            },
            {
              "name": "20220314 APPLE-SA-2022-03-14-7 Xcode 13.3",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2022/Mar/23"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-14379",
    "datePublished": "2019-07-29T11:42:42",
    "dateReserved": "2019-07-29T00:00:00",
    "dateUpdated": "2024-08-05T00:19:40.551Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-25644 (GCVE-0-2020-25644)
Vulnerability from cvelistv5
Published
2020-10-06 00:00
Modified
2024-08-04 15:40
Severity ?
CWE
Summary
A memory leak flaw was found in WildFly OpenSSL in versions prior to 1.1.3.Final, where it removes an HTTP session. It may allow the attacker to cause OOM leading to a denial of service. The highest threat from this vulnerability is to system availability.
References
https://issues.redhat.com/browse/WFSSL-51
https://github.com/wildfly-security/wildfly-openssl-natives/pull/4/files
https://bugzilla.redhat.com/show_bug.cgi?id=1885485
https://security.netapp.com/advisory/ntap-20201016-0004/
Impacted products
Vendor Product Version
n/a wildfly-openssl Version: before wildfly-openssl 1.1.3.Final
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T15:40:36.576Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://issues.redhat.com/browse/WFSSL-51"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/wildfly-security/wildfly-openssl-natives/pull/4/files"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1885485"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20201016-0004/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wildfly-openssl",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "before wildfly-openssl 1.1.3.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A memory leak flaw was found in WildFly OpenSSL in versions prior to 1.1.3.Final, where it removes an HTTP session. It may allow the attacker to cause OOM leading to a denial of service. The highest threat from this vulnerability is to system availability."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-401",
              "description": "CWE-401",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-07T00:00:00",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "https://issues.redhat.com/browse/WFSSL-51"
        },
        {
          "url": "https://github.com/wildfly-security/wildfly-openssl-natives/pull/4/files"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1885485"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20201016-0004/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-25644",
    "datePublished": "2020-10-06T00:00:00",
    "dateReserved": "2020-09-16T00:00:00",
    "dateUpdated": "2024-08-04T15:40:36.576Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-48795 (GCVE-0-2023-48795)
Vulnerability from cvelistv5
Published
2023-12-18 00:00
Modified
2025-05-14 19:34
Severity ?
CWE
  • n/a
Summary
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.
References
https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
https://matt.ucc.asn.au/dropbear/CHANGES
https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES
https://www.netsarang.com/en/xshell-update-history/
https://www.paramiko.org/changelog.html
https://www.openssh.com/openbsd.html
https://github.com/openssh/openssh-portable/commits/master
https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ
https://www.bitvise.com/ssh-server-version-history
https://github.com/ronf/asyncssh/tags
https://gitlab.com/libssh/libssh-mirror/-/tags
https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/
https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42
https://www.openssh.com/txt/release-9.6
https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/
https://www.terrapin-attack.com
https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25
https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst
https://thorntech.com/cve-2023-48795-and-sftp-gateway/
https://github.com/warp-tech/russh/releases/tag/v0.40.2
https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0
https://www.openwall.com/lists/oss-security/2023/12/18/2
https://twitter.com/TrueSkrillor/status/1736774389725565005
https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d
https://github.com/paramiko/paramiko/issues/2337
https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg
https://news.ycombinator.com/item?id=38684904
https://news.ycombinator.com/item?id=38685286
http://www.openwall.com/lists/oss-security/2023/12/18/3mailing-list
https://github.com/mwiede/jsch/issues/457
https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6
https://github.com/erlang/otp/releases/tag/OTP-26.2.1
https://github.com/advisories/GHSA-45x7-px36-x8w8
https://security-tracker.debian.org/tracker/source-package/libssh2
https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg
https://security-tracker.debian.org/tracker/CVE-2023-48795
https://bugzilla.suse.com/show_bug.cgi?id=1217950
https://bugzilla.redhat.com/show_bug.cgi?id=2254210
https://bugs.gentoo.org/920280
https://ubuntu.com/security/CVE-2023-48795
https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/
https://access.redhat.com/security/cve/cve-2023-48795
https://github.com/mwiede/jsch/pull/461
https://github.com/drakkan/sftpgo/releases/tag/v2.5.6
https://github.com/libssh2/libssh2/pull/1291
https://forum.netgate.com/topic/184941/terrapin-ssh-attack
https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5
https://github.com/rapier1/hpn-ssh/releases
https://github.com/proftpd/proftpd/issues/456
https://github.com/TeraTermProject/teraterm/releases/tag/v5.1
https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15
https://oryx-embedded.com/download/#changelog
https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update
https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22
https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab
https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3
https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC
https://crates.io/crates/thrussh/versions
https://github.com/NixOS/nixpkgs/pull/275249
http://www.openwall.com/lists/oss-security/2023/12/19/5mailing-list
https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc
https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/
http://www.openwall.com/lists/oss-security/2023/12/20/3mailing-list
http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html
https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES
https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES
https://github.com/apache/mina-sshd/issues/445
https://github.com/hierynomus/sshj/issues/916
https://github.com/janmojzis/tinyssh/issues/81
https://www.openwall.com/lists/oss-security/2023/12/20/3
https://security-tracker.debian.org/tracker/source-package/trilead-ssh2
https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/vendor-advisory
https://www.debian.org/security/2023/dsa-5586vendor-advisory
https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508
https://www.theregister.com/2023/12/20/terrapin_attack_ssh
https://filezilla-project.org/versions.php
https://nova.app/releases/#v11.8
https://roumenpetrov.info/secsh/#news20231220
https://www.vandyke.com/products/securecrt/history.txt
https://help.panic.com/releasenotes/transmit5/
https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta
https://github.com/PowerShell/Win32-OpenSSH/issues/2189
https://winscp.net/eng/docs/history#6.2.2
https://www.bitvise.com/ssh-client-version-history#933
https://github.com/cyd01/KiTTY/issues/520
https://www.debian.org/security/2023/dsa-5588vendor-advisory
https://github.com/ssh-mitm/ssh-mitm/issues/165
https://news.ycombinator.com/item?id=38732005
https://lists.debian.org/debian-lts-announce/2023/12/msg00017.htmlmailing-list
https://security.gentoo.org/glsa/202312-16vendor-advisory
https://security.gentoo.org/glsa/202312-17vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD/vendor-advisory
https://security.netapp.com/advisory/ntap-20240105-0004/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/vendor-advisory
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0002
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR/vendor-advisory
https://lists.debian.org/debian-lts-announce/2024/01/msg00013.htmlmailing-list
https://lists.debian.org/debian-lts-announce/2024/01/msg00014.htmlmailing-list
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE/vendor-advisory
https://support.apple.com/kb/HT214084
http://seclists.org/fulldisclosure/2024/Mar/21mailing-list
https://lists.debian.org/debian-lts-announce/2024/04/msg00016.htmlmailing-list
http://www.openwall.com/lists/oss-security/2024/04/17/8mailing-list
http://www.openwall.com/lists/oss-security/2024/03/06/3mailing-list
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-05-14T19:34:00.891Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.vicarius.io/vsociety/posts/cve-2023-48795-detect-openssh-vulnerabilit"
          },
          {
            "url": "https://www.vicarius.io/vsociety/posts/cve-2023-48795-mitigate-openssh-vulnerability"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://matt.ucc.asn.au/dropbear/CHANGES"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.netsarang.com/en/xshell-update-history/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.paramiko.org/changelog.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.openssh.com/openbsd.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/openssh/openssh-portable/commits/master"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.bitvise.com/ssh-server-version-history"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/ronf/asyncssh/tags"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://gitlab.com/libssh/libssh-mirror/-/tags"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.openssh.com/txt/release-9.6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.terrapin-attack.com"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://thorntech.com/cve-2023-48795-and-sftp-gateway/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/warp-tech/russh/releases/tag/v0.40.2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.openwall.com/lists/oss-security/2023/12/18/2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://twitter.com/TrueSkrillor/status/1736774389725565005"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/paramiko/paramiko/issues/2337"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://news.ycombinator.com/item?id=38684904"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://news.ycombinator.com/item?id=38685286"
          },
          {
            "name": "[oss-security] 20231218 CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack)",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/12/18/3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/mwiede/jsch/issues/457"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10\u0026id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/erlang/otp/releases/tag/OTP-26.2.1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/advisories/GHSA-45x7-px36-x8w8"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security-tracker.debian.org/tracker/source-package/libssh2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security-tracker.debian.org/tracker/CVE-2023-48795"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.suse.com/show_bug.cgi?id=1217950"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254210"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugs.gentoo.org/920280"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://ubuntu.com/security/CVE-2023-48795"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/cve-2023-48795"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/mwiede/jsch/pull/461"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/drakkan/sftpgo/releases/tag/v2.5.6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/libssh2/libssh2/pull/1291"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://forum.netgate.com/topic/184941/terrapin-ssh-attack"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/rapier1/hpn-ssh/releases"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/proftpd/proftpd/issues/456"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/TeraTermProject/teraterm/releases/tag/v5.1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://oryx-embedded.com/download/#changelog"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://crates.io/crates/thrussh/versions"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/NixOS/nixpkgs/pull/275249"
          },
          {
            "name": "[oss-security] 20231219 Re: CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack)",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/12/19/5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/"
          },
          {
            "name": "[oss-security] 20231220 Re: CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack)",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/12/20/3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/apache/mina-sshd/issues/445"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/hierynomus/sshj/issues/916"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/janmojzis/tinyssh/issues/81"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.openwall.com/lists/oss-security/2023/12/20/3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16"
          },
          {
            "name": "FEDORA-2023-0733306be9",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/"
          },
          {
            "name": "DSA-5586",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5586"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.theregister.com/2023/12/20/terrapin_attack_ssh"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://filezilla-project.org/versions.php"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://nova.app/releases/#v11.8"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://roumenpetrov.info/secsh/#news20231220"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.vandyke.com/products/securecrt/history.txt"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://help.panic.com/releasenotes/transmit5/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/PowerShell/Win32-OpenSSH/issues/2189"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://winscp.net/eng/docs/history#6.2.2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.bitvise.com/ssh-client-version-history#933"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/cyd01/KiTTY/issues/520"
          },
          {
            "name": "DSA-5588",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5588"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/ssh-mitm/ssh-mitm/issues/165"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://news.ycombinator.com/item?id=38732005"
          },
          {
            "name": "[debian-lts-announce] 20231226 [SECURITY] [DLA 3694-1] openssh security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html"
          },
          {
            "name": "GLSA-202312-16",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202312-16"
          },
          {
            "name": "GLSA-202312-17",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202312-17"
          },
          {
            "name": "FEDORA-2023-20feb865d8",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/"
          },
          {
            "name": "FEDORA-2023-cb8c606fbb",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y/"
          },
          {
            "name": "FEDORA-2023-e77300e4b5",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/"
          },
          {
            "name": "FEDORA-2023-b87ec6cf47",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7/"
          },
          {
            "name": "FEDORA-2023-153404713b",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240105-0004/"
          },
          {
            "name": "FEDORA-2024-3bb23c77f3",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS/"
          },
          {
            "name": "FEDORA-2023-55800423a8",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/"
          },
          {
            "name": "FEDORA-2024-d946b9ad25",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/"
          },
          {
            "name": "FEDORA-2024-71c2c6526c",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6/"
          },
          {
            "name": "FEDORA-2024-39a8c72ea9",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0002"
          },
          {
            "name": "FEDORA-2024-ae653fb07b",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/"
          },
          {
            "name": "FEDORA-2024-2705241461",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG/"
          },
          {
            "name": "FEDORA-2024-fb32950d11",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/"
          },
          {
            "name": "FEDORA-2024-7b08207cdb",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP/"
          },
          {
            "name": "FEDORA-2024-06ebb70bdd",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR/"
          },
          {
            "name": "[debian-lts-announce] 20240125 [SECURITY] [DLA 3718-1] php-phpseclib security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00013.html"
          },
          {
            "name": "[debian-lts-announce] 20240125 [SECURITY] [DLA 3719-1] phpseclib security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00014.html"
          },
          {
            "name": "FEDORA-2024-a53b24023d",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7/"
          },
          {
            "name": "FEDORA-2024-3fd1bc9276",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.apple.com/kb/HT214084"
          },
          {
            "name": "20240313 APPLE-SA-03-07-2024-2 macOS Sonoma 14.4",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2024/Mar/21"
          },
          {
            "name": "[debian-lts-announce] 20240425 [SECURITY] [DLA 3794-1] putty security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00016.html"
          },
          {
            "name": "[oss-security] 20240417 Terrapin vulnerability in Jenkins CLI client",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/04/17/8"
          },
          {
            "name": "[oss-security] 20240306 Multiple vulnerabilities in Jenkins plugins",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/06/3"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-48795",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": ""
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-19T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-01T03:55:20.399Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH\u0027s use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-01T18:06:23.972Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html"
        },
        {
          "url": "https://matt.ucc.asn.au/dropbear/CHANGES"
        },
        {
          "url": "https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES"
        },
        {
          "url": "https://www.netsarang.com/en/xshell-update-history/"
        },
        {
          "url": "https://www.paramiko.org/changelog.html"
        },
        {
          "url": "https://www.openssh.com/openbsd.html"
        },
        {
          "url": "https://github.com/openssh/openssh-portable/commits/master"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ"
        },
        {
          "url": "https://www.bitvise.com/ssh-server-version-history"
        },
        {
          "url": "https://github.com/ronf/asyncssh/tags"
        },
        {
          "url": "https://gitlab.com/libssh/libssh-mirror/-/tags"
        },
        {
          "url": "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/"
        },
        {
          "url": "https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42"
        },
        {
          "url": "https://www.openssh.com/txt/release-9.6"
        },
        {
          "url": "https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/"
        },
        {
          "url": "https://www.terrapin-attack.com"
        },
        {
          "url": "https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25"
        },
        {
          "url": "https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst"
        },
        {
          "url": "https://thorntech.com/cve-2023-48795-and-sftp-gateway/"
        },
        {
          "url": "https://github.com/warp-tech/russh/releases/tag/v0.40.2"
        },
        {
          "url": "https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2023/12/18/2"
        },
        {
          "url": "https://twitter.com/TrueSkrillor/status/1736774389725565005"
        },
        {
          "url": "https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d"
        },
        {
          "url": "https://github.com/paramiko/paramiko/issues/2337"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg"
        },
        {
          "url": "https://news.ycombinator.com/item?id=38684904"
        },
        {
          "url": "https://news.ycombinator.com/item?id=38685286"
        },
        {
          "name": "[oss-security] 20231218 CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack)",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2023/12/18/3"
        },
        {
          "url": "https://github.com/mwiede/jsch/issues/457"
        },
        {
          "url": "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10\u0026id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6"
        },
        {
          "url": "https://github.com/erlang/otp/releases/tag/OTP-26.2.1"
        },
        {
          "url": "https://github.com/advisories/GHSA-45x7-px36-x8w8"
        },
        {
          "url": "https://security-tracker.debian.org/tracker/source-package/libssh2"
        },
        {
          "url": "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg"
        },
        {
          "url": "https://security-tracker.debian.org/tracker/CVE-2023-48795"
        },
        {
          "url": "https://bugzilla.suse.com/show_bug.cgi?id=1217950"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254210"
        },
        {
          "url": "https://bugs.gentoo.org/920280"
        },
        {
          "url": "https://ubuntu.com/security/CVE-2023-48795"
        },
        {
          "url": "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/"
        },
        {
          "url": "https://access.redhat.com/security/cve/cve-2023-48795"
        },
        {
          "url": "https://github.com/mwiede/jsch/pull/461"
        },
        {
          "url": "https://github.com/drakkan/sftpgo/releases/tag/v2.5.6"
        },
        {
          "url": "https://github.com/libssh2/libssh2/pull/1291"
        },
        {
          "url": "https://forum.netgate.com/topic/184941/terrapin-ssh-attack"
        },
        {
          "url": "https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5"
        },
        {
          "url": "https://github.com/rapier1/hpn-ssh/releases"
        },
        {
          "url": "https://github.com/proftpd/proftpd/issues/456"
        },
        {
          "url": "https://github.com/TeraTermProject/teraterm/releases/tag/v5.1"
        },
        {
          "url": "https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15"
        },
        {
          "url": "https://oryx-embedded.com/download/#changelog"
        },
        {
          "url": "https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update"
        },
        {
          "url": "https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22"
        },
        {
          "url": "https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab"
        },
        {
          "url": "https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3"
        },
        {
          "url": "https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC"
        },
        {
          "url": "https://crates.io/crates/thrussh/versions"
        },
        {
          "url": "https://github.com/NixOS/nixpkgs/pull/275249"
        },
        {
          "name": "[oss-security] 20231219 Re: CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack)",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2023/12/19/5"
        },
        {
          "url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc"
        },
        {
          "url": "https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/"
        },
        {
          "name": "[oss-security] 20231220 Re: CVE-2023-48795: Prefix Truncation Attacks in SSH Specification (Terrapin Attack)",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2023/12/20/3"
        },
        {
          "url": "http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html"
        },
        {
          "url": "https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES"
        },
        {
          "url": "https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES"
        },
        {
          "url": "https://github.com/apache/mina-sshd/issues/445"
        },
        {
          "url": "https://github.com/hierynomus/sshj/issues/916"
        },
        {
          "url": "https://github.com/janmojzis/tinyssh/issues/81"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2023/12/20/3"
        },
        {
          "url": "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2"
        },
        {
          "url": "https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16"
        },
        {
          "name": "FEDORA-2023-0733306be9",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/"
        },
        {
          "name": "DSA-5586",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2023/dsa-5586"
        },
        {
          "url": "https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508"
        },
        {
          "url": "https://www.theregister.com/2023/12/20/terrapin_attack_ssh"
        },
        {
          "url": "https://filezilla-project.org/versions.php"
        },
        {
          "url": "https://nova.app/releases/#v11.8"
        },
        {
          "url": "https://roumenpetrov.info/secsh/#news20231220"
        },
        {
          "url": "https://www.vandyke.com/products/securecrt/history.txt"
        },
        {
          "url": "https://help.panic.com/releasenotes/transmit5/"
        },
        {
          "url": "https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta"
        },
        {
          "url": "https://github.com/PowerShell/Win32-OpenSSH/issues/2189"
        },
        {
          "url": "https://winscp.net/eng/docs/history#6.2.2"
        },
        {
          "url": "https://www.bitvise.com/ssh-client-version-history#933"
        },
        {
          "url": "https://github.com/cyd01/KiTTY/issues/520"
        },
        {
          "name": "DSA-5588",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2023/dsa-5588"
        },
        {
          "url": "https://github.com/ssh-mitm/ssh-mitm/issues/165"
        },
        {
          "url": "https://news.ycombinator.com/item?id=38732005"
        },
        {
          "name": "[debian-lts-announce] 20231226 [SECURITY] [DLA 3694-1] openssh security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html"
        },
        {
          "name": "GLSA-202312-16",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202312-16"
        },
        {
          "name": "GLSA-202312-17",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202312-17"
        },
        {
          "name": "FEDORA-2023-20feb865d8",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/"
        },
        {
          "name": "FEDORA-2023-cb8c606fbb",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y/"
        },
        {
          "name": "FEDORA-2023-e77300e4b5",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/"
        },
        {
          "name": "FEDORA-2023-b87ec6cf47",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7/"
        },
        {
          "name": "FEDORA-2023-153404713b",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240105-0004/"
        },
        {
          "name": "FEDORA-2024-3bb23c77f3",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS/"
        },
        {
          "name": "FEDORA-2023-55800423a8",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/"
        },
        {
          "name": "FEDORA-2024-d946b9ad25",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/"
        },
        {
          "name": "FEDORA-2024-71c2c6526c",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6/"
        },
        {
          "name": "FEDORA-2024-39a8c72ea9",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/"
        },
        {
          "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0002"
        },
        {
          "name": "FEDORA-2024-ae653fb07b",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/"
        },
        {
          "name": "FEDORA-2024-2705241461",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG/"
        },
        {
          "name": "FEDORA-2024-fb32950d11",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/"
        },
        {
          "name": "FEDORA-2024-7b08207cdb",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP/"
        },
        {
          "name": "FEDORA-2024-06ebb70bdd",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR/"
        },
        {
          "name": "[debian-lts-announce] 20240125 [SECURITY] [DLA 3718-1] php-phpseclib security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00013.html"
        },
        {
          "name": "[debian-lts-announce] 20240125 [SECURITY] [DLA 3719-1] phpseclib security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00014.html"
        },
        {
          "name": "FEDORA-2024-a53b24023d",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7/"
        },
        {
          "name": "FEDORA-2024-3fd1bc9276",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE/"
        },
        {
          "url": "https://support.apple.com/kb/HT214084"
        },
        {
          "name": "20240313 APPLE-SA-03-07-2024-2 macOS Sonoma 14.4",
          "tags": [
            "mailing-list"
          ],
          "url": "http://seclists.org/fulldisclosure/2024/Mar/21"
        },
        {
          "name": "[debian-lts-announce] 20240425 [SECURITY] [DLA 3794-1] putty security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00016.html"
        },
        {
          "name": "[oss-security] 20240417 Terrapin vulnerability in Jenkins CLI client",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2024/04/17/8"
        },
        {
          "name": "[oss-security] 20240306 Multiple vulnerabilities in Jenkins plugins",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2024/03/06/3"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2023-48795",
    "datePublished": "2023-12-18T00:00:00.000Z",
    "dateReserved": "2023-11-20T00:00:00.000Z",
    "dateUpdated": "2025-05-14T19:34:00.891Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-14837 (GCVE-0-2019-14837)
Vulnerability from cvelistv5
Published
2020-01-07 16:33
Modified
2024-08-05 00:26
Severity ?
9.1 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE
Summary
A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be 'service-account-test@placeholder.org'.
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14837x_refsource_CONFIRM
https://issues.jboss.org/browse/KEYCLOAK-10780x_refsource_CONFIRM
https://github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777fx_refsource_CONFIRM
Impacted products
Vendor Product Version
Red Hat keycloak Version: before 8.0.0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T00:26:39.127Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14837"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.jboss.org/browse/KEYCLOAK-10780"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777f"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "keycloak",
          "vendor": "Red Hat",
          "versions": [
            {
              "status": "affected",
              "version": "before 8.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in keycloack before version 8.0.0. The owner of \u0027placeholder.org\u0027 domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name \u0027test\u0027 the email address will be \u0027service-account-test@placeholder.org\u0027."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-547",
              "description": "CWE-547",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-01-07T16:33:21",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14837"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.jboss.org/browse/KEYCLOAK-10780"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777f"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2019-14837",
    "datePublished": "2020-01-07T16:33:21",
    "dateReserved": "2019-08-10T00:00:00",
    "dateUpdated": "2024-08-05T00:26:39.127Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-1714 (GCVE-0-2020-1714)
Vulnerability from cvelistv5
Published
2020-05-13 18:25
Modified
2024-08-04 06:46
Severity ?
7.5 (High) - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
Summary
A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714x_refsource_CONFIRM
https://github.com/keycloak/keycloak/pull/7053x_refsource_CONFIRM
Impacted products
Vendor Product Version
Red Hat keycloak Version: before 11.0.0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T06:46:30.830Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/keycloak/keycloak/pull/7053"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "keycloak",
          "vendor": "Red Hat",
          "versions": [
            {
              "status": "affected",
              "version": "before 11.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-05-13T18:25:56",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/keycloak/keycloak/pull/7053"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2020-1714",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "keycloak",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "before 11.0.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Red Hat"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "7.5/CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-20"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714"
            },
            {
              "name": "https://github.com/keycloak/keycloak/pull/7053",
              "refsource": "CONFIRM",
              "url": "https://github.com/keycloak/keycloak/pull/7053"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-1714",
    "datePublished": "2020-05-13T18:25:56",
    "dateReserved": "2019-11-27T00:00:00",
    "dateUpdated": "2024-08-04T06:46:30.830Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-10695 (GCVE-0-2020-10695)
Vulnerability from cvelistv5
Published
2021-05-26 21:35
Modified
2024-08-04 11:06
Severity ?
CWE
Summary
An insecure modification flaw in the /etc/passwd file was found in the redhat-sso-7 container. An attacker with access to the container can use this flaw to modify the /etc/passwd and escalate their privileges.
References
https://bugzilla.redhat.com/show_bug.cgi?id=1817530x_refsource_MISC
Impacted products
Vendor Product Version
n/a containers/redhat-sso-7 Version: redhat-sso 7.4.4
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:06:11.103Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1817530"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "containers/redhat-sso-7",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "redhat-sso 7.4.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An insecure modification flaw in the /etc/passwd file was found in the redhat-sso-7 container. An attacker with access to the container can use this flaw to modify the /etc/passwd and escalate their privileges."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "CWE-266",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-26T21:35:27",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1817530"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2020-10695",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "containers/redhat-sso-7",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "redhat-sso 7.4.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An insecure modification flaw in the /etc/passwd file was found in the redhat-sso-7 container. An attacker with access to the container can use this flaw to modify the /etc/passwd and escalate their privileges."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-266"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1817530",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1817530"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-10695",
    "datePublished": "2021-05-26T21:35:27",
    "dateReserved": "2020-03-20T00:00:00",
    "dateUpdated": "2024-08-04T11:06:11.103Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-12022 (GCVE-0-2018-12022)
Vulnerability from cvelistv5
Published
2019-03-17 18:14
Modified
2024-08-05 08:24
Severity ?
CWE
  • n/a
Summary
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
References
https://access.redhat.com/errata/RHSA-2019:0782vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:0877vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHBA-2019:0959vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:1107vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:1108vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:1106vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:1140vendor-advisory, x_refsource_REDHAT
https://www.debian.org/security/2019/dsa-4452vendor-advisory, x_refsource_DEBIAN
https://seclists.org/bugtraq/2019/May/68mailing-list, x_refsource_BUGTRAQ
https://access.redhat.com/errata/RHSA-2019:1782vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:1797vendor-advisory, x_refsource_REDHAT
http://www.securityfocus.com/bid/107585vdb-entry, x_refsource_BID
https://access.redhat.com/errata/RHSA-2019:1822vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:1823vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:2804vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:2858vendor-advisory, x_refsource_REDHAT
https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d%40%3Cissues.lucene.apache.org%3Emailing-list, x_refsource_MLIST
https://access.redhat.com/errata/RHSA-2019:3002vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:3140vendor-advisory, x_refsource_REDHAT
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3Emailing-list, x_refsource_MLIST
https://access.redhat.com/errata/RHSA-2019:3149vendor-advisory, x_refsource_REDHAT
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3Emailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3Emailing-list, x_refsource_MLIST
https://access.redhat.com/errata/RHSA-2019:3892vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:4037vendor-advisory, x_refsource_REDHAT
https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062x_refsource_MISC
https://www.oracle.com/security-alerts/cpuapr2020.htmlx_refsource_MISC
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlx_refsource_MISC
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.htmlx_refsource_MISC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC/x_refsource_MISC
https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdfx_refsource_MISC
https://security.netapp.com/advisory/ntap-20190530-0003/x_refsource_CONFIRM
https://www.oracle.com/security-alerts/cpuoct2020.htmlx_refsource_MISC
https://bugzilla.redhat.com/show_bug.cgi?id=1671098x_refsource_CONFIRM
https://github.com/FasterXML/jackson-databind/issues/2052x_refsource_CONFIRM
https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226ax_refsource_CONFIRM
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T08:24:03.619Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2019:0782",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0782"
          },
          {
            "name": "RHSA-2019:0877",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0877"
          },
          {
            "name": "RHBA-2019:0959",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHBA-2019:0959"
          },
          {
            "name": "RHSA-2019:1107",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1107"
          },
          {
            "name": "RHSA-2019:1108",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1108"
          },
          {
            "name": "RHSA-2019:1106",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1106"
          },
          {
            "name": "RHSA-2019:1140",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1140"
          },
          {
            "name": "DSA-4452",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4452"
          },
          {
            "name": "20190527 [SECURITY] [DSA 4452-1] jackson-databind security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/May/68"
          },
          {
            "name": "RHSA-2019:1782",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1782"
          },
          {
            "name": "RHSA-2019:1797",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1797"
          },
          {
            "name": "107585",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/107585"
          },
          {
            "name": "RHSA-2019:1822",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1822"
          },
          {
            "name": "RHSA-2019:1823",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1823"
          },
          {
            "name": "RHSA-2019:2804",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2804"
          },
          {
            "name": "RHSA-2019:2858",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2858"
          },
          {
            "name": "[lucene-issues] 20191004 [GitHub] [lucene-solr] marungo opened a new pull request #925: SOLR-13818: Upgrade jackson to 2.10.0",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d%40%3Cissues.lucene.apache.org%3E"
          },
          {
            "name": "RHSA-2019:3002",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3002"
          },
          {
            "name": "RHSA-2019:3140",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3140"
          },
          {
            "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
          },
          {
            "name": "RHSA-2019:3149",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3149"
          },
          {
            "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
          },
          {
            "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
          },
          {
            "name": "RHSA-2019:3892",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3892"
          },
          {
            "name": "RHSA-2019:4037",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4037"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20190530-0003/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671098"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/FasterXML/jackson-databind/issues/2052"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2019-01-30T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-10-20T21:14:53",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "RHSA-2019:0782",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0782"
        },
        {
          "name": "RHSA-2019:0877",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0877"
        },
        {
          "name": "RHBA-2019:0959",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHBA-2019:0959"
        },
        {
          "name": "RHSA-2019:1107",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1107"
        },
        {
          "name": "RHSA-2019:1108",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1108"
        },
        {
          "name": "RHSA-2019:1106",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1106"
        },
        {
          "name": "RHSA-2019:1140",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1140"
        },
        {
          "name": "DSA-4452",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4452"
        },
        {
          "name": "20190527 [SECURITY] [DSA 4452-1] jackson-databind security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/May/68"
        },
        {
          "name": "RHSA-2019:1782",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1782"
        },
        {
          "name": "RHSA-2019:1797",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1797"
        },
        {
          "name": "107585",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/107585"
        },
        {
          "name": "RHSA-2019:1822",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1822"
        },
        {
          "name": "RHSA-2019:1823",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1823"
        },
        {
          "name": "RHSA-2019:2804",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2804"
        },
        {
          "name": "RHSA-2019:2858",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2858"
        },
        {
          "name": "[lucene-issues] 20191004 [GitHub] [lucene-solr] marungo opened a new pull request #925: SOLR-13818: Upgrade jackson to 2.10.0",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d%40%3Cissues.lucene.apache.org%3E"
        },
        {
          "name": "RHSA-2019:3002",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3002"
        },
        {
          "name": "RHSA-2019:3140",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3140"
        },
        {
          "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
        },
        {
          "name": "RHSA-2019:3149",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3149"
        },
        {
          "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
        },
        {
          "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
        },
        {
          "name": "RHSA-2019:3892",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3892"
        },
        {
          "name": "RHSA-2019:4037",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4037"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20190530-0003/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671098"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/FasterXML/jackson-databind/issues/2052"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-12022",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2019:0782",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0782"
            },
            {
              "name": "RHSA-2019:0877",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0877"
            },
            {
              "name": "RHBA-2019:0959",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHBA-2019:0959"
            },
            {
              "name": "RHSA-2019:1107",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1107"
            },
            {
              "name": "RHSA-2019:1108",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1108"
            },
            {
              "name": "RHSA-2019:1106",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1106"
            },
            {
              "name": "RHSA-2019:1140",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1140"
            },
            {
              "name": "DSA-4452",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2019/dsa-4452"
            },
            {
              "name": "20190527 [SECURITY] [DSA 4452-1] jackson-databind security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/May/68"
            },
            {
              "name": "RHSA-2019:1782",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1782"
            },
            {
              "name": "RHSA-2019:1797",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1797"
            },
            {
              "name": "107585",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/107585"
            },
            {
              "name": "RHSA-2019:1822",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1822"
            },
            {
              "name": "RHSA-2019:1823",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1823"
            },
            {
              "name": "RHSA-2019:2804",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2804"
            },
            {
              "name": "RHSA-2019:2858",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2858"
            },
            {
              "name": "[lucene-issues] 20191004 [GitHub] [lucene-solr] marungo opened a new pull request #925: SOLR-13818: Upgrade jackson to 2.10.0",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d@%3Cissues.lucene.apache.org%3E"
            },
            {
              "name": "RHSA-2019:3002",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3002"
            },
            {
              "name": "RHSA-2019:3140",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3140"
            },
            {
              "name": "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E"
            },
            {
              "name": "RHSA-2019:3149",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3149"
            },
            {
              "name": "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E"
            },
            {
              "name": "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E"
            },
            {
              "name": "RHSA-2019:3892",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3892"
            },
            {
              "name": "RHSA-2019:4037",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:4037"
            },
            {
              "name": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
              "refsource": "MISC",
              "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
            },
            {
              "name": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
            },
            {
              "name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
            },
            {
              "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC/",
              "refsource": "MISC",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC/"
            },
            {
              "name": "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf",
              "refsource": "MISC",
              "url": "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20190530-0003/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20190530-0003/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1671098",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671098"
            },
            {
              "name": "https://github.com/FasterXML/jackson-databind/issues/2052",
              "refsource": "CONFIRM",
              "url": "https://github.com/FasterXML/jackson-databind/issues/2052"
            },
            {
              "name": "https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a",
              "refsource": "CONFIRM",
              "url": "https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-12022",
    "datePublished": "2019-03-17T18:14:21",
    "dateReserved": "2018-06-07T00:00:00",
    "dateUpdated": "2024-08-05T08:24:03.619Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-2764 (GCVE-0-2022-2764)
Vulnerability from cvelistv5
Published
2022-09-01 00:00
Modified
2024-08-03 00:46
Severity ?
CWE
Summary
A flaw was found in Undertow. Denial of service can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations.
References
https://bugzilla.redhat.com/show_bug.cgi?id=2117506
https://security.netapp.com/advisory/ntap-20221014-0006/
Impacted products
Vendor Product Version
n/a undertow Version: undertow 2.x
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:46:04.429Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20221014-0006/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "undertow",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "undertow 2.x"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Undertow. Denial of service can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-14T00:00:00",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20221014-0006/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2022-2764",
    "datePublished": "2022-09-01T00:00:00",
    "dateReserved": "2022-08-11T00:00:00",
    "dateUpdated": "2024-08-03T00:46:04.429Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-1932 (GCVE-0-2023-1932)
Vulnerability from cvelistv5
Published
2024-11-07 10:00
Modified
2024-11-07 14:09
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render an invalid html, allowing HTML injection or Cross-Site-Scripting (XSS) attacks.
References
https://access.redhat.com/security/cve/CVE-2023-1932vdb-entry, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=1809444issue-tracking, x_refsource_REDHAT
Impacted products
Vendor Product Version
Red Hat A-MQ Clients 2     cpe:/a:redhat:a_mq_clients:2
 Create a notification for this product.
   Red Hat Cryostat 2     cpe:/a:redhat:cryostat:2
 Create a notification for this product.
   Red Hat Red Hat AMQ Broker 7     cpe:/a:redhat:amq_broker:7
 Create a notification for this product.
   Red Hat Red Hat A-MQ Online     cpe:/a:redhat:amq_online:1
 Create a notification for this product.
   Red Hat Red Hat BPM Suite 6     cpe:/a:redhat:jboss_enterprise_bpms_platform:6
 Create a notification for this product.
   Red Hat Red Hat CodeReady Studio 12     cpe:/a:redhat:jboss_developer_studio:12.
 Create a notification for this product.
   Red Hat Red Hat Data Grid 8     cpe:/a:redhat:jboss_data_grid:8
 Create a notification for this product.
   Red Hat Red Hat Decision Manager 7     cpe:/a:redhat:jboss_enterprise_brms_platform:7
 Create a notification for this product.
   Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
 Create a notification for this product.
   Red Hat Red Hat JBoss BRMS 5     cpe:/a:redhat:jboss_enterprise_brms_platform:5
 Create a notification for this product.
   Red Hat Red Hat JBoss Data Grid 7     cpe:/a:redhat:jboss_data_grid:7
 Create a notification for this product.
   Red Hat Red Hat JBoss Data Virtualization 6     cpe:/a:redhat:jboss_data_virtualization:6
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 5     cpe:/a:redhat:jboss_enterprise_application_platform:5
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 6     cpe:/a:redhat:jboss_enterprise_application_platform:6
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7     cpe:/a:redhat:jboss_enterprise_application_platform:7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform Continuous Delivery     cpe:/a:redhat:jboss_enterprise_application_platform_cd
 Create a notification for this product.
   Red Hat Red Hat JBoss Fuse 6     cpe:/a:redhat:jboss_fuse:6
 Create a notification for this product.
   Red Hat Red Hat JBoss Fuse Service Works 6     cpe:/a:redhat:jboss_fuse_service_works:6
 Create a notification for this product.
   Red Hat Red Hat JBoss Operations Network 3     cpe:/a:redhat:jboss_operations_network:3
 Create a notification for this product.
   Red Hat Red Hat JBoss SOA Platform 5     cpe:/a:redhat:jboss_enterprise_soa_platform:5
 Create a notification for this product.
   Red Hat Red Hat OpenStack Platform 10 (Newton)     cpe:/a:redhat:openstack:10
 Create a notification for this product.
   Red Hat Red Hat OpenStack Platform 13 (Queens)     cpe:/a:redhat:openstack:13
 Create a notification for this product.
   Red Hat Red Hat Process Automation 7     cpe:/a:redhat:jboss_enterprise_bpms_platform:7
 Create a notification for this product.
   Red Hat Red Hat Satellite 6     cpe:/a:redhat:satellite:6
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7
 Create a notification for this product.
   Red Hat Red Hat support for Spring Boot     cpe:/a:redhat:openshift_application_runtimes:1.0
 Create a notification for this product.
   Red Hat streams for Apache Kafka     cpe:/a:redhat:amq_streams:1
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-1932",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-07T14:09:13.280925Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-07T14:09:26.936Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:a_mq_clients:2"
          ],
          "defaultStatus": "unaffected",
          "packageName": "org.apache.logging.log4j-log4j",
          "product": "A-MQ Clients 2",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:cryostat:2"
          ],
          "defaultStatus": "unaffected",
          "packageName": "hibernate-validator",
          "product": "Cryostat 2",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:amq_broker:7"
          ],
          "defaultStatus": "unaffected",
          "packageName": "hibernate-validator",
          "product": "Red Hat AMQ Broker 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:amq_online:1"
          ],
          "defaultStatus": "unaffected",
          "packageName": "io.enmasse-enmasse",
          "product": "Red Hat A-MQ Online",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_bpms_platform:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "hibernate-validator",
          "product": "Red Hat BPM Suite 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_developer_studio:12."
          ],
          "defaultStatus": "affected",
          "packageName": "hibernate-validator",
          "product": "Red Hat CodeReady Studio 12",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_data_grid:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "hibernate-validator",
          "product": "Red Hat Data Grid 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "hibernate-validator",
          "product": "Red Hat Decision Manager 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_fuse:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "hibernate-validator",
          "product": "Red Hat Fuse 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_brms_platform:5"
          ],
          "defaultStatus": "unknown",
          "packageName": "hibernate-validator",
          "product": "Red Hat JBoss BRMS 5",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_data_grid:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "hibernate-validator",
          "product": "Red Hat JBoss Data Grid 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_data_virtualization:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "hibernate-validator",
          "product": "Red Hat JBoss Data Virtualization 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:5"
          ],
          "defaultStatus": "unknown",
          "packageName": "hibernate-validator",
          "product": "Red Hat JBoss Enterprise Application Platform 5",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "hibernate-validator",
          "product": "Red Hat JBoss Enterprise Application Platform 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7"
          ],
          "defaultStatus": "affected",
          "packageName": "hibernate-validator",
          "product": "Red Hat JBoss Enterprise Application Platform 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_cd"
          ],
          "defaultStatus": "affected",
          "packageName": "hibernate-validator",
          "product": "Red Hat JBoss Enterprise Application Platform Continuous Delivery",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_fuse:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "hibernate-validator",
          "product": "Red Hat JBoss Fuse 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_fuse_service_works:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "hibernate-validator",
          "product": "Red Hat JBoss Fuse Service Works 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_operations_network:3"
          ],
          "defaultStatus": "unknown",
          "packageName": "hibernate-validator",
          "product": "Red Hat JBoss Operations Network 3",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_soa_platform:5"
          ],
          "defaultStatus": "unknown",
          "packageName": "hibernate-validator",
          "product": "Red Hat JBoss SOA Platform 5",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openstack:10"
          ],
          "defaultStatus": "unknown",
          "packageName": "opendaylight",
          "product": "Red Hat OpenStack Platform 10 (Newton)",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openstack:13"
          ],
          "defaultStatus": "affected",
          "packageName": "opendaylight",
          "product": "Red Hat OpenStack Platform 13 (Queens)",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "hibernate-validator",
          "product": "Red Hat Process Automation 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:satellite:6"
          ],
          "defaultStatus": "affected",
          "packageName": "candlepin",
          "product": "Red Hat Satellite 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7"
          ],
          "defaultStatus": "affected",
          "packageName": "hibernate-validator",
          "product": "Red Hat Single Sign-On 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_application_runtimes:1.0"
          ],
          "defaultStatus": "unknown",
          "packageName": "hibernate-validator",
          "product": "Red Hat support for Spring Boot",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:amq_streams:1"
          ],
          "defaultStatus": "unaffected",
          "packageName": "hibernate-validator",
          "product": "streams for Apache Kafka",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Christian Kistner (SySS GmbH) and Moritz Bechler (SySS GmbH) for reporting this issue."
        }
      ],
      "datePublic": "2024-02-07T00:00:00+00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in hibernate-validator\u0027s \u0027isValid\u0027 method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render an invalid html, allowing HTML injection or Cross-Site-Scripting (XSS) attacks."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-07T10:00:51.745Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2023-1932"
        },
        {
          "name": "RHBZ#1809444",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1809444"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2020-02-27T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2024-02-07T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Hibernate-validator: rendering of invalid html with safehtml leads to html injection and xss"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-1932",
    "datePublished": "2024-11-07T10:00:51.745Z",
    "dateReserved": "2023-04-06T20:10:01.569Z",
    "dateUpdated": "2024-11-07T14:09:26.936Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-14297 (GCVE-0-2020-14297)
Vulnerability from cvelistv5
Published
2020-07-24 15:37
Modified
2024-10-15 17:14
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE
Summary
A flaw was discovered in Wildfly's EJB Client as shipped with Red Hat JBoss EAP 7, where some specific EJB transaction objects may get accumulated over the time and can cause services to slow down and eventaully unavailable. An attacker can take advantage and cause denial of service attack and make services unavailable.
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14297x_refsource_CONFIRM
Impacted products
Vendor Product Version
Red Hat wildfly Version: jboss-ejb-client as shipped with Red Hat JBoss EAP 7
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T12:39:36.271Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14297"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2020-14297",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-15T17:09:41.879622Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-15T17:14:53.962Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wildfly",
          "vendor": "Red Hat",
          "versions": [
            {
              "status": "affected",
              "version": "jboss-ejb-client as shipped with Red Hat JBoss EAP 7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was discovered in Wildfly\u0027s EJB Client as shipped with Red Hat JBoss EAP 7, where some specific EJB transaction objects may get accumulated over the time and can cause services to slow down and eventaully unavailable. An attacker can take advantage and cause denial of service attack and make services unavailable."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-07-24T15:37:25",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14297"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-14297",
    "datePublished": "2020-07-24T15:37:25",
    "dateReserved": "2020-06-17T00:00:00",
    "dateUpdated": "2024-10-15T17:14:53.962Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-0264 (GCVE-0-2023-0264)
Vulnerability from cvelistv5
Published
2023-08-04 17:09
Modified
2024-08-02 05:02
Severity ?
Summary
A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, integrity, and availability.
References
https://access.redhat.com/security/cve/CVE-2023-0264
Impacted products
Vendor Product Version
redhat.com Keycloak Version: 18.0.6   
Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T05:02:44.110Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2023-0264"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Keycloak",
          "vendor": "redhat.com",
          "versions": [
            {
              "lessThan": "18.0.6",
              "status": "affected",
              "version": "18.0.6",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, integrity, and availability."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-04T17:09:27.693Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "https://access.redhat.com/security/cve/CVE-2023-0264"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-0264",
    "datePublished": "2023-08-04T17:09:27.693Z",
    "dateReserved": "2023-01-12T23:10:37.812Z",
    "dateUpdated": "2024-08-02T05:02:44.110Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-6563 (GCVE-0-2023-6563)
Vulnerability from cvelistv5
Published
2023-12-14 18:01
Modified
2025-03-15 03:33
Severity ?
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
CWE
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Summary
An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system.
References
https://access.redhat.com/errata/RHSA-2023:7854vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:7855vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:7856vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:7857vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:7858vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2023-6563vdb-entry, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2253308issue-tracking, x_refsource_REDHAT
https://github.com/keycloak/keycloak/issues/13340
Impacted products
Vendor Product Version
Red Hat Red Hat Single Sign-On 7.6 for RHEL 7 Unaffected: 0:18.0.11-2.redhat_00003.1.el7sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el7
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 8 Unaffected: 0:18.0.11-2.redhat_00003.1.el8sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el8
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 9 Unaffected: 0:18.0.11-2.redhat_00003.1.el9sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el9
 Create a notification for this product.
   Red Hat RHEL-8 based Middleware Containers Unaffected: 7.6-38   < *
    cpe:/a:redhat:rhosemc:1.0::el8
 Create a notification for this product.
   Red Hat RHEL-8 based Middleware Containers Unaffected: 7.6.6-2   < *
    cpe:/a:redhat:rhosemc:1.0::el8
 Create a notification for this product.
   Red Hat Single Sign-On 7.6.6     cpe:/a:redhat:red_hat_single_sign_on:7.6.6
 Create a notification for this product.
   Red Hat Red Hat Build of Keycloak     cpe:/a:redhat:build_keycloak:
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T08:35:14.663Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2023:7854",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:7854"
          },
          {
            "name": "RHSA-2023:7855",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:7855"
          },
          {
            "name": "RHSA-2023:7856",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:7856"
          },
          {
            "name": "RHSA-2023:7857",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:7857"
          },
          {
            "name": "RHSA-2023:7858",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:7858"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2023-6563"
          },
          {
            "name": "RHBZ#2253308",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253308"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/keycloak/keycloak/issues/13340"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.11-2.redhat_00003.1.el7sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.11-2.redhat_00003.1.el8sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.11-2.redhat_00003.1.el9sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso-7/sso76-openshift-rhel8",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.6-38",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso-7/sso7-rhel8-operator-bundle",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.6.6-2",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6.6"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak-core",
          "product": "Single Sign-On 7.6.6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak-core",
          "product": "Red Hat Build of Keycloak",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2023-12-14T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (\u003e 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the \"consents\" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-15T03:33:57.850Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2023:7854",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:7854"
        },
        {
          "name": "RHSA-2023:7855",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:7855"
        },
        {
          "name": "RHSA-2023:7856",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:7856"
        },
        {
          "name": "RHSA-2023:7857",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:7857"
        },
        {
          "name": "RHSA-2023:7858",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:7858"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2023-6563"
        },
        {
          "name": "RHBZ#2253308",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253308"
        },
        {
          "url": "https://github.com/keycloak/keycloak/issues/13340"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-12-06T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2023-12-14T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Keycloak: offline session token dos",
      "workarounds": [
        {
          "lang": "en",
          "value": "There are three main options to prevent exploitation:\n1) If you are using a reverse proxy, block the consents URL.\n2) This option is less effective: remove the consents application tab from the account console theme.\n3) This option has a significant negative impact on end users: entirely disable offline user profiles."
        }
      ],
      "x_redhatCweChain": "CWE-770: Allocation of Resources Without Limits or Throttling"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-6563",
    "datePublished": "2023-12-14T18:01:26.005Z",
    "dateReserved": "2023-12-06T18:47:35.594Z",
    "dateUpdated": "2025-03-15T03:33:57.850Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-4104 (GCVE-0-2021-4104)
Vulnerability from cvelistv5
Published
2021-12-14 00:00
Modified
2024-08-03 17:16
Severity ?
CWE
  • CWE-502 - Deserialization of Untrusted Data
Summary
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
References
https://www.cve.org/CVERecord?id=CVE-2021-44228
https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
https://access.redhat.com/security/cve/CVE-2021-4104
https://www.kb.cert.org/vuls/id/930724third-party-advisory
http://www.openwall.com/lists/oss-security/2022/01/18/3mailing-list
https://www.oracle.com/security-alerts/cpujan2022.html
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033
https://security.netapp.com/advisory/ntap-20211223-0007/
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://security.gentoo.org/glsa/202209-02vendor-advisory
https://security.gentoo.org/glsa/202310-16vendor-advisory
https://security.gentoo.org/glsa/202312-02vendor-advisory
https://security.gentoo.org/glsa/202312-04vendor-advisory
Impacted products
Vendor Product Version
Apache Software Foundation Apache Log4j 1.x Version: Apache Log4j 1.2 1.2.x
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:16:04.172Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2021-4104"
          },
          {
            "name": "VU#930724",
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://www.kb.cert.org/vuls/id/930724"
          },
          {
            "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20211223-0007/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          },
          {
            "name": "GLSA-202209-02",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202209-02"
          },
          {
            "name": "GLSA-202310-16",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202310-16"
          },
          {
            "name": "GLSA-202312-02",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202312-02"
          },
          {
            "name": "GLSA-202312-04",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202312-04"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Log4j 1.x",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "Apache Log4j 1.2 1.2.x"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-22T09:06:15.357899",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
        },
        {
          "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2021-4104"
        },
        {
          "name": "VU#930724",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.kb.cert.org/vuls/id/930724"
        },
        {
          "name": "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
        },
        {
          "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20211223-0007/"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        },
        {
          "name": "GLSA-202209-02",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202209-02"
        },
        {
          "name": "GLSA-202310-16",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202310-16"
        },
        {
          "name": "GLSA-202312-02",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202312-02"
        },
        {
          "name": "GLSA-202312-04",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202312-04"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-4104",
    "datePublished": "2021-12-14T00:00:00",
    "dateReserved": "2021-12-13T00:00:00",
    "dateUpdated": "2024-08-03T17:16:04.172Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-27826 (GCVE-0-2020-27826)
Vulnerability from cvelistv5
Published
2021-05-28 10:20
Modified
2024-08-04 16:25
Severity ?
CWE
Summary
A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application.
References
https://bugzilla.redhat.com/show_bug.cgi?id=1905089x_refsource_MISC
Impacted products
Vendor Product Version
n/a keycloak Version: keycloak 12.0.0
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T16:25:43.149Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1905089"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "keycloak",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "keycloak 12.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user\u0027s metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-250",
              "description": "CWE-250",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-28T10:20:30",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1905089"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2020-27826",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "keycloak",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "keycloak 12.0.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user\u0027s metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-250"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1905089",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1905089"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-27826",
    "datePublished": "2021-05-28T10:20:30",
    "dateReserved": "2020-10-27T00:00:00",
    "dateUpdated": "2024-08-04T16:25:43.149Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-1132 (GCVE-0-2024-1132)
Vulnerability from cvelistv5
Published
2024-04-17 13:21
Modified
2025-07-08 05:01
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL.
References
https://access.redhat.com/errata/RHSA-2024:1860vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1861vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1862vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1864vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1866vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1867vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1868vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:2945vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:3752vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:3762vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:3919vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:3989vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-1132vdb-entry, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2262117issue-tracking, x_refsource_REDHAT
Impacted products
Vendor Product Version
Version: 21.1.0   
Version: 23.0.0   
Create a notification for this product.
   Red Hat Migration Toolkit for Runtimes 1 on RHEL 8 Unaffected: 1.2-23   < *
    cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8
 Create a notification for this product.
   Red Hat Migration Toolkit for Runtimes 1 on RHEL 8 Unaffected: 1.2-15   < *
    cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8
 Create a notification for this product.
   Red Hat Migration Toolkit for Runtimes 1 on RHEL 8 Unaffected: 1.2-16   < *
    cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8
 Create a notification for this product.
   Red Hat Migration Toolkit for Runtimes 1 on RHEL 8 Unaffected: 1.2-14   < *
    cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8
 Create a notification for this product.
   Red Hat MTA-6.2-RHEL-9 Unaffected: 6.2.3-2   < *
    cpe:/a:redhat:migration_toolkit_applications:6.2::el8
    cpe:/a:redhat:migration_toolkit_applications:6.2::el9
 Create a notification for this product.
   Red Hat Red Hat AMQ Broker 7     cpe:/a:redhat:amq_broker:7.10
 Create a notification for this product.
   Red Hat Red Hat AMQ Broker 7     cpe:/a:redhat:amq_broker:7.11
 Create a notification for this product.
   Red Hat Red Hat AMQ Broker 7     cpe:/a:redhat:amq_broker:7.12
 Create a notification for this product.
   Red Hat Red Hat build of Keycloak 22 Unaffected: 22.0.10-1   < *
    cpe:/a:redhat:build_keycloak:22::el9
 Create a notification for this product.
   Red Hat Red Hat build of Keycloak 22 Unaffected: 22-13   < *
    cpe:/a:redhat:build_keycloak:22::el9
 Create a notification for this product.
   Red Hat Red Hat build of Keycloak 22 Unaffected: 22-16   < *
    cpe:/a:redhat:build_keycloak:22::el9
 Create a notification for this product.
   Red Hat Red Hat build of Keycloak 22.0.10     cpe:/a:redhat:build_keycloak:22
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 7 Unaffected: 0:18.0.13-1.redhat_00001.1.el7sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el7
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 8 Unaffected: 0:18.0.13-1.redhat_00001.1.el8sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el8
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 9 Unaffected: 0:18.0.13-1.redhat_00001.1.el9sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el9
 Create a notification for this product.
   Red Hat RHEL-8 based Middleware Containers Unaffected: 7.6-46   < *
    cpe:/a:redhat:rhosemc:1.0::el8
 Create a notification for this product.
   Red Hat RHSSO 7.6.8     cpe:/a:redhat:red_hat_single_sign_on:7.6
 Create a notification for this product.
   Red Hat Red Hat build of Apicurio Registry 2     cpe:/a:redhat:service_registry:2
 Create a notification for this product.
   Red Hat Red Hat build of Quarkus     cpe:/a:redhat:quarkus:3
 Create a notification for this product.
   Red Hat Red Hat Data Grid 8     cpe:/a:redhat:jboss_data_grid:8
 Create a notification for this product.
   Red Hat Red Hat Decision Manager 7     cpe:/a:redhat:jboss_enterprise_brms_platform:7
 Create a notification for this product.
   Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
 Create a notification for this product.
   Red Hat Red Hat JBoss Data Grid 7     cpe:/a:redhat:jboss_data_grid:7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 6     cpe:/a:redhat:jboss_enterprise_application_platform:6
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7     cpe:/a:redhat:jboss_enterprise_application_platform:7
 Create a notification for this product.
   Red Hat Red Hat Process Automation 7     cpe:/a:redhat:jboss_enterprise_bpms_platform:7
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-1132",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-23T18:37:10.567431Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-22",
                "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:59:39.871Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T18:26:30.564Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2024:1860",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:1860"
          },
          {
            "name": "RHSA-2024:1861",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:1861"
          },
          {
            "name": "RHSA-2024:1862",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:1862"
          },
          {
            "name": "RHSA-2024:1864",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:1864"
          },
          {
            "name": "RHSA-2024:1866",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:1866"
          },
          {
            "name": "RHSA-2024:1867",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:1867"
          },
          {
            "name": "RHSA-2024:1868",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:1868"
          },
          {
            "name": "RHSA-2024:2945",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:2945"
          },
          {
            "name": "RHSA-2024:3752",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:3752"
          },
          {
            "name": "RHSA-2024:3762",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:3762"
          },
          {
            "name": "RHSA-2024:3919",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:3919"
          },
          {
            "name": "RHSA-2024:3989",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:3989"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2024-1132"
          },
          {
            "name": "RHBZ#2262117",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2262117"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/keycloak/keycloak",
          "defaultStatus": "unaffected",
          "packageName": "keycloak",
          "versions": [
            {
              "lessThan": "22.0.10",
              "status": "affected",
              "version": "21.1.0",
              "versionType": "semver"
            },
            {
              "lessThan": "24.0.3",
              "status": "affected",
              "version": "23.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "mtr/mtr-operator-bundle",
          "product": "Migration Toolkit for Runtimes 1 on RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.2-23",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "mtr/mtr-rhel8-operator",
          "product": "Migration Toolkit for Runtimes 1 on RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.2-15",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "mtr/mtr-web-container-rhel8",
          "product": "Migration Toolkit for Runtimes 1 on RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.2-16",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "mtr/mtr-web-executor-container-rhel8",
          "product": "Migration Toolkit for Runtimes 1 on RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.2-14",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:migration_toolkit_applications:6.2::el8",
            "cpe:/a:redhat:migration_toolkit_applications:6.2::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "mta/mta-windup-addon-rhel9",
          "product": "MTA-6.2-RHEL-9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "6.2.3-2",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:amq_broker:7.10"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak",
          "product": "Red Hat AMQ Broker 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:amq_broker:7.11"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak",
          "product": "Red Hat AMQ Broker 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:amq_broker:7.12"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak",
          "product": "Red Hat AMQ Broker 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:22::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-operator-bundle",
          "product": "Red Hat build of Keycloak 22",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "22.0.10-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:22::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 22",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "22-13",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:22::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9-operator",
          "product": "Red Hat build of Keycloak 22",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "22-16",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:22"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak",
          "product": "Red Hat build of Keycloak 22.0.10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.13-1.redhat_00001.1.el7sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.13-1.redhat_00001.1.el8sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.13-1.redhat_00001.1.el9sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso-7/sso76-openshift-rhel8",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.6-46",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak",
          "product": "RHSSO 7.6.8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:service_registry:2"
          ],
          "defaultStatus": "affected",
          "packageName": "keycloak",
          "product": "Red Hat build of Apicurio Registry 2",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:quarkus:3"
          ],
          "defaultStatus": "affected",
          "packageName": "org.keycloak/keycloak-core",
          "product": "Red Hat build of Quarkus",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_data_grid:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "org.wildfly.security-wildfly-elytron-parent",
          "product": "Red Hat Data Grid 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "keycloak",
          "product": "Red Hat Decision Manager 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_fuse:7"
          ],
          "defaultStatus": "affected",
          "packageName": "keycloak",
          "product": "Red Hat Fuse 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_data_grid:7"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak",
          "product": "Red Hat JBoss Data Grid 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "keycloak",
          "product": "Red Hat JBoss Enterprise Application Platform 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak-core",
          "product": "Red Hat JBoss Enterprise Application Platform 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
          ],
          "defaultStatus": "affected",
          "packageName": "keycloak",
          "product": "Red Hat Process Automation 7",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Axel Flamcourt for reporting this issue."
        }
      ],
      "datePublic": "2024-04-16T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-08T05:01:18.927Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2024:1860",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:1860"
        },
        {
          "name": "RHSA-2024:1861",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:1861"
        },
        {
          "name": "RHSA-2024:1862",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:1862"
        },
        {
          "name": "RHSA-2024:1864",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:1864"
        },
        {
          "name": "RHSA-2024:1866",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:1866"
        },
        {
          "name": "RHSA-2024:1867",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:1867"
        },
        {
          "name": "RHSA-2024:1868",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:1868"
        },
        {
          "name": "RHSA-2024:2945",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:2945"
        },
        {
          "name": "RHSA-2024:3752",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:3752"
        },
        {
          "name": "RHSA-2024:3762",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:3762"
        },
        {
          "name": "RHSA-2024:3919",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:3919"
        },
        {
          "name": "RHSA-2024:3989",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:3989"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2024-1132"
        },
        {
          "name": "RHBZ#2262117",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2262117"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-01-31T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2024-04-16T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Keycloak: path transversal in redirection validation",
      "workarounds": [
        {
          "lang": "en",
          "value": "No current mitigation is available for this vulnerability."
        }
      ],
      "x_redhatCweChain": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2024-1132",
    "datePublished": "2024-04-17T13:21:19.130Z",
    "dateReserved": "2024-01-31T17:07:33.455Z",
    "dateUpdated": "2025-07-08T05:01:18.927Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-1724 (GCVE-0-2020-1724)
Vulnerability from cvelistv5
Published
2020-05-11 20:10
Modified
2024-08-04 06:46
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE
Summary
A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section.
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1724x_refsource_CONFIRM
Impacted products
Vendor Product Version
Red Hat keycloak Version: All versions before 9.0.2
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T06:46:30.888Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1724"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "keycloak",
          "vendor": "Red Hat",
          "versions": [
            {
              "status": "affected",
              "version": "All versions before 9.0.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-613",
              "description": "CWE-613",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-05-11T20:10:24",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1724"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2020-1724",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "keycloak",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions before 9.0.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Red Hat"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "4.3/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-613"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1724",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1724"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-1724",
    "datePublished": "2020-05-11T20:10:24",
    "dateReserved": "2019-11-27T00:00:00",
    "dateUpdated": "2024-08-04T06:46:30.888Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-5379 (GCVE-0-2023-5379)
Vulnerability from cvelistv5
Published
2023-12-12 21:54
Modified
2025-06-25 00:41
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Summary
A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by mod_cluster in httpd, causing JBoss EAP to close the TCP connection without returning an AJP response. This happens because mod_proxy_cluster marks the JBoss EAP instance as an error worker when the TCP connection is closed from the backend after sending the AJP request without receiving an AJP response, and stops forwarding. This issue could allow a malicious user could to repeatedly send requests that exceed the max-header-size, causing a Denial of Service (DoS).
References
https://access.redhat.com/errata/RHSA-2023:4509vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2025:9582vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2025:9583vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2023-5379vdb-entry, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2242099issue-tracking, x_refsource_REDHAT
Impacted products
Vendor Product Version
Red Hat Red Hat JBoss Enterprise Application Platform 7     cpe:/a:redhat:jboss_enterprise_application_platform:7.4
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Unaffected: 0:3.0.1-4.b08_redhat_00005.1.ep7.el7   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Unaffected: 0:5.1.17-3.Final_redhat_00004.1.ep7.el7   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Unaffected: 0:2.8.11.6-3.SP1_redhat_00003.1.ep7.el7   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Unaffected: 0:4.0.12-1.Final_redhat_00002.1.ep7.el7   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Unaffected: 0:4.1.63-2.Final_redhat_00003.1.ep7.el7   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Unaffected: 0:1.4.18-16.SP14_redhat_00001.1.ep7.el7   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Unaffected: 0:7.1.11-4.GA_redhat_00002.1.ep7.el7   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Unaffected: 0:1.1.14-1.Final_redhat_00001.1.ep7.el7   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Unaffected: 0:1.0.21-1.Final_redhat_00001.1.ep7.el7   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Unaffected: 0:1.0.13-1.Final_redhat_00001.1.ep7.el7   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Unaffected: 0:1.0.12-1.Final_redhat_00001.1.ep7.el7   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Unaffected: 0:1.0.12-6.Final_redhat_00001.1.ep7.el7   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Unaffected: 0:2.10.4-3.redhat_00006.1.el7eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Unaffected: 0:2.10.4-3.redhat_00006.1.el7eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Unaffected: 0:2.10.4-5.redhat_00006.1.el7eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Unaffected: 0:2.10.4-3.redhat_00006.1.el7eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Unaffected: 0:2.10.4-5.redhat_00006.1.el7eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Unaffected: 0:2.10.4-2.redhat_00006.1.el7eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Unaffected: 0:1.7.2-16.Final_redhat_00017.1.el7eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Unaffected: 0:4.1.63-5.Final_redhat_00003.1.el7eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Unaffected: 0:2.0.41-4.SP5_redhat_00001.1.el7eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Unaffected: 0:7.3.14-3.GA_redhat_00002.1.el7eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Unaffected: 0:1.10.17-1.Final_redhat_00001.1.el7eap   < *
    cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
 Create a notification for this product.
   Red Hat Red Hat build of Quarkus     cpe:/a:redhat:quarkus:2
 Create a notification for this product.
   Red Hat Red Hat Data Grid 8     cpe:/a:redhat:jboss_data_grid:8
 Create a notification for this product.
   Red Hat Red Hat Decision Manager 7     cpe:/a:redhat:jboss_enterprise_brms_platform:7
 Create a notification for this product.
   Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
 Create a notification for this product.
   Red Hat Red Hat JBoss Data Grid 7     cpe:/a:redhat:jboss_data_grid:7
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 7     cpe:/a:redhat:jboss_enterprise_application_platform:7
 Create a notification for this product.
   Red Hat Red Hat JBoss Fuse 6     cpe:/a:redhat:jboss_fuse:6
 Create a notification for this product.
   Red Hat Red Hat Process Automation 7     cpe:/a:redhat:jboss_enterprise_bpms_platform:7
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7
 Create a notification for this product.
   Red Hat Red Hat support for Spring Boot     cpe:/a:redhat:openshift_application_runtimes:1.0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:59:43.927Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2023:4509",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:4509"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2023-5379"
          },
          {
            "name": "RHBZ#2242099",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242099"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-5379",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2023-12-18T21:09:22.233848Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-02T14:30:02.796Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7.4"
          ],
          "defaultStatus": "unaffected",
          "product": "Red Hat JBoss Enterprise Application Platform 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-glassfish-el",
          "product": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:3.0.1-4.b08_redhat_00005.1.ep7.el7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-hibernate",
          "product": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:5.1.17-3.Final_redhat_00004.1.ep7.el7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-jackson-databind",
          "product": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.8.11.6-3.SP1_redhat_00003.1.ep7.el7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-jboss-ejb-client",
          "product": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:4.0.12-1.Final_redhat_00002.1.ep7.el7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-netty",
          "product": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:4.1.63-2.Final_redhat_00003.1.ep7.el7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-undertow",
          "product": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.4.18-16.SP14_redhat_00001.1.ep7.el7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-wildfly",
          "product": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:7.1.11-4.GA_redhat_00002.1.ep7.el7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-wildfly-elytron",
          "product": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.1.14-1.Final_redhat_00001.1.ep7.el7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-wildfly-http-client",
          "product": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.0.21-1.Final_redhat_00001.1.ep7.el7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-wildfly-naming-client",
          "product": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.0.13-1.Final_redhat_00001.1.ep7.el7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-wildfly-openssl",
          "product": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.0.12-1.Final_redhat_00001.1.ep7.el7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-wildfly-openssl-linux",
          "product": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.0.12-6.Final_redhat_00001.1.ep7.el7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-jackson-annotations",
          "product": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.10.4-3.redhat_00006.1.el7eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-jackson-core",
          "product": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.10.4-3.redhat_00006.1.el7eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-jackson-databind",
          "product": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.10.4-5.redhat_00006.1.el7eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-jackson-jaxrs-providers",
          "product": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.10.4-3.redhat_00006.1.el7eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-jackson-modules-base",
          "product": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.10.4-5.redhat_00006.1.el7eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-jackson-modules-java8",
          "product": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.10.4-2.redhat_00006.1.el7eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-jboss-server-migration",
          "product": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.7.2-16.Final_redhat_00017.1.el7eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-netty",
          "product": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:4.1.63-5.Final_redhat_00003.1.el7eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-undertow",
          "product": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.0.41-4.SP5_redhat_00001.1.el7eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-wildfly",
          "product": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:7.3.14-3.GA_redhat_00002.1.el7eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "eap7-wildfly-elytron",
          "product": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.10.17-1.Final_redhat_00001.1.el7eap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:quarkus:2"
          ],
          "defaultStatus": "unaffected",
          "packageName": "io.quarkus/quarkus-undertow",
          "product": "Red Hat build of Quarkus",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_data_grid:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "product": "Red Hat Data Grid 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "undertow",
          "product": "Red Hat Decision Manager 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_fuse:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "undertow",
          "product": "Red Hat Fuse 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_data_grid:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "undertow",
          "product": "Red Hat JBoss Data Grid 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7"
          ],
          "defaultStatus": "affected",
          "packageName": "undertow",
          "product": "Red Hat JBoss Enterprise Application Platform 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_fuse:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "undertow",
          "product": "Red Hat JBoss Fuse 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "undertow",
          "product": "Red Hat Process Automation 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7"
          ],
          "defaultStatus": "affected",
          "packageName": "undertow",
          "product": "Red Hat Single Sign-On 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift_application_runtimes:1.0"
          ],
          "defaultStatus": "unaffected",
          "packageName": "undertow",
          "product": "Red Hat support for Spring Boot",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2023-12-12T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by mod_cluster in httpd, causing JBoss EAP to close the TCP connection without returning an AJP response. This happens because mod_proxy_cluster marks the JBoss EAP instance as an error worker when the TCP connection is closed from the backend after sending the AJP request without receiving an AJP response, and stops forwarding. This issue could allow a malicious user could to repeatedly send requests that exceed the max-header-size, causing a Denial of Service (DoS)."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-25T00:41:33.518Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2023:4509",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:4509"
        },
        {
          "name": "RHSA-2025:9582",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:9582"
        },
        {
          "name": "RHSA-2025:9583",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:9583"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2023-5379"
        },
        {
          "name": "RHBZ#2242099",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242099"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-10-04T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2023-12-12T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Undertow: ajp request closes connection exceeding maxrequestsize",
      "x_redhatCweChain": "CWE-400-\u003eCWE-770: Uncontrolled Resource Consumption leads to Allocation of Resources Without Limits or Throttling"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-5379",
    "datePublished": "2023-12-12T21:54:52.669Z",
    "dateReserved": "2023-10-04T11:52:15.504Z",
    "dateUpdated": "2025-06-25T00:41:33.518Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-10157 (GCVE-0-2019-10157)
Vulnerability from cvelistv5
Published
2019-06-12 13:48
Modified
2024-08-04 22:10
Severity ?
4.7 (Medium) - CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE
Summary
It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout . An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access indefinitely.
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10157x_refsource_CONFIRM
http://www.securityfocus.com/bid/108734vdb-entry, x_refsource_BID
Impacted products
Vendor Product Version
Red Hat keycloak Version: 4.8.3
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:10:10.057Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10157"
          },
          {
            "name": "108734",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/108734"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "keycloak",
          "vendor": "Red Hat",
          "versions": [
            {
              "status": "affected",
              "version": "4.8.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "It was found that Keycloak\u0027s Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout . An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access indefinitely."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-345",
              "description": "CWE-345",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-06-12T14:06:05",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10157"
        },
        {
          "name": "108734",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/108734"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2019-10157",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "keycloak",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "4.8.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Red Hat"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "It was found that Keycloak\u0027s Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout . An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access indefinitely."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "4.7/CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-345"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10157",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10157"
            },
            {
              "name": "108734",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/108734"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2019-10157",
    "datePublished": "2019-06-12T13:48:42",
    "dateReserved": "2019-03-27T00:00:00",
    "dateUpdated": "2024-08-04T22:10:10.057Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-0105 (GCVE-0-2023-0105)
Vulnerability from cvelistv5
Published
2023-01-11 20:46
Modified
2025-04-09 13:47
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
CWE
  • n/a
Summary
A flaw was found in Keycloak. This flaw allows impersonation and lockout due to the email trust not being handled correctly in Keycloak. An attacker can shadow other users with the same email and lockout or impersonate them.
References
https://access.redhat.com/security/cve/CVE-2023-0105
Impacted products
Vendor Product Version
redhat.com Keycloak Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T05:02:43.468Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2023-0105"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-0105",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-09T13:47:18.022932Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-287",
                "description": "CWE-287 Improper Authentication",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-09T13:47:22.306Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Keycloak",
          "vendor": "redhat.com",
          "versions": [
            {
              "status": "unknown",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Keycloak. This flaw allows impersonation and lockout due to the email trust not being handled correctly in Keycloak. An attacker can shadow other users with the same email and lockout or impersonate them."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-13T04:22:02.451Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "https://access.redhat.com/security/cve/CVE-2023-0105"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-0105",
    "datePublished": "2023-01-11T20:46:51.617Z",
    "dateReserved": "2023-01-06T22:29:12.661Z",
    "dateUpdated": "2025-04-09T13:47:22.306Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-1274 (GCVE-0-2022-1274)
Vulnerability from cvelistv5
Published
2023-03-29 00:00
Modified
2024-08-02 23:55
Severity ?
CWE
Summary
A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.
References
https://bugzilla.redhat.com/show_bug.cgi?id=2073157
https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725
https://herolab.usd.de/security-advisories/usd-2021-0033/
Impacted products
Vendor Product Version
n/a keycloak Version: unknown
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:55:24.548Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://herolab.usd.de/security-advisories/usd-2021-0033/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "keycloak",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "unknown"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-80",
              "description": "CWE-80",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-22T15:18:27.821594",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
        },
        {
          "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725"
        },
        {
          "url": "https://herolab.usd.de/security-advisories/usd-2021-0033/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2022-1274",
    "datePublished": "2023-03-29T00:00:00",
    "dateReserved": "2022-04-08T00:00:00",
    "dateUpdated": "2024-08-02T23:55:24.548Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-7341 (GCVE-0-2024-7341)
Vulnerability from cvelistv5
Published
2024-09-09 18:51
Modified
2024-12-31 14:24
Severity ?
7.1 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE
Summary
A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.
References
https://access.redhat.com/errata/RHSA-2024:6493vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6494vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6495vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6497vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6499vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6500vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6501vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6502vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:6503vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-7341vdb-entry, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2302064issue-tracking, x_refsource_REDHAT
Impacted products
Vendor Product Version
Version: 0   
Version: 23.0.0   
Version: 25.0.0   
Create a notification for this product.
   Red Hat Red Hat Build of Keycloak     cpe:/a:redhat:build_keycloak:22
 Create a notification for this product.
   Red Hat Red Hat Build of Keycloak     cpe:/a:redhat:build_keycloak:24
 Create a notification for this product.
   Red Hat Red Hat build of Keycloak 22 Unaffected: 22.0.12-1   < *
    cpe:/a:redhat:build_keycloak:22::el9
 Create a notification for this product.
   Red Hat Red Hat build of Keycloak 22 Unaffected: 22-17   < *
    cpe:/a:redhat:build_keycloak:22::el9
 Create a notification for this product.
   Red Hat Red Hat build of Keycloak 22 Unaffected: 22-20   < *
    cpe:/a:redhat:build_keycloak:22::el9
 Create a notification for this product.
   Red Hat Red Hat build of Keycloak 24 Unaffected: 24.0.7-4   < *
    cpe:/a:redhat:build_keycloak:24::el9
 Create a notification for this product.
   Red Hat Red Hat build of Keycloak 24 Unaffected: 24-16   < *
    cpe:/a:redhat:build_keycloak:24::el9
 Create a notification for this product.
   Red Hat Red Hat build of Keycloak 24 Unaffected: 24-16   < *
    cpe:/a:redhat:build_keycloak:24::el9
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7     cpe:/a:redhat:red_hat_single_sign_on:7.6
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 7 Unaffected: 0:18.0.16-1.redhat_00001.1.el7sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el7
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 8 Unaffected: 0:18.0.16-1.redhat_00001.1.el8sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el8
 Create a notification for this product.
   Red Hat Red Hat Single Sign-On 7.6 for RHEL 9 Unaffected: 0:18.0.16-1.redhat_00001.1.el9sso   < *
    cpe:/a:redhat:red_hat_single_sign_on:7.6::el9
 Create a notification for this product.
   Red Hat RHEL-8 based Middleware Containers Unaffected: 7.6-52   < *
    cpe:/a:redhat:rhosemc:1.0::el8
 Create a notification for this product.
   Red Hat Red Hat JBoss Enterprise Application Platform 8     cpe:/a:redhat:jboss_enterprise_application_platform:8
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-7341",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-09T19:59:06.075961Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-09T19:59:16.927Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/keycloak/keycloak",
          "defaultStatus": "unaffected",
          "packageName": "org.keycloak:keycloak-services",
          "versions": [
            {
              "lessThan": "22.0.12",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "24.0.7",
              "status": "affected",
              "version": "23.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "25.0.5",
              "status": "affected",
              "version": "25.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:22"
          ],
          "defaultStatus": "unaffected",
          "packageName": "org.keycloak/keycloak-services",
          "product": "Red Hat Build of Keycloak",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:24"
          ],
          "defaultStatus": "unaffected",
          "packageName": "org.keycloak/keycloak-services",
          "product": "Red Hat Build of Keycloak",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:22::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-operator-bundle",
          "product": "Red Hat build of Keycloak 22",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "22.0.12-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:22::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 22",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "22-17",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:22::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9-operator",
          "product": "Red Hat build of Keycloak 22",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "22-20",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:24::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-operator-bundle",
          "product": "Red Hat build of Keycloak 24",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "24.0.7-4",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:24::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 24",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "24-16",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:24::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9-operator",
          "product": "Red Hat build of Keycloak 24",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "24-16",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6"
          ],
          "defaultStatus": "unaffected",
          "packageName": "org.keycloak/keycloak-services",
          "product": "Red Hat Single Sign-On 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 7",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.16-1.redhat_00001.1.el7sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.16-1.redhat_00001.1.el8sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso7-keycloak",
          "product": "Red Hat Single Sign-On 7.6 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:18.0.16-1.redhat_00001.1.el9sso",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rh-sso-7/sso76-openshift-rhel8",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.6-52",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8"
          ],
          "defaultStatus": "affected",
          "packageName": "org.keycloak/keycloak-services",
          "product": "Red Hat JBoss Enterprise Application Platform 8",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2024-09-09T13:48:00+00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-384",
              "description": "Session Fixation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-31T14:24:03.545Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2024:6493",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:6493"
        },
        {
          "name": "RHSA-2024:6494",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:6494"
        },
        {
          "name": "RHSA-2024:6495",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:6495"
        },
        {
          "name": "RHSA-2024:6497",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:6497"
        },
        {
          "name": "RHSA-2024:6499",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:6499"
        },
        {
          "name": "RHSA-2024:6500",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:6500"
        },
        {
          "name": "RHSA-2024:6501",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:6501"
        },
        {
          "name": "RHSA-2024:6502",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:6502"
        },
        {
          "name": "RHSA-2024:6503",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:6503"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2024-7341"
        },
        {
          "name": "RHBZ#2302064",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2302064"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-07-31T15:02:21+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2024-09-09T13:48:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Wildfly-elytron: org.keycloak/keycloak-services: session fixation in elytron saml adapters",
      "workarounds": [
        {
          "lang": "en",
          "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
        }
      ],
      "x_redhatCweChain": "CWE-384: Session Fixation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2024-7341",
    "datePublished": "2024-09-09T18:51:13.537Z",
    "dateReserved": "2024-07-31T15:13:22.220Z",
    "dateUpdated": "2024-12-31T14:24:03.545Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-1710 (GCVE-0-2020-1710)
Vulnerability from cvelistv5
Published
2020-09-16 14:28
Modified
2024-08-04 06:46
Severity ?
CWE
  • Improper Neutralization of CRLF Sequences in HTTP Headers
Summary
The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a 400.
References
https://bugzilla.redhat.com/show_bug.cgi?id=1793970x_refsource_MISC
Impacted products
Vendor Product Version
n/a JBoss Enterprise Application Platform Version: EAP 6.4.21
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T06:46:30.214Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1793970"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "JBoss Enterprise Application Platform",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "EAP 6.4.21"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a 400."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Improper Neutralization of CRLF Sequences in HTTP Headers",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-09-16T14:28:20",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1793970"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2020-1710",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "JBoss Enterprise Application Platform",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "EAP 6.4.21"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a 400."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Improper Neutralization of CRLF Sequences in HTTP Headers"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1793970",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1793970"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-1710",
    "datePublished": "2020-09-16T14:28:20",
    "dateReserved": "2019-11-27T00:00:00",
    "dateUpdated": "2024-08-04T06:46:30.214Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-9514 (GCVE-0-2019-9514)
Vulnerability from cvelistv5
Published
2019-08-13 00:00
Modified
2024-08-04 21:54
Severity ?
7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Summary
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
References
https://kb.cert.org/vuls/id/605641/third-party-advisory
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3Emailing-list
https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3Emailing-list
https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3Emailing-list
https://seclists.org/bugtraq/2019/Aug/24mailing-list
http://seclists.org/fulldisclosure/2019/Aug/16mailing-list
https://www.synology.com/security/advisory/Synology_SA_19_33
https://seclists.org/bugtraq/2019/Aug/31mailing-list
https://www.debian.org/security/2019/dsa-4503vendor-advisory
https://support.f5.com/csp/article/K01988340
http://www.openwall.com/lists/oss-security/2019/08/20/1mailing-list
https://security.netapp.com/advisory/ntap-20190823-0001/
https://security.netapp.com/advisory/ntap-20190823-0004/
https://security.netapp.com/advisory/ntap-20190823-0005/
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.htmlvendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/vendor-advisory
https://seclists.org/bugtraq/2019/Aug/43mailing-list
https://www.debian.org/security/2019/dsa-4508vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.htmlvendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00011.htmlvendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYO6E3H34C346D2E443GLXK7OK6KIYIQ/vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4BBP27PZGSY6OP6D26E5FW4GZKBFHNU7/vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00021.htmlvendor-advisory
https://access.redhat.com/errata/RHSA-2019:2682vendor-advisory
https://www.debian.org/security/2019/dsa-4520vendor-advisory
https://access.redhat.com/errata/RHSA-2019:2726vendor-advisory
https://seclists.org/bugtraq/2019/Sep/18mailing-list
https://access.redhat.com/errata/RHSA-2019:2594vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.htmlvendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.htmlvendor-advisory
https://access.redhat.com/errata/RHSA-2019:2661vendor-advisory
https://kc.mcafee.com/corporate/index?page=content&id=SB10296
https://access.redhat.com/errata/RHSA-2019:2690vendor-advisory
https://access.redhat.com/errata/RHSA-2019:2766vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00038.htmlvendor-advisory
https://access.redhat.com/errata/RHSA-2019:2796vendor-advisory
https://access.redhat.com/errata/RHSA-2019:2861vendor-advisory
https://access.redhat.com/errata/RHSA-2019:2925vendor-advisory
https://access.redhat.com/errata/RHSA-2019:2939vendor-advisory
https://access.redhat.com/errata/RHSA-2019:2955vendor-advisory
https://access.redhat.com/errata/RHSA-2019:2966vendor-advisory
https://support.f5.com/csp/article/K01988340?utm_source=f5support&amp%3Butm_medium=RSS
https://access.redhat.com/errata/RHSA-2019:3131vendor-advisory
https://access.redhat.com/errata/RHSA-2019:2769vendor-advisory
https://access.redhat.com/errata/RHSA-2019:3245vendor-advisory
https://access.redhat.com/errata/RHSA-2019:3265vendor-advisory
https://access.redhat.com/errata/RHSA-2019:3892vendor-advisory
https://access.redhat.com/errata/RHSA-2019:3906vendor-advisory
https://access.redhat.com/errata/RHSA-2019:4018vendor-advisory
https://access.redhat.com/errata/RHSA-2019:4019vendor-advisory
https://access.redhat.com/errata/RHSA-2019:4021vendor-advisory
https://access.redhat.com/errata/RHSA-2019:4020vendor-advisory
https://access.redhat.com/errata/RHSA-2019:4045vendor-advisory
https://access.redhat.com/errata/RHSA-2019:4042vendor-advisory
https://access.redhat.com/errata/RHSA-2019:4040vendor-advisory
https://access.redhat.com/errata/RHSA-2019:4041vendor-advisory
https://access.redhat.com/errata/RHSA-2019:4269vendor-advisory
https://access.redhat.com/errata/RHSA-2019:4273vendor-advisory
https://access.redhat.com/errata/RHSA-2019:4352vendor-advisory
https://access.redhat.com/errata/RHSA-2020:0406vendor-advisory
https://access.redhat.com/errata/RHSA-2020:0727vendor-advisory
https://usn.ubuntu.com/4308-1/vendor-advisory
https://www.debian.org/security/2020/dsa-4669vendor-advisory
https://lists.debian.org/debian-lts-announce/2020/12/msg00011.htmlmailing-list
http://www.openwall.com/lists/oss-security/2023/10/18/8mailing-list
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T21:54:44.511Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "VU#605641",
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://kb.cert.org/vuls/id/605641/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
          },
          {
            "name": "[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E"
          },
          {
            "name": "[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E"
          },
          {
            "name": "[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E"
          },
          {
            "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Aug/24"
          },
          {
            "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
          },
          {
            "name": "20190819 [SECURITY] [DSA 4503-1] golang-1.11 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Aug/31"
          },
          {
            "name": "DSA-4503",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4503"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.f5.com/csp/article/K01988340"
          },
          {
            "name": "[oss-security] 20190819 [ANNOUNCE] Security release of Kubernetes v1.15.3, v1.14.6, v1.13.10 - CVE-2019-9512 and CVE-2019-9514",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2019/08/20/1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20190823-0001/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20190823-0004/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
          },
          {
            "name": "openSUSE-SU-2019:2000",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.html"
          },
          {
            "name": "FEDORA-2019-5a6a7bc12c",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
          },
          {
            "name": "FEDORA-2019-6a2980de56",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
          },
          {
            "name": "20190825 [SECURITY] [DSA 4508-1] h2o security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Aug/43"
          },
          {
            "name": "DSA-4508",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4508"
          },
          {
            "name": "openSUSE-SU-2019:2056",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.html"
          },
          {
            "name": "openSUSE-SU-2019:2072",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00011.html"
          },
          {
            "name": "FEDORA-2019-55d101a740",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYO6E3H34C346D2E443GLXK7OK6KIYIQ/"
          },
          {
            "name": "FEDORA-2019-65db7ad6c7",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4BBP27PZGSY6OP6D26E5FW4GZKBFHNU7/"
          },
          {
            "name": "openSUSE-SU-2019:2085",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00021.html"
          },
          {
            "name": "RHSA-2019:2682",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2682"
          },
          {
            "name": "DSA-4520",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4520"
          },
          {
            "name": "RHSA-2019:2726",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2726"
          },
          {
            "name": "20190910 [SECURITY] [DSA 4520-1] trafficserver security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Sep/18"
          },
          {
            "name": "RHSA-2019:2594",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2594"
          },
          {
            "name": "openSUSE-SU-2019:2114",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
          },
          {
            "name": "openSUSE-SU-2019:2115",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
          },
          {
            "name": "RHSA-2019:2661",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2661"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
          },
          {
            "name": "RHSA-2019:2690",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2690"
          },
          {
            "name": "RHSA-2019:2766",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2766"
          },
          {
            "name": "openSUSE-SU-2019:2130",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00038.html"
          },
          {
            "name": "RHSA-2019:2796",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2796"
          },
          {
            "name": "RHSA-2019:2861",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2861"
          },
          {
            "name": "RHSA-2019:2925",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2925"
          },
          {
            "name": "RHSA-2019:2939",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2939"
          },
          {
            "name": "RHSA-2019:2955",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2955"
          },
          {
            "name": "RHSA-2019:2966",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2966"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.f5.com/csp/article/K01988340?utm_source=f5support\u0026amp%3Butm_medium=RSS"
          },
          {
            "name": "RHSA-2019:3131",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3131"
          },
          {
            "name": "RHSA-2019:2769",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2769"
          },
          {
            "name": "RHSA-2019:3245",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3245"
          },
          {
            "name": "RHSA-2019:3265",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3265"
          },
          {
            "name": "RHSA-2019:3892",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3892"
          },
          {
            "name": "RHSA-2019:3906",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3906"
          },
          {
            "name": "RHSA-2019:4018",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4018"
          },
          {
            "name": "RHSA-2019:4019",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4019"
          },
          {
            "name": "RHSA-2019:4021",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4021"
          },
          {
            "name": "RHSA-2019:4020",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4020"
          },
          {
            "name": "RHSA-2019:4045",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4045"
          },
          {
            "name": "RHSA-2019:4042",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4042"
          },
          {
            "name": "RHSA-2019:4040",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4040"
          },
          {
            "name": "RHSA-2019:4041",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4041"
          },
          {
            "name": "RHSA-2019:4269",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4269"
          },
          {
            "name": "RHSA-2019:4273",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4273"
          },
          {
            "name": "RHSA-2019:4352",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:4352"
          },
          {
            "name": "RHSA-2020:0406",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0406"
          },
          {
            "name": "RHSA-2020:0727",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2020:0727"
          },
          {
            "name": "USN-4308-1",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4308-1/"
          },
          {
            "name": "DSA-4669",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4669"
          },
          {
            "name": "[debian-lts-announce] 20201208 [SECURITY] [DLA 2485-1] golang-golang-x-net-dev security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00011.html"
          },
          {
            "name": "[oss-security] 20231018 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/10/18/8"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Thanks to Jonathan Looney of Netflix for reporting this vulnerability."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-19T02:06:30.169190",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "name": "VU#605641",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://kb.cert.org/vuls/id/605641/"
        },
        {
          "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
        },
        {
          "name": "[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E"
        },
        {
          "name": "[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E"
        },
        {
          "name": "[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E"
        },
        {
          "name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
          "tags": [
            "mailing-list"
          ],
          "url": "https://seclists.org/bugtraq/2019/Aug/24"
        },
        {
          "name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0",
          "tags": [
            "mailing-list"
          ],
          "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
        },
        {
          "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
        },
        {
          "name": "20190819 [SECURITY] [DSA 4503-1] golang-1.11 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://seclists.org/bugtraq/2019/Aug/31"
        },
        {
          "name": "DSA-4503",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4503"
        },
        {
          "url": "https://support.f5.com/csp/article/K01988340"
        },
        {
          "name": "[oss-security] 20190819 [ANNOUNCE] Security release of Kubernetes v1.15.3, v1.14.6, v1.13.10 - CVE-2019-9512 and CVE-2019-9514",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2019/08/20/1"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20190823-0001/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20190823-0004/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
        },
        {
          "name": "openSUSE-SU-2019:2000",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.html"
        },
        {
          "name": "FEDORA-2019-5a6a7bc12c",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
        },
        {
          "name": "FEDORA-2019-6a2980de56",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
        },
        {
          "name": "20190825 [SECURITY] [DSA 4508-1] h2o security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://seclists.org/bugtraq/2019/Aug/43"
        },
        {
          "name": "DSA-4508",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4508"
        },
        {
          "name": "openSUSE-SU-2019:2056",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.html"
        },
        {
          "name": "openSUSE-SU-2019:2072",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00011.html"
        },
        {
          "name": "FEDORA-2019-55d101a740",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYO6E3H34C346D2E443GLXK7OK6KIYIQ/"
        },
        {
          "name": "FEDORA-2019-65db7ad6c7",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4BBP27PZGSY6OP6D26E5FW4GZKBFHNU7/"
        },
        {
          "name": "openSUSE-SU-2019:2085",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00021.html"
        },
        {
          "name": "RHSA-2019:2682",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2682"
        },
        {
          "name": "DSA-4520",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4520"
        },
        {
          "name": "RHSA-2019:2726",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2726"
        },
        {
          "name": "20190910 [SECURITY] [DSA 4520-1] trafficserver security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://seclists.org/bugtraq/2019/Sep/18"
        },
        {
          "name": "RHSA-2019:2594",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2594"
        },
        {
          "name": "openSUSE-SU-2019:2114",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
        },
        {
          "name": "openSUSE-SU-2019:2115",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
        },
        {
          "name": "RHSA-2019:2661",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2661"
        },
        {
          "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
        },
        {
          "name": "RHSA-2019:2690",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2690"
        },
        {
          "name": "RHSA-2019:2766",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2766"
        },
        {
          "name": "openSUSE-SU-2019:2130",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00038.html"
        },
        {
          "name": "RHSA-2019:2796",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2796"
        },
        {
          "name": "RHSA-2019:2861",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2861"
        },
        {
          "name": "RHSA-2019:2925",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2925"
        },
        {
          "name": "RHSA-2019:2939",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2939"
        },
        {
          "name": "RHSA-2019:2955",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2955"
        },
        {
          "name": "RHSA-2019:2966",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2966"
        },
        {
          "url": "https://support.f5.com/csp/article/K01988340?utm_source=f5support\u0026amp%3Butm_medium=RSS"
        },
        {
          "name": "RHSA-2019:3131",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3131"
        },
        {
          "name": "RHSA-2019:2769",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2769"
        },
        {
          "name": "RHSA-2019:3245",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3245"
        },
        {
          "name": "RHSA-2019:3265",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3265"
        },
        {
          "name": "RHSA-2019:3892",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3892"
        },
        {
          "name": "RHSA-2019:3906",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3906"
        },
        {
          "name": "RHSA-2019:4018",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4018"
        },
        {
          "name": "RHSA-2019:4019",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4019"
        },
        {
          "name": "RHSA-2019:4021",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4021"
        },
        {
          "name": "RHSA-2019:4020",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4020"
        },
        {
          "name": "RHSA-2019:4045",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4045"
        },
        {
          "name": "RHSA-2019:4042",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4042"
        },
        {
          "name": "RHSA-2019:4040",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4040"
        },
        {
          "name": "RHSA-2019:4041",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4041"
        },
        {
          "name": "RHSA-2019:4269",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4269"
        },
        {
          "name": "RHSA-2019:4273",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4273"
        },
        {
          "name": "RHSA-2019:4352",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:4352"
        },
        {
          "name": "RHSA-2020:0406",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0406"
        },
        {
          "name": "RHSA-2020:0727",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2020:0727"
        },
        {
          "name": "USN-4308-1",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://usn.ubuntu.com/4308-1/"
        },
        {
          "name": "DSA-4669",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4669"
        },
        {
          "name": "[debian-lts-announce] 20201208 [SECURITY] [DLA 2485-1] golang-golang-x-net-dev security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00011.html"
        },
        {
          "name": "[oss-security] 20231018 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2023/10/18/8"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service",
      "x_generator": {
        "engine": "Vulnogram 0.0.7"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2019-9514",
    "datePublished": "2019-08-13T00:00:00",
    "dateReserved": "2019-03-01T00:00:00",
    "dateUpdated": "2024-08-04T21:54:44.511Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-3690 (GCVE-0-2021-3690)
Vulnerability from cvelistv5
Published
2022-08-23 15:50
Modified
2024-08-03 17:01
Severity ?
CWE
  • CWE-400 - - Uncontrolled Resource Consumption
Summary
A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.
References
https://issues.redhat.com/browse/UNDERTOW-1935x_refsource_MISC
https://bugzilla.redhat.com/show_bug.cgi?id=1991299x_refsource_MISC
https://access.redhat.com/security/cve/CVE-2021-3690x_refsource_MISC
https://github.com/undertow-io/undertow/commit/c7e84a0b7efced38506d7d1dfea5902366973877x_refsource_MISC
Impacted products
Vendor Product Version
n/a undertow Version: Fixed in 2.2.10.Final, 2.0.40.Final
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:01:08.307Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://issues.redhat.com/browse/UNDERTOW-1935"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1991299"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2021-3690"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/undertow-io/undertow/commit/c7e84a0b7efced38506d7d1dfea5902366973877"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "undertow",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Fixed in 2.2.10.Final, 2.0.40.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 - Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-23T15:50:35",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://issues.redhat.com/browse/UNDERTOW-1935"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1991299"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2021-3690"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/undertow-io/undertow/commit/c7e84a0b7efced38506d7d1dfea5902366973877"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2021-3690",
    "datePublished": "2022-08-23T15:50:35",
    "dateReserved": "2021-08-09T00:00:00",
    "dateUpdated": "2024-08-03T17:01:08.307Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-4361 (GCVE-0-2022-4361)
Vulnerability from cvelistv5
Published
2023-07-07 19:57
Modified
2024-11-12 19:43
Severity ?
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE
Summary
Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_uri.
References
https://bugzilla.redhat.com/show_bug.cgi?id=2151618
https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3a
Impacted products
Vendor Product Version
keycloak keycloak Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T01:34:50.133Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2151618"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3a"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-4361",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-12T19:43:33.065184Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-12T19:43:42.651Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "keycloak",
          "vendor": "keycloak",
          "versions": [
            {
              "status": "unaffected",
              "version": "21.1.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_uri."
            }
          ],
          "value": "Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_uri."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-63",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-63 Cross-Site Scripting (XSS)"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-81",
              "description": "CWE-81",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-07T19:57:44.567Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2151618"
        },
        {
          "url": "https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3a"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2022-4361",
    "datePublished": "2023-07-07T19:57:44.567Z",
    "dateReserved": "2022-12-08T11:04:48.560Z",
    "dateUpdated": "2024-11-12T19:43:42.651Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Vulnerability from fkie_nvd
Published
2022-08-26 16:15
Modified
2024-11-21 06:22
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
A flaw was found in keycloak where an attacker is able to register himself with the username same as the email ID of any existing user. This may cause trouble in getting password recovery email in case the user forgets the password.
References
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2021-3754Vendor Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=1999196Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/security/cve/CVE-2021-3754Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=1999196Issue Tracking, Vendor Advisory
Impacted products
Vendor Product Version
redhat keycloak -
redhat single_sign-on 7.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "6E0DE4E1-5D8D-40F3-8AC8-C7F736966158",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in keycloak where an attacker is able to register himself with the username same as the email ID of any existing user. This may cause trouble in getting password recovery email in case the user forgets the password."
    },
    {
      "lang": "es",
      "value": "Se ha encontrado un fallo en keycloak por el que un atacante puede registrarse con el mismo nombre de usuario que el ID de correo electr\u00f3nico de cualquier usuario existente. Esto puede causar problemas a la hora de recibir el correo electr\u00f3nico de recuperaci\u00f3n de la contrase\u00f1a en caso de que el usuario la olvide."
    }
  ],
  "id": "CVE-2021-3754",
  "lastModified": "2024-11-21T06:22:20.783",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-08-26T16:15:09.520",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2021-3754"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999196"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2021-3754"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999196"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-09-25 20:15
Modified
2024-11-21 07:34
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:1043Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:1044Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:1045Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:1049Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2022-4137Vendor Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2148496Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:1043Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:1044Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:1045Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:1049Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/security/cve/CVE-2022-4137Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=2148496Issue Tracking, Vendor Advisory
Impacted products
Vendor Product Version
redhat keycloak -
redhat single_sign-on 7.6
redhat enterprise_linux 7.0
redhat enterprise_linux 8.0
redhat enterprise_linux 9.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "6E0DE4E1-5D8D-40F3-8AC8-C7F736966158",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "2DEC61BC-E699-456E-99B6-C049F2A5F23F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A reflected cross-site scripting (XSS) vulnerability was found in the \u0027oob\u0027 OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una vulnerabilidad reflejada de scross-site scripting (XSS) en el endpoint de OAuth \u0027oob\u0027 debido a un manejo incorrecto de bytes nulos. Este problema permite que un enlace malicioso inserte un URI arbitrario en una p\u00e1gina de error de Keycloak. Esta falla requiere que un usuario o administrador interact\u00fae con un enlace para ser vulnerable. Esto puede comprometer los datos del usuario, permitiendo que un atacante los modifique o los recopile."
    }
  ],
  "id": "CVE-2022-4137",
  "lastModified": "2024-11-21T07:34:38.850",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-09-25T20:15:09.897",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:1043"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:1044"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:1045"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:1049"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2022-4137"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:1043"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:1044"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:1045"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:1049"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2022-4137"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-81"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2018-08-01 17:29
Modified
2024-11-21 03:42
Severity ?
5.4 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further attacks.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2018:3592Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2018:3593Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2018:3595Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2019:0877Vendor Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10894Issue Tracking, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2018:3592Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2018:3593Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2018:3595Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:0877Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10894Issue Tracking, Patch, Vendor Advisory
Impacted products
Vendor Product Version
redhat keycloak 3.4.3
redhat single_sign-on 7.2
redhat enterprise_linux 6.0
redhat enterprise_linux 7.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:3.4.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "3D602684-69EC-4051-AF5B-02595A16BEBA",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "FABBE0BB-135A-458C-BD84-54C052FFDC57",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further attacks."
    },
    {
      "lang": "es",
      "value": "Se ha descubierto que la autenticaci\u00f3n SAML en Keycloak 3.4.3.Final autenticaba incorrectamente los certificados caducados. Un usuario malicioso podr\u00eda aprovecharse de esto para acceder a datos no autorizados o, posiblemente, llevar a cabo m\u00e1s ataques."
    }
  ],
  "id": "CVE-2018-10894",
  "lastModified": "2024-11-21T03:42:14.650",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-08-01T17:29:00.347",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:3592"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:3593"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:3595"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:0877"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10894"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:3592"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:3593"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:3595"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:0877"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10894"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-345"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-295"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-09-16 15:15
Modified
2024-11-21 05:11
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a 400.
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=1793970Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=1793970Issue Tracking, Vendor Advisory
Impacted products
Vendor Product Version
redhat jboss_data_grid -
redhat jboss_data_grid 7.0.0
redhat jboss_enterprise_application_platform -
redhat jboss_enterprise_application_platform 6.4.21
redhat jboss_enterprise_application_platform 7.0.0
redhat jboss_enterprise_application_platform 7.2.0
redhat jboss_enterprise_application_platform 7.3.0
redhat openshift_application_runtimes -
redhat single_sign-on -


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_data_grid:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "2BF03A52-4068-47EA-8846-1E5FB708CE1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "CD354E32-A8B0-484C-B4C6-9FBCD3430D2D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "B8423D7F-3A8F-4AD8-BF51-245C9D8DD816",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.21:*:*:*:*:*:*:*",
              "matchCriteriaId": "5B9B368A-C894-4D7A-8E64-4B12DDE572E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "72A54BDA-311C-413B-8E4D-388AD65A170A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0952BA1A-5DF9-400F-B01F-C3A398A8A2D4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "8B157A2D-3422-4224-82D9-15AB3B989075",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A33441B3-B301-426C-A976-08CE5FE72EFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "341E6313-20D5-44CB-9719-B20585DC5AD6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a 400."
    },
    {
      "lang": "es",
      "value": "El problema parece ser que JBoss EAP versi\u00f3n 6.4.21, no analiza el nombre de campo de acuerdo con RFC7230[1] ya que devuelve 200 en lugar de 400"
    }
  ],
  "id": "CVE-2020-1710",
  "lastModified": "2024-11-21T05:11:13.130",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-09-16T15:15:12.457",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1793970"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1793970"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-01-07 17:15
Modified
2024-11-21 04:27
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be 'service-account-test@placeholder.org'.
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14837Exploit, Issue Tracking, Vendor Advisory
secalert@redhat.comhttps://github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777fPatch, Third Party Advisory
secalert@redhat.comhttps://issues.jboss.org/browse/KEYCLOAK-10780Issue Tracking, Permissions Required, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14837Exploit, Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777fPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://issues.jboss.org/browse/KEYCLOAK-10780Issue Tracking, Permissions Required, Vendor Advisory
Impacted products
Vendor Product Version
redhat keycloak *
redhat single_sign-on 7.3


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "637DA24E-DD9D-4895-8335-7C6A2AB6472F",
              "versionEndExcluding": "8.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "E939A0E0-3437-459E-9FAB-FE42811B1D32",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in keycloack before version 8.0.0. The owner of \u0027placeholder.org\u0027 domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name \u0027test\u0027 the email address will be \u0027service-account-test@placeholder.org\u0027."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 un fallo en keycloack versiones anteriores a la versi\u00f3n  8.0.0. El propietario del dominio \"placeholder.org\" puede configurar el servidor de correo sobre este dominio y conociendo solo el nombre de un cliente puede restablecer la contrase\u00f1a y luego iniciar sesi\u00f3n. Por ejemplo, para el nombre del cliente \"prueba\", la direcci\u00f3n de correo electr\u00f3nico ser\u00e1 \"service-account-test@placeholder.org\"."
    }
  ],
  "id": "CVE-2019-14837",
  "lastModified": "2024-11-21T04:27:28.110",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 6.4,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-01-07T17:15:11.033",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14837"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777f"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://issues.jboss.org/browse/KEYCLOAK-10780"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14837"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777f"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://issues.jboss.org/browse/KEYCLOAK-10780"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-547"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-798"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-02-11 18:15
Modified
2024-11-21 05:11
Severity ?
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Summary
A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack.
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=1796281Issue Tracking, Vendor Advisory
secalert@redhat.comhttps://issues.jboss.org/browse/KEYCLOAK-12014Issue Tracking, Permissions Required, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=1796281Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://issues.jboss.org/browse/KEYCLOAK-12014Issue Tracking, Permissions Required, Vendor Advisory
Impacted products
Vendor Product Version
redhat keycloak 7.0.1
redhat jboss_fuse 7.0.0
redhat openshift_application_runtimes -
redhat single_sign-on 7.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:7.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "81B631C5-DBD4-4055-ADF3-4B2FECACE04F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B40CCE4F-EA2C-453D-BB76-6388767E5C6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A33441B3-B301-426C-A976-08CE5FE72EFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 un fallo en Keycloak versi\u00f3n 7.0.1.\u0026#xa0;Un usuario que haya iniciado sesi\u00f3n puede llevar a cabo un ataque de enumeraci\u00f3n de correo electr\u00f3nico de la cuenta"
    }
  ],
  "id": "CVE-2020-1717",
  "lastModified": "2024-11-21T05:11:13.880",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 2.7,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-02-11T18:15:14.317",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1796281"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://issues.jboss.org/browse/KEYCLOAK-12014"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1796281"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://issues.jboss.org/browse/KEYCLOAK-12014"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-209"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-209"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-02-23 20:15
Modified
2025-03-12 15:15
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.
References
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2022-4492Vendor Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2153260Issue Tracking, Vendor Advisory
secalert@redhat.comhttps://security.netapp.com/advisory/ntap-20230324-0002/
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/security/cve/CVE-2022-4492Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=2153260Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20230324-0002/
Impacted products
Vendor Product Version
redhat build_of_quarkus -
redhat integration_camel_for_spring_boot -
redhat integration_camel_k -
redhat integration_service_registry -
redhat jboss_enterprise_application_platform 7.0.0
redhat jboss_fuse 7.0.0
redhat migration_toolkit_for_applications 6.0
redhat migration_toolkit_for_runtimes -
redhat single_sign-on 7.0
redhat undertow 2.7.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "CE29B9D6-63DC-4779-ACE8-4E51E6A0AF37",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:integration_camel_for_spring_boot:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "78698F40-0777-4990-822D-02E1B5D0E2C0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "B87C8AD3-8878-4546-86C2-BF411876648C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:integration_service_registry:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF03BDE8-602D-4DEE-BA5B-5B20FDF47741",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "72A54BDA-311C-413B-8E4D-388AD65A170A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B40CCE4F-EA2C-453D-BB76-6388767E5C6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:migration_toolkit_for_applications:6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "3C2E7E3C-A507-4AB2-97E5-4944D8775CF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:migration_toolkit_for_runtimes:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F979A5E3-7FFB-45F1-9847-FFBAF0B12067",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:undertow:2.7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E0FA5F7F-CCE8-4DF0-8F9D-516F72C30A45",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol."
    }
  ],
  "id": "CVE-2022-4492",
  "lastModified": "2025-03-12T15:15:38.020",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-02-23T20:15:12.680",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2022-4492"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153260"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://security.netapp.com/advisory/ntap-20230324-0002/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2022-4492"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153260"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://security.netapp.com/advisory/ntap-20230324-0002/"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-01-08 15:15
Modified
2024-11-21 04:27
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information.
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14820Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14820Issue Tracking, Patch, Third Party Advisory
Impacted products
Vendor Product Version
redhat keycloak *
redhat single_sign-on 7.3
redhat jboss_enterprise_application_platform 6.4.0
redhat jboss_enterprise_application_platform 7.2.0
redhat jboss_fuse 7.0.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "637DA24E-DD9D-4895-8335-7C6A2AB6472F",
              "versionEndExcluding": "8.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "E939A0E0-3437-459E-9FAB-FE42811B1D32",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B1ABA871-3271-48E2-A69C-5AD70AF94E53",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0952BA1A-5DF9-400F-B01F-C3A398A8A2D4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B40CCE4F-EA2C-453D-BB76-6388767E5C6D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information."
    },
    {
      "lang": "es",
      "value": "Se descubri\u00f3 que keycloak versiones anteriores la versi\u00f3n 8.0.0, expone los endpoints del adaptador interno en org.keycloak.constants.AdapterConstants, que pueden ser invocadas por medio de una URL especialmente dise\u00f1ada. Esta vulnerabilidad podr\u00eda permitir a un atacante acceder a informaci\u00f3n no autorizada."
    }
  ],
  "id": "CVE-2019-14820",
  "lastModified": "2024-11-21T04:27:25.867",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-01-08T15:15:11.260",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14820"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14820"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-02-11 18:15
Modified
2024-11-21 04:55
Severity ?
3.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Summary
A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have CSRF protection. Versions shipped with Red Hat Fuse 7, Red Hat Single Sign-on 7, and Red Hat Openshift Application Runtimes are believed to be vulnerable.
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=1831662Issue Tracking, Vendor Advisory
secalert@redhat.comhttps://issues.redhat.com/browse/KEYCLOAK-13653Permissions Required, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=1831662Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://issues.redhat.com/browse/KEYCLOAK-13653Permissions Required, Vendor Advisory
Impacted products
Vendor Product Version
redhat keycloak -
redhat jboss_fuse 7.0.0
redhat openshift_application_runtimes -
redhat single_sign-on 7.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "6E0DE4E1-5D8D-40F3-8AC8-C7F736966158",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B40CCE4F-EA2C-453D-BB76-6388767E5C6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A33441B3-B301-426C-A976-08CE5FE72EFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have CSRF protection. Versions shipped with Red Hat Fuse 7, Red Hat Single Sign-on 7, and Red Hat Openshift Application Runtimes are believed to be vulnerable."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una vulnerabilidad en keycloak en la forma en que el endpoint de cierre de sesi\u00f3n OIDC no tiene protecci\u00f3n CSRF.\u0026#xa0;Se cree que las versiones enviadas con Red Hat Fuse 7, Red Hat Single Sign-on 7 y Red Hat Openshift Application Runtimes son vulnerables"
    }
  ],
  "id": "CVE-2020-10734",
  "lastModified": "2024-11-21T04:55:57.587",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 2.1,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "LOW",
          "baseScore": 3.3,
          "baseSeverity": "LOW",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-02-11T18:15:13.927",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831662"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://issues.redhat.com/browse/KEYCLOAK-13653"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831662"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://issues.redhat.com/browse/KEYCLOAK-13653"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-04-26 19:15
Modified
2024-11-21 06:40
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2050228Issue Tracking, Vendor Advisory
secalert@redhat.comhttps://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-076.txtExploit, Third Party Advisory
secalert@redhat.comhttps://www.syss.de/pentest-blog/fehlerhafte-autorisierung-bei-red-hat-single-sign-on-750ga-syss-2021-076Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=2050228Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-076.txtExploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.syss.de/pentest-blog/fehlerhafte-autorisierung-bei-red-hat-single-sign-on-750ga-syss-2021-076Exploit, Third Party Advisory
Impacted products
Vendor Product Version
redhat keycloak *
redhat single_sign-on 7.5.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F41C7F06-3969-4330-A122-82392E25471F",
              "versionEndExcluding": "17.0.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.5.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A69E9AB7-AC48-4448-BE34-68AC0AA0CD46",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted."
    },
    {
      "lang": "es",
      "value": "Debido a una autorizaci\u00f3n inapropiada, Red Hat Single Sign-On es vulnerable a que usuarios lleven a cabo acciones que no deber\u00edan estar autorizados a realizar. Era posible a\u00f1adir usuarios al reino maestro aunque no sea concedido el permiso correspondiente"
    }
  ],
  "id": "CVE-2022-1466",
  "lastModified": "2024-11-21T06:40:46.697",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-04-26T19:15:49.660",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2050228"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-076.txt"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.syss.de/pentest-blog/fehlerhafte-autorisierung-bei-red-hat-single-sign-on-750ga-syss-2021-076"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2050228"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-076.txt"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://www.syss.de/pentest-blog/fehlerhafte-autorisierung-bei-red-hat-single-sign-on-750ga-syss-2021-076"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-08-21 14:15
Modified
2024-12-12 22:15
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:11023
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:6508
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:6883
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:7441
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:7442
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:7735
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:7736
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2024-7885Vendor Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2305290Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20241011-0004/
Impacted products
Vendor Product Version
redhat build_of_apache_camel_-_hawtio -
redhat build_of_apache_camel_for_spring_boot -
redhat build_of_keycloak -
redhat data_grid 8.0.0
redhat integration_camel_k -
redhat jboss_enterprise_application_platform 7.0.0
redhat jboss_enterprise_application_platform 8.0.0
redhat jboss_fuse 7.0.0
redhat process_automation 7.0
redhat single_sign-on 7.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:build_of_apache_camel_-_hawtio:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "4B1DC0F4-BF84-4399-9487-DEF10CEC3D97",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:build_of_apache_camel_for_spring_boot:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "EDE67672-8894-448B-84B5-3CD3610A8117",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "824BB506-D01A-4C88-AD4A-3C94A2409CD2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:data_grid:8.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "3311F2A9-C028-4765-BF79-BC370D15550C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "B87C8AD3-8878-4546-86C2-BF411876648C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "72A54BDA-311C-413B-8E4D-388AD65A170A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0D8BC03A-4198-4488-946B-3F6B43962942",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B40CCE4F-EA2C-453D-BB76-6388767E5C6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "20A6B40D-F991-4712-8E30-5FE008505CB7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una vulnerabilidad en Undertow donde ProxyProtocolReadListener reutiliza la misma instancia de StringBuilder en m\u00faltiples solicitudes. Este problema ocurre cuando el m\u00e9todo parseProxyProtocolV1 procesa m\u00faltiples solicitudes en la misma conexi\u00f3n HTTP. Como resultado, diferentes solicitudes pueden compartir la misma instancia de StringBuilder, lo que podr\u00eda provocar una fuga de informaci\u00f3n entre solicitudes o respuestas. En algunos casos, un valor de una solicitud o respuesta anterior puede reutilizarse por error, lo que podr\u00eda provocar una exposici\u00f3n no deseada de los datos. Este problema produce principalmente errores y terminaci\u00f3n de la conexi\u00f3n, pero crea un riesgo de fuga de datos en entornos de solicitudes m\u00faltiples."
    }
  ],
  "id": "CVE-2024-7885",
  "lastModified": "2024-12-12T22:15:08.717",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-08-21T14:15:09.500",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:11023"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:6508"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:6883"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:7441"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:7442"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:7735"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:7736"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2024-7885"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2305290"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://security.netapp.com/advisory/ntap-20241011-0004/"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-362"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-11-25 11:15
Modified
2024-11-21 04:18
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2020:0481Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2020:0727Vendor Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174Issue Tracking, Vendor Advisory
secalert@redhat.comhttps://security.netapp.com/advisory/ntap-20220210-0018/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0481Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0727Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20220210-0018/Third Party Advisory
Impacted products
Vendor Product Version
infinispan infinispan *
infinispan infinispan *
redhat fuse 1.0
redhat jboss_data_grid -
redhat jboss_enterprise_application_platform -
redhat openshift_application_runtimes -
redhat single_sign-on -
redhat jboss_enterprise_application_platform 7.2
redhat enterprise_linux 6.0
redhat enterprise_linux 7.0
redhat enterprise_linux 8.0
netapp active_iq_unified_manager -
netapp active_iq_unified_manager -
netapp active_iq_unified_manager -


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:infinispan:infinispan:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EC18B2E6-CC6C-4CA3-9947-C18197CA22C5",
              "versionEndExcluding": "8.2.12",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:infinispan:infinispan:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D776F69C-45D9-4CE6-94AB-1E13AB796677",
              "versionEndExcluding": "9.4.17",
              "versionStartIncluding": "9.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "077732DB-F5F3-4E9C-9AC0-8142AB85B32F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_data_grid:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "2BF03A52-4068-47EA-8846-1E5FB708CE1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "B8423D7F-3A8F-4AD8-BF51-245C9D8DD816",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "ADB40F59-CAAE-47D6-850C-12619D8D5B34",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "341E6313-20D5-44CB-9719-B20585DC5AD6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*",
              "matchCriteriaId": "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*",
              "matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*",
              "matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan\u0027s privileges. The attacker can use reflection to introduce new, malicious behavior into the application."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una vulnerabilidad en Infinispan, de modo que el m\u00e9todo invokeAccessibly de la clase p\u00fablica ReflectionUtil permite que cualquier clase de aplicaci\u00f3n invoque m\u00e9todos privados en cualquier clase con los privilegios de Infinispan. El atacante puede usar la reflexi\u00f3n para introducir un nuevo comportamiento malicioso en la aplicaci\u00f3n."
    }
  ],
  "id": "CVE-2019-10174",
  "lastModified": "2024-11-21T04:18:34.940",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 5.9,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-11-25T11:15:10.823",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2020:0481"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2020:0727"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20220210-0018/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2020:0481"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2020:0727"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20220210-0018/"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-470"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-470"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-05-28 11:15
Modified
2024-11-21 05:21
Severity ?
4.2 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application.
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=1905089Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=1905089Issue Tracking, Vendor Advisory
Impacted products
Vendor Product Version
redhat keycloak *
redhat single_sign-on -
redhat single_sign-on 7.4
redhat single_sign-on 7.4.4


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "859EC983-D6F0-42B2-A6B0-B3887FE4CC00",
              "versionEndExcluding": "12.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "341E6313-20D5-44CB-9719-B20585DC5AD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "F62A7110-16D5-4633-A521-9CECD267773B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.4.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "1381D570-D7C3-4B89-B52A-5948ED624124",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user\u0027s metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 un fallo en Keycloak versiones anteriores a 12.0.0, donde es posible actualizar los atributos de metadatos del usuario usando la API REST de la cuenta.\u0026#xa0;Este fallo permite a un atacante cambiar su propio atributo NameID para hacerse pasar por el usuario administrador de cualquier aplicaci\u00f3n en particular"
    }
  ],
  "id": "CVE-2020-27826",
  "lastModified": "2024-11-21T05:21:53.147",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.9,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.2,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 2.5,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-05-28T11:15:07.670",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1905089"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1905089"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-250"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-03-27 22:15
Modified
2025-02-24 20:15
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
A flaw was found in the Keycloak Node.js Adapter. This flaw allows an attacker to benefit from an Open Redirect vulnerability in the checkSso function.
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2097007Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=2097007Issue Tracking, Vendor Advisory
Impacted products
Vendor Product Version
redhat keycloak_node.js_adapter -
redhat single_sign-on 7.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak_node.js_adapter:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "D7F0D638-83CE-4F73-B98E-87A36A73F1C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in the Keycloak Node.js Adapter. This flaw allows an attacker to benefit from an Open Redirect vulnerability in the checkSso function."
    }
  ],
  "id": "CVE-2022-2237",
  "lastModified": "2025-02-24T20:15:31.973",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2023-03-27T22:15:11.817",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2097007"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2097007"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-09-01 21:15
Modified
2024-11-21 07:01
Severity ?
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Summary
A flaw was found in Undertow. Denial of service can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations.
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2117506Issue Tracking, Vendor Advisory
secalert@redhat.comhttps://security.netapp.com/advisory/ntap-20221014-0006/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=2117506Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20221014-0006/Third Party Advisory
Impacted products
Vendor Product Version
redhat integration_camel_k -
redhat jboss_enterprise_application_platform 7.0.0
redhat jboss_fuse 7.0.0
redhat single_sign-on 7.0
redhat undertow *
redhat undertow 2.3.0
redhat undertow 2.3.0
netapp active_iq_unified_manager -
netapp active_iq_unified_manager -
netapp active_iq_unified_manager -
netapp cloud_secure_agent -
netapp oncommand_insight -
netapp oncommand_workflow_automation -


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "B87C8AD3-8878-4546-86C2-BF411876648C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "72A54BDA-311C-413B-8E4D-388AD65A170A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B40CCE4F-EA2C-453D-BB76-6388767E5C6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AB97356C-3998-431D-892D-F97E2DD8E18D",
              "versionEndIncluding": "2.2.19",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:undertow:2.3.0:alpha1:*:*:*:*:*:*",
              "matchCriteriaId": "F6DD3DE4-9C5D-4768-9414-C63D1D172B7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:undertow:2.3.0:alpha2:*:*:*:*:*:*",
              "matchCriteriaId": "733DA120-19EF-45C2-96C0-C9367DF6EE28",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*",
              "matchCriteriaId": "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*",
              "matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*",
              "matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F0F202E8-97E6-4BBB-A0B6-4CA3F5803C08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F1BE6C1F-2565-4E97-92AA-16563E5660A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "5735E553-9731-4AAC-BCFF-989377F817B3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in Undertow. Denial of service can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations."
    },
    {
      "lang": "es",
      "value": "Se ha encontrado un fallo en Undertow. Puede producirse una denegaci\u00f3n de servicio ya que el servidor de Undertow espera eternamente el LAST_CHUNK para las invocaciones EJB"
    }
  ],
  "id": "CVE-2022-2764",
  "lastModified": "2024-11-21T07:01:39.693",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 4.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-09-01T21:15:09.807",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20221014-0006/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20221014-0006/"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-09-20 15:15
Modified
2024-11-21 07:20
Severity ?
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2022:8961Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2022:8962Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2022:8963Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2022:8964Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2022:8965Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:1043Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:1044Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:1045Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:1047Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:1049Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2022-3916Vendor Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2141404Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2022:8961Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2022:8962Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2022:8963Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2022:8964Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2022:8965Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:1043Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:1044Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:1045Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:1047Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:1049Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/security/cve/CVE-2022-3916Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=2141404Issue Tracking, Vendor Advisory
Impacted products
Vendor Product Version
redhat keycloak *
redhat single_sign-on -
redhat single_sign-on 7.6
redhat enterprise_linux 7.0
redhat enterprise_linux 8.0
redhat enterprise_linux 9.0
redhat openshift_container_platform 4.9
redhat openshift_container_platform 4.10
redhat openshift_container_platform_for_linuxone 4.9
redhat openshift_container_platform_for_linuxone 4.10
redhat openshift_container_platform_for_power 4.9
redhat openshift_container_platform_for_power 4.10
redhat openshift_container_platform_ibm_z_systems 4.9
redhat openshift_container_platform_ibm_z_systems 4.10
redhat enterprise_linux 8.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "53DA67A0-2E85-499E-B8E1-2B12C433BC29",
              "versionEndExcluding": "20.0.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "341E6313-20D5-44CB-9719-B20585DC5AD6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "2DEC61BC-E699-456E-99B6-C049F2A5F23F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "81609549-25CE-4C8A-9DE3-170D23704208",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "0595C9F8-9C7A-4FC1-B7EE-52978A1B1E93",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "B02036DD-4489-480B-B7D4-4EB08952377B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "C7E78C55-45B6-4E01-9773-D3468F8EA9C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "30E2CF79-2D56-48AB-952E-5DDAFE471073",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "54E24055-813B-4E6D-94B7-FAD5F78B8537",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "CC262C4C-7B6A-4117-A50F-1FF69296DDD8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "E58526FB-522F-4AAC-B03C-9CAB443D0CFF",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una falla en el alcance offline_access en Keycloak. Este problema afectar\u00eda m\u00e1s a los usuarios de ordenadores compartidos (especialmente si las cookies no se borran), debido a la falta de validaci\u00f3n de la sesi\u00f3n root y a la reutilizaci\u00f3n de los identificadores de sesi\u00f3n en las sesiones de autenticaci\u00f3n de usuario y root. Esto permite a un atacante resolver una sesi\u00f3n de usuario adjunta a un usuario previamente autenticado; al utilizar el token de actualizaci\u00f3n, se les emitir\u00e1 un token para el usuario original."
    }
  ],
  "id": "CVE-2022-3916",
  "lastModified": "2024-11-21T07:20:31.480",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 5.2,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-09-20T15:15:11.583",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2022:8961"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2022:8962"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2022:8963"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2022:8964"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2022:8965"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:1043"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:1044"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:1045"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:1047"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:1049"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2022-3916"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2022:8961"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2022:8962"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2022:8963"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2022:8964"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2022:8965"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:1043"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:1044"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:1045"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:1047"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:1049"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2022-3916"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-384"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-613"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-01-23 17:15
Modified
2024-11-21 04:27
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2020:0729Third Party Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14888Issue Tracking, Vendor Advisory
secalert@redhat.comhttps://security.netapp.com/advisory/ntap-20220211-0001/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0729Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14888Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20220211-0001/Third Party Advisory
Impacted products
Vendor Product Version
redhat undertow *
redhat jboss_data_grid -
redhat jboss_data_grid 7.0.0
redhat jboss_enterprise_application_platform 7.0.0
redhat jboss_fuse 6.0.0
redhat jboss_fuse 7.0.0
redhat single_sign-on 7.0
netapp active_iq_unified_manager -
netapp active_iq_unified_manager -
netapp active_iq_unified_manager -


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "15A116E1-B5F3-4897-BD1B-59419E7A09C3",
              "versionEndIncluding": "2.0.28",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_data_grid:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "2BF03A52-4068-47EA-8846-1E5FB708CE1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "CD354E32-A8B0-484C-B4C6-9FBCD3430D2D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "72A54BDA-311C-413B-8E4D-388AD65A170A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_fuse:6.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A305F012-544E-4245-9D69-1C8CD37748B1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B40CCE4F-EA2C-453D-BB76-6388767E5C6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*",
              "matchCriteriaId": "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*",
              "matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*",
              "matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL."
    },
    {
      "lang": "es",
      "value": "Se detect\u00f3 una vulnerabilidad en el servidor HTTP Undertow en versiones anteriores a 2.0.28.SP1, al escuchar sobre HTTPS. Un atacante puede apuntar al puerto HTTPS para llevar a cabo una Denegaci\u00f3n de Servicio (DOS) para hacer que el servicio no est\u00e9 disponible en SSL."
    }
  ],
  "id": "CVE-2019-14888",
  "lastModified": "2024-11-21T04:27:36.977",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-01-23T17:15:11.767",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2020:0729"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14888"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20220211-0001/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2020:0729"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14888"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20220211-0001/"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-12-12 22:15
Modified
2025-06-25 01:15
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by mod_cluster in httpd, causing JBoss EAP to close the TCP connection without returning an AJP response. This happens because mod_proxy_cluster marks the JBoss EAP instance as an error worker when the TCP connection is closed from the backend after sending the AJP request without receiving an AJP response, and stops forwarding. This issue could allow a malicious user could to repeatedly send requests that exceed the max-header-size, causing a Denial of Service (DoS).
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:4509Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2025:9582
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2025:9583
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2023-5379Vendor Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2242099Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:4509Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/security/cve/CVE-2023-5379Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=2242099Issue Tracking
Impacted products
Vendor Product Version
redhat jboss_enterprise_application_platform -
redhat jboss_enterprise_application_platform 7.0.0
redhat single_sign-on 7.0
redhat undertow -


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "B8423D7F-3A8F-4AD8-BF51-245C9D8DD816",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "72A54BDA-311C-413B-8E4D-388AD65A170A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:undertow:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "8190B427-8350-43AE-8F54-6A40B701C95E",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by mod_cluster in httpd, causing JBoss EAP to close the TCP connection without returning an AJP response. This happens because mod_proxy_cluster marks the JBoss EAP instance as an error worker when the TCP connection is closed from the backend after sending the AJP request without receiving an AJP response, and stops forwarding. This issue could allow a malicious user could to repeatedly send requests that exceed the max-header-size, causing a Denial of Service (DoS)."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una falla en Undertow. Cuando se env\u00eda una solicitud AJP que excede el atributo max-header-size en ajp-listener, mod_cluster marca JBoss EAP en estado de error en httpd, lo que hace que JBoss EAP cierre la conexi\u00f3n TCP sin devolver una respuesta AJP. Esto sucede porque mod_proxy_cluster marca la instancia de JBoss EAP como un trabajador de error cuando la conexi\u00f3n TCP se cierra desde el backend despu\u00e9s de enviar la solicitud AJP sin recibir una respuesta AJP y deja de reenviar. Este problema podr\u00eda permitir que un usuario malintencionado env\u00ede repetidamente solicitudes que superen el tama\u00f1o m\u00e1ximo del encabezado, provocando una Denegaci\u00f3n de Servicio (DoS)."
    }
  ],
  "id": "CVE-2023-5379",
  "lastModified": "2025-06-25T01:15:22.283",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-12-12T22:15:22.410",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:4509"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:9582"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:9583"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2023-5379"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242099"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:4509"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2023-5379"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242099"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-03-21 16:00
Modified
2024-11-21 03:44
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
References
cve@mitre.orghttp://www.securityfocus.com/bid/107585Third Party Advisory, VDB Entry
cve@mitre.orghttps://access.redhat.com/errata/RHBA-2019:0959Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:0782Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:0877Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:1106Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:1107Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:1108Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:1140Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:1782Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:1797Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:1822Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:1823Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:2804Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:2858Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:3002Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:3140Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:3149Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:3892Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:4037Third Party Advisory
cve@mitre.orghttps://bugzilla.redhat.com/show_bug.cgi?id=1671098Issue Tracking, Third Party Advisory
cve@mitre.orghttps://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226aPatch, Third Party Advisory
cve@mitre.orghttps://github.com/FasterXML/jackson-databind/issues/2052Patch, Third Party Advisory
cve@mitre.orghttps://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
cve@mitre.orghttps://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d%40%3Cissues.lucene.apache.org%3E
cve@mitre.orghttps://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
cve@mitre.orghttps://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC/
cve@mitre.orghttps://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
cve@mitre.orghttps://seclists.org/bugtraq/2019/May/68Mailing List, Third Party Advisory
cve@mitre.orghttps://security.netapp.com/advisory/ntap-20190530-0003/Third Party Advisory
cve@mitre.orghttps://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdfTechnical Description, Third Party Advisory
cve@mitre.orghttps://www.debian.org/security/2019/dsa-4452Third Party Advisory
cve@mitre.orghttps://www.oracle.com/security-alerts/cpuapr2020.htmlThird Party Advisory
cve@mitre.orghttps://www.oracle.com/security-alerts/cpuoct2020.htmlThird Party Advisory
cve@mitre.orghttps://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlPatch, Third Party Advisory
cve@mitre.orghttps://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.htmlPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/107585Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHBA-2019:0959Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:0782Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:0877Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:1106Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:1107Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:1108Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:1140Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:1782Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:1797Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:1822Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:1823Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2804Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2858Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:3002Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:3140Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:3149Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:3892Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:4037Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=1671098Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226aPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/FasterXML/jackson-databind/issues/2052Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d%40%3Cissues.lucene.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC/
af854a3a-2127-422b-91ae-364da2661108https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
af854a3a-2127-422b-91ae-364da2661108https://seclists.org/bugtraq/2019/May/68Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20190530-0003/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdfTechnical Description, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.debian.org/security/2019/dsa-4452Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpuapr2020.htmlThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpuoct2020.htmlThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.htmlPatch, Third Party Advisory
Impacted products
Vendor Product Version
fasterxml jackson-databind *
fasterxml jackson-databind *
fasterxml jackson-databind *
fasterxml jackson-databind *
debian debian_linux 9.0
fedoraproject fedora 29
oracle jd_edwards_enterpriseone_tools 9.2
oracle retail_merchandising_system 15.0
redhat automation_manager 7.3.1
redhat decision_manager 7.3.1
redhat jboss_brms 6.4.10
redhat jboss_enterprise_application_platform 7.2.0
redhat openshift_container_platform 3.11
redhat single_sign-on 7.3


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7036DA13-110D-40B3-8494-E361BBF4AFCD",
              "versionEndExcluding": "2.6.7.3",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "44F16CE8-7CAD-4846-A38E-8192D56AB09B",
              "versionEndExcluding": "2.7.9.4",
              "versionStartIncluding": "2.7.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "02EA57F3-507D-4E70-BA77-D235A59C2800",
              "versionEndExcluding": "2.8.11.2",
              "versionStartIncluding": "2.8.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "429C17F2-AB58-4BC0-8EB0-AF3322DDD528",
              "versionEndExcluding": "2.9.6",
              "versionStartIncluding": "2.9.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*",
              "matchCriteriaId": "D100F7CE-FC64-4CC6-852A-6136D72DA419",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "41684398-18A4-4DC6-B8A2-3EBAA0CBF9A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_merchandising_system:15.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "792DF04A-2D1B-40B5-B960-3E7152732EB8",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:automation_manager:7.3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "D44D4F38-4028-4EAA-895C-1E2816FB36EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:decision_manager:7.3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "D5CD928F-C9BA-443F-A46D-4FE7756D936B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_brms:6.4.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "88C5E02F-C70E-41F4-B146-40C88439017A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0952BA1A-5DF9-400F-B01F-C3A398A8A2D4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F87326E-0B56-4356-A889-73D026DB1D4B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "E939A0E0-3437-459E-9FAB-FE42811B1D32",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload."
    },
    {
      "lang": "es",
      "value": "Se ha descubierto un problema en FasterXML jackson-databind, en versiones anteriores a la 2.7.9.4, 2.8.11.2 y 2.9.6. Cuando \"Default Typing\" est\u00e1 habilitado (globalmente o para una propiedad en concreto), el servicio cuenta con el jar Jodd-db (para acceso a la base de datos del framework Jodd) en la ruta de clase; un atacante puede proporcionar un servicio LDAP para acceder y es posible hacer que el servicio ejecute una carga \u00fatil maliciosa."
    }
  ],
  "id": "CVE-2018-12022",
  "lastModified": "2024-11-21T03:44:25.870",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "HIGH",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.1,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 4.9,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-03-21T16:00:12.310",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/107585"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHBA-2019:0959"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:0782"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:0877"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:1106"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:1107"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:1108"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:1140"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:1782"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:1797"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:1822"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:1823"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2804"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2858"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3002"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3140"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3149"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3892"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4037"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671098"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/FasterXML/jackson-databind/issues/2052"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d%40%3Cissues.lucene.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC/"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://seclists.org/bugtraq/2019/May/68"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20190530-0003/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Technical Description",
        "Third Party Advisory"
      ],
      "url": "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2019/dsa-4452"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/107585"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHBA-2019:0959"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:0782"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:0877"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:1106"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:1107"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:1108"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:1140"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:1782"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:1797"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:1822"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:1823"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2804"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2858"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3002"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3140"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3149"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3892"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4037"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671098"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/FasterXML/jackson-databind/issues/2052"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d%40%3Cissues.lucene.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://seclists.org/bugtraq/2019/May/68"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20190530-0003/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Technical Description",
        "Third Party Advisory"
      ],
      "url": "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2019/dsa-4452"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-05-26 16:15
Modified
2024-11-21 04:55
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling.
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10719Issue Tracking, Vendor Advisory
secalert@redhat.comhttps://security.netapp.com/advisory/ntap-20220210-0014/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10719Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20220210-0014/Third Party Advisory
Impacted products
Vendor Product Version
redhat undertow *
netapp oncommand_insight *
redhat fuse 1.0
redhat jboss_enterprise_application_platform -
redhat openshift_application_runtimes -
redhat single_sign-on -
redhat jboss_enterprise_application_platform 7.3
redhat jboss_enterprise_application_platform 7.4
redhat enterprise_linux 8.0
redhat jboss_enterprise_application_platform 7.3
redhat jboss_enterprise_application_platform 7.4
redhat enterprise_linux 7.0
redhat jboss_enterprise_application_platform 7.3
redhat enterprise_linux 6.0
redhat jboss_enterprise_application_platform 7.2
redhat enterprise_linux 8.0
redhat jboss_enterprise_application_platform 7.2
redhat enterprise_linux 7.0
redhat jboss_enterprise_application_platform 7.2
redhat enterprise_linux 6.0
netapp active_iq_unified_manager -
netapp active_iq_unified_manager -
netapp active_iq_unified_manager -
netapp oncommand_workflow_automation -


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "442A396E-2B33-4054-9917-A6041ECCD9D0",
              "versionEndExcluding": "2.1.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:netapp:oncommand_insight:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DED090C2-2AB7-413E-8F55-75EF394AA36A",
              "versionEndExcluding": "7.3.13",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "077732DB-F5F3-4E9C-9AC0-8142AB85B32F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "B8423D7F-3A8F-4AD8-BF51-245C9D8DD816",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "ADB40F59-CAAE-47D6-850C-12619D8D5B34",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "341E6313-20D5-44CB-9719-B20585DC5AD6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "645A908C-18C2-4AB1-ACE7-3969E3A552A5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "645A908C-18C2-4AB1-ACE7-3969E3A552A5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*",
              "matchCriteriaId": "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*",
              "matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*",
              "matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "5735E553-9731-4AAC-BCFF-989377F817B3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling."
    },
    {
      "lang": "es",
      "value": "Se detect\u00f3 un fallo en Undertow en versiones anteriores a 2.1.1.Final, con respecto al procesamiento de peticiones HTTP no v\u00e1lidas con tama\u00f1os de fragmentos grandes. Este fallo permite a un atacante tomar ventaja del tr\u00e1fico no autorizado de peticiones HTTP."
    }
  ],
  "id": "CVE-2020-10719",
  "lastModified": "2024-11-21T04:55:55.363",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 6.4,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-05-26T16:15:12.180",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10719"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20220210-0014/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10719"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20220210-0014/"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-444"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-444"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-06-12 14:29
Modified
2024-11-21 04:18
Severity ?
4.7 (Medium) - CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
5.5 (Medium) - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout . An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access indefinitely.
References
secalert@redhat.comhttp://www.securityfocus.com/bid/108734Third Party Advisory, VDB Entry
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10157Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/108734Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10157Issue Tracking, Vendor Advisory
Impacted products
Vendor Product Version
redhat keycloak *
redhat single_sign-on *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A5894EFD-35C9-43E9-B3EE-58709019135F",
              "versionEndExcluding": "4.8.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2C31CCB1-8234-47D6-9134-F0916AF16F79",
              "versionEndExcluding": "7.3.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "It was found that Keycloak\u0027s Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout . An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access indefinitely."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 que el adaptador Node.js de Keycloak antes de la versi\u00f3n 4.8.3 no verific\u00f3 correctamente el token web recibido del servidor en su cierre de sesi\u00f3n de backchannel. Un atacante con acceso local podr\u00eda usar esto para construir un token web malicioso que establezca un par\u00e1metro NBF que podr\u00eda impedir el acceso de los usuarios de forma indefinida."
    }
  ],
  "id": "CVE-2019-10157",
  "lastModified": "2024-11-21T04:18:32.310",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 2.1,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 4.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 3.6,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-06-12T14:29:02.963",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/108734"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10157"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/108734"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10157"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-345"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-10-04 11:15
Modified
2024-11-21 07:58
Severity ?
5.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Summary
A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client, therefore, access data that belongs to other clients.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:3883Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:3884Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:3885Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:3888Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:3892Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2023-2422Vendor Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2191668Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:3883Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:3884Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:3885Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:3888Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:3892Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/security/cve/CVE-2023-2422Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=2191668Issue Tracking, Vendor Advisory
Impacted products
Vendor Product Version
redhat keycloak -
redhat openshift_container_platform 4.9
redhat openshift_container_platform 4.10
redhat openshift_container_platform 4.11
redhat openshift_container_platform 4.12
redhat single_sign-on 7.6
redhat enterprise_linux 7.0
redhat enterprise_linux 8.0
redhat enterprise_linux 9.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "6E0DE4E1-5D8D-40F3-8AC8-C7F736966158",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "81609549-25CE-4C8A-9DE3-170D23704208",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "0595C9F8-9C7A-4FC1-B7EE-52978A1B1E93",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "EA983F8C-3A06-450A-AEFF-9429DE9A3454",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "40449571-22F8-44FA-B57B-B43F71AB25E2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "2DEC61BC-E699-456E-99B6-C049F2A5F23F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client, therefore, access data that belongs to other clients."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una falla en Keycloak. Un servidor Keycloak configurado para admitir la autenticaci\u00f3n mTLS para clientes OAuth/OpenID no verifica correctamente la cadena de certificados del cliente. Un cliente que posee un certificado adecuado puede autorizarse como cualquier otro cliente, por tanto, acceder a datos que pertenecen a otros clientes."
    }
  ],
  "id": "CVE-2023-2422",
  "lastModified": "2024-11-21T07:58:35.333",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 4.2,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-10-04T11:15:10.157",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:3883"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:3884"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:3885"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:3888"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:3892"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2023-2422"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2191668"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:3883"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:3884"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:3885"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:3888"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:3892"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2023-2422"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2191668"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-295"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-295"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-06-12 14:29
Modified
2024-11-21 04:42
Severity ?
5.4 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
It was found that a SAMLRequest containing a script could be processed by Picketlink versions shipped in Jboss Application Platform 7.2.x and 7.1.x. An attacker could use this to send a malicious script to achieve cross-site scripting and obtain unauthorized information or conduct further attacks.
References
secalert@redhat.comhttp://www.securityfocus.com/bid/108732Third Party Advisory, VDB Entry
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3872Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/108732Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3872Issue Tracking, Vendor Advisory
Impacted products
Vendor Product Version
redhat jboss_enterprise_application_platform 7.2.0
redhat enterprise_linux 6.0
redhat enterprise_linux 7.0
redhat enterprise_linux 8.0
redhat single_sign-on 7.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0952BA1A-5DF9-400F-B01F-C3A398A8A2D4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "It was found that a SAMLRequest containing a script could be processed by Picketlink versions shipped in Jboss Application Platform 7.2.x and 7.1.x. An attacker could use this to send a malicious script to achieve cross-site scripting and obtain unauthorized information or conduct further attacks."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 que  un SAMLRequest que conten\u00eda un script pod\u00eda ser procesado por versiones de Picketlink enviadas en Jboss Application Platform 7.2.xy 7.1.x. Un atacante podr\u00eda usar esto para enviar un script malicioso para lograr scripts entre sitios y obtener informaci\u00f3n no autorizada o lleva  cabo de m\u00e1s ataques."
    }
  ],
  "id": "CVE-2019-3872",
  "lastModified": "2024-11-21T04:42:46.010",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-06-12T14:29:04.667",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/108732"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3872"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/108732"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3872"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-08-23 16:15
Modified
2024-11-21 06:22
Severity ?
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user's credentials. The highest threat from this vulnerability is to confidentiality and integrity.
References
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2021-3827Vendor Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2007512Issue Tracking, Vendor Advisory
secalert@redhat.comhttps://github.com/keycloak/keycloak/commit/44000caaf5051d7f218d1ad79573bd3d175cad0dPatch, Third Party Advisory
secalert@redhat.comhttps://github.com/keycloak/keycloak/security/advisories/GHSA-4pc7-vqv5-5r3vThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/security/cve/CVE-2021-3827Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=2007512Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/keycloak/keycloak/commit/44000caaf5051d7f218d1ad79573bd3d175cad0dPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/keycloak/keycloak/security/advisories/GHSA-4pc7-vqv5-5r3vThird Party Advisory
Impacted products
Vendor Product Version
redhat keycloak *
redhat single_sign-on 7.0
redhat single_sign-on 7.5.0
redhat enterprise_linux 7.0
redhat enterprise_linux 8.0
redhat openshift_container_platform 4.8
redhat openshift_container_platform 4.9
redhat enterprise_linux 8.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EC308493-1A81-4D85-B568-ECAA9AE15A82",
              "versionEndExcluding": "18.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.5.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A69E9AB7-AC48-4448-BE34-68AC0AA0CD46",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:-:*:*:*",
              "matchCriteriaId": "053C1B35-3869-41C2-9551-044182DE0A64",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "91B493F0-5542-49F7-AAAE-E6CA6E468D7B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "81609549-25CE-4C8A-9DE3-170D23704208",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user\u0027s credentials. The highest threat from this vulnerability is to confidentiality and integrity."
    },
    {
      "lang": "es",
      "value": "Se ha encontrado un fallo en keycloak, en el que el flujo de vinculaci\u00f3n ECP por defecto permite omitir otros flujos de autenticaci\u00f3n. Al explotar este comportamiento, un atacante puede omitir la autenticaci\u00f3n MFA mediante el env\u00edo de una petici\u00f3n SOAP con un encabezado AuthnRequest y Authorization con las credenciales del usuario. La mayor amenaza de esta vulnerabilidad es para la confidencialidad y la integridad."
    }
  ],
  "id": "CVE-2021-3827",
  "lastModified": "2024-11-21T06:22:33.163",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-08-23T16:15:10.030",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2021-3827"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2007512"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/keycloak/keycloak/commit/44000caaf5051d7f218d1ad79573bd3d175cad0d"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-4pc7-vqv5-5r3v"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2021-3827"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2007512"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/keycloak/keycloak/commit/44000caaf5051d7f218d1ad79573bd3d175cad0d"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-4pc7-vqv5-5r3v"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-10-06 14:15
Modified
2024-11-21 05:18
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A memory leak flaw was found in WildFly OpenSSL in versions prior to 1.1.3.Final, where it removes an HTTP session. It may allow the attacker to cause OOM leading to a denial of service. The highest threat from this vulnerability is to system availability.
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=1885485Issue Tracking, Patch, Vendor Advisory
secalert@redhat.comhttps://github.com/wildfly-security/wildfly-openssl-natives/pull/4/filesPatch, Third Party Advisory
secalert@redhat.comhttps://issues.redhat.com/browse/WFSSL-51Permissions Required, Vendor Advisory
secalert@redhat.comhttps://security.netapp.com/advisory/ntap-20201016-0004/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=1885485Issue Tracking, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/wildfly-security/wildfly-openssl-natives/pull/4/filesPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://issues.redhat.com/browse/WFSSL-51Permissions Required, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20201016-0004/Third Party Advisory
Impacted products
Vendor Product Version
redhat wildfly_openssl *
redhat data_grid 8.0
redhat jboss_data_grid 7.0.0
redhat jboss_enterprise_application_platform 7.0.0
redhat jboss_fuse 7.0.0
redhat openshift_application_runtimes -
redhat single_sign-on 7.0
netapp oncommand_insight -
netapp oncommand_workflow_automation -
netapp service_level_manager -


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:wildfly_openssl:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "290F30D1-B0BF-42C3-B5EC-09746D88C2C6",
              "versionEndExcluding": "1.1.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:data_grid:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7095200A-4DAC-4433-99E8-86CA88E1E4D4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "CD354E32-A8B0-484C-B4C6-9FBCD3430D2D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "72A54BDA-311C-413B-8E4D-388AD65A170A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B40CCE4F-EA2C-453D-BB76-6388767E5C6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A33441B3-B301-426C-A976-08CE5FE72EFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F1BE6C1F-2565-4E97-92AA-16563E5660A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "5735E553-9731-4AAC-BCFF-989377F817B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:service_level_manager:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "7081652A-D28B-494E-94EF-CA88117F23EE",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A memory leak flaw was found in WildFly OpenSSL in versions prior to 1.1.3.Final, where it removes an HTTP session. It may allow the attacker to cause OOM leading to a denial of service. The highest threat from this vulnerability is to system availability."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 un fallo de p\u00e9rdida de memoria en WildFly OpenSSL en versiones anteriores a 1.1.3.Final, donde se elimina una sesi\u00f3n HTTP.\u0026#xa0;Puede permitir a un atacante causar OOM conllevando a una denegaci\u00f3n de servicio.\u0026#xa0;La mayor amenaza de esta vulnerabilidad es la disponibilidad del sistema"
    }
  ],
  "id": "CVE-2020-25644",
  "lastModified": "2024-11-21T05:18:19.370",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-10-06T14:15:12.760",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1885485"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wildfly-security/wildfly-openssl-natives/pull/4/files"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://issues.redhat.com/browse/WFSSL-51"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20201016-0004/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1885485"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/wildfly-security/wildfly-openssl-natives/pull/4/files"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://issues.redhat.com/browse/WFSSL-51"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20201016-0004/"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-401"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-401"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-12-14 18:15
Modified
2024-11-21 08:44
Severity ?
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Summary
An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:7854Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:7855Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:7856Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:7857Exploit
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:7858Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2023-6563Vendor Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2253308Issue Tracking
secalert@redhat.comhttps://github.com/keycloak/keycloak/issues/13340Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:7854Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:7855Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:7856Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:7857Exploit
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:7858Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/security/cve/CVE-2023-6563Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=2253308Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://github.com/keycloak/keycloak/issues/13340Issue Tracking
Impacted products
Vendor Product Version
redhat keycloak *
redhat single_sign-on 7.6
redhat enterprise_linux 7.0
redhat enterprise_linux 8.0
redhat enterprise_linux 9.0
redhat single_sign-on -
redhat openshift_container_platform 4.11
redhat openshift_container_platform 4.12
redhat enterprise_linux 8.0
redhat openshift_container_platform_for_power 4.9
redhat openshift_container_platform_for_power 4.10
redhat enterprise_linux 8.0
redhat openshift_container_platform_for_ibm_linuxone 4.9
redhat openshift_container_platform_for_ibm_linuxone 4.10
redhat enterprise_linux 8.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DD663F41-3B6D-4AF0-9ABA-1F3BF292C632",
              "versionEndExcluding": "21.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "2DEC61BC-E699-456E-99B6-C049F2A5F23F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "341E6313-20D5-44CB-9719-B20585DC5AD6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "EA983F8C-3A06-450A-AEFF-9429DE9A3454",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "40449571-22F8-44FA-B57B-B43F71AB25E2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "30E2CF79-2D56-48AB-952E-5DDAFE471073",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "54E24055-813B-4E6D-94B7-FAD5F78B8537",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_ibm_linuxone:4.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "8C519B1A-1CD6-426C-9339-F28E4FEF581B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_ibm_linuxone:4.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "91EE3858-A648-44B4-B282-8F808D88D3B9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (\u003e 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the \"consents\" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system."
    },
    {
      "lang": "es",
      "value": "Se descubri\u00f3 una vulnerabilidad de consumo de memoria sin restricciones en Keycloak. Se puede activar en entornos que tienen millones de tokens fuera de l\u00ednea (\u0026gt; 500.000 usuarios, cada uno con al menos 2 sesiones guardadas). Si un atacante crea dos o m\u00e1s sesiones de usuario y luego abre la pesta\u00f1a \"consentimientos\" de la interfaz de usuario del administrador, la interfaz de usuario intenta cargar una gran cantidad de sesiones de clientes fuera de l\u00ednea, lo que genera un consumo excesivo de memoria y CPU, lo que potencialmente podr\u00eda bloquear todo el sistema."
    }
  ],
  "id": "CVE-2023-6563",
  "lastModified": "2024-11-21T08:44:06.483",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 4.0,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 4.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-12-14T18:15:45.540",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:7854"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:7855"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:7856"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Exploit"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:7857"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:7858"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2023-6563"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253308"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/keycloak/keycloak/issues/13340"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:7854"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:7855"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:7856"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:7857"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:7858"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2023-6563"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253308"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/keycloak/keycloak/issues/13340"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-05-11 21:15
Modified
2024-11-21 05:11
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section.
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1724Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1724Issue Tracking, Vendor Advisory
Impacted products
Vendor Product Version
redhat keycloak *
redhat openshift_application_runtimes -
redhat single_sign-on 7.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CB33B1DA-11E2-4378-B6F8-81BB5A556262",
              "versionEndExcluding": "9.0.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A33441B3-B301-426C-A976-08CE5FE72EFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 un fallo en Keycloak en versiones anteriores a 9.0.2. Este fallo permite a un usuario malicioso que actualmente est\u00e1 registrado, visualizar la informaci\u00f3n personal de un usuario que previamente a cerrado sesi\u00f3n en la secci\u00f3n del administrador de la cuenta."
    }
  ],
  "id": "CVE-2020-1724",
  "lastModified": "2024-11-21T05:11:14.767",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-05-11T21:15:11.487",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1724"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1724"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-613"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-613"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-07-24 16:15
Modified
2024-11-21 05:02
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
A flaw was discovered in Wildfly's EJB Client as shipped with Red Hat JBoss EAP 7, where some specific EJB transaction objects may get accumulated over the time and can cause services to slow down and eventaully unavailable. An attacker can take advantage and cause denial of service attack and make services unavailable.
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14297Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14297Issue Tracking, Third Party Advisory
Impacted products
Vendor Product Version
redhat amq 2.0
redhat jboss-ejb-client *
redhat jboss_enterprise_application_platform_continuous_delivery -
redhat jboss_fuse 6.0.0
redhat openshift_application_runtimes -
redhat single_sign-on 7.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:amq:2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B6D3AF88-5812-4BB6-871F-C0EA39AD66AE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss-ejb-client:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "09D26C4C-4795-4D49-BA57-7242324B8E2A",
              "versionEndExcluding": "4.0.34",
              "versionStartIncluding": "1.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform_continuous_delivery:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "BEFE06C8-4BF0-4EC0-A848-BF16CFCCDA57",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_fuse:6.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A305F012-544E-4245-9D69-1C8CD37748B1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A33441B3-B301-426C-A976-08CE5FE72EFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was discovered in Wildfly\u0027s EJB Client as shipped with Red Hat JBoss EAP 7, where some specific EJB transaction objects may get accumulated over the time and can cause services to slow down and eventaully unavailable. An attacker can take advantage and cause denial of service attack and make services unavailable."
    },
    {
      "lang": "es",
      "value": "Se detect\u00f3 un fallo en Wildfly\u0027s EJB Client que se incluy\u00f3 con Red Hat JBoss EAP 7, donde algunos objetos de transacci\u00f3n EJB espec\u00edficos pueden ser acumulados con el tiempo y pueden causar que los servicios se ralenticen y eventualmente no est\u00e9n disponibles. Un atacante puede tomar ventaja y causar un ataque de denegaci\u00f3n de servicio y hacer que los servicios no est\u00e9n disponibles"
    }
  ],
  "id": "CVE-2020-14297",
  "lastModified": "2024-11-21T05:02:57.103",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 4.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-07-24T16:15:11.803",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14297"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14297"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Secondary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-10-14 15:15
Modified
2024-11-21 04:27
Severity ?
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Summary
A flaw was found in wildfly-core before 7.2.5.GA. The Management users with Monitor, Auditor and Deployer Roles should not be allowed to modify the runtime state of the server
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2019:3082Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2019:3083Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2019:4018Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2019:4019Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2019:4020Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2019:4021Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2019:4040Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2019:4041Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2019:4042Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2019:4045Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2020:0728Vendor Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14838Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:3082Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:3083Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:4018Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:4019Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:4020Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:4021Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:4040Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:4041Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:4042Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:4045Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0728Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14838Issue Tracking, Vendor Advisory
Impacted products
Vendor Product Version
redhat wildfly_core 7.0.0
redhat wildfly_core 7.0.0
redhat wildfly_core 7.0.0
redhat wildfly_core 7.0.0
redhat wildfly_core 7.0.0
redhat wildfly_core 7.0.0
redhat wildfly_core 7.0.0
redhat wildfly_core 7.0.0
redhat jboss_enterprise_application_platform 7.2.0
redhat jboss_enterprise_application_platform 7.2.5
redhat jboss_enterprise_application_platform 7.3.0
redhat single_sign-on 7.3.5
redhat enterprise_linux 6.0
redhat enterprise_linux 7.0
redhat enterprise_linux 8.0
redhat data_grid 7.3.4
redhat jboss_enterprise_application_platform 7.2.4


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:wildfly_core:7.0.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "15258168-5CD0-4A8B-A5D0-896CA3397D28",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:wildfly_core:7.0.0:alpha1:*:*:*:*:*:*",
              "matchCriteriaId": "681EBC09-DC0D-4413-AEA3-14186A5A19B1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:wildfly_core:7.0.0:alpha2:*:*:*:*:*:*",
              "matchCriteriaId": "03CA82EE-605B-4F36-A4F2-E467111C681C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:wildfly_core:7.0.0:alpha3:*:*:*:*:*:*",
              "matchCriteriaId": "D8FED501-3BB4-4AD2-BB86-63D4BAC2D3C2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:wildfly_core:7.0.0:alpha4:*:*:*:*:*:*",
              "matchCriteriaId": "F9C02C47-FE34-43C9-A15A-5B9817AE0DD3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:wildfly_core:7.0.0:alpha5:*:*:*:*:*:*",
              "matchCriteriaId": "AB09A234-34F4-40CB-A581-FB47B10A5839",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:wildfly_core:7.0.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "3D27164A-5C05-4F75-ACDB-4F45EE32402C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:wildfly_core:7.0.0:cr1:*:*:*:*:*:*",
              "matchCriteriaId": "A5C2FAE9-4EFE-4314-B4DB-0AD09229CB05",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0952BA1A-5DF9-400F-B01F-C3A398A8A2D4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "1264FC76-49A5-4610-BAE9-207DFB114D67",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "8B157A2D-3422-4224-82D9-15AB3B989075",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.3.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "AA806B33-C9E9-424E-8F77-7BF176BF973B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:data_grid:7.3.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "68D80172-F9D2-4564-8493-C500DD20CBDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "9C50E1E7-9026-4A0C-95FF-16706128F672",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in wildfly-core before 7.2.5.GA. The Management users with Monitor, Auditor and Deployer Roles should not be allowed to modify the runtime state of the server"
    },
    {
      "lang": "es",
      "value": "Se detect\u00f3 un error en wildfly-core en versiones anteriores a la 7.2.5.GA. Los usuarios de administraci\u00f3n con funciones de monitor, auditor e implementador no deber\u00edan poder modificar el estado de tiempo de ejecuci\u00f3n del servidor"
    }
  ],
  "id": "CVE-2019-14838",
  "lastModified": "2024-11-21T04:27:28.240",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 5.2,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 0.9,
        "impactScore": 4.2,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-10-14T15:15:09.710",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3082"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3083"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4018"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4019"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4020"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4021"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4040"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4041"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4042"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4045"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2020:0728"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14838"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3082"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3083"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4018"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4019"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4020"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4021"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4040"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4041"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4042"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4045"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2020:0728"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14838"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-269"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-09-27 15:18
Modified
2024-11-21 08:16
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it's possible to bypass the limit by setting the file name in the request to null.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:4505Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:4506Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:4507Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:4509Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:4918Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:4919Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:4920Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:4921Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:4924Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:7247
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2023-3223Vendor Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2209689Issue Tracking, Vendor Advisory
secalert@redhat.comhttps://security.netapp.com/advisory/ntap-20231027-0004/
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:4505Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:4506Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:4507Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:4509Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:4918Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:4919Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:4920Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:4921Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:4924Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:7247
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/security/cve/CVE-2023-3223Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=2209689Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20231027-0004/
Impacted products
Vendor Product Version
redhat undertow *
redhat openshift_container_platform 4.11
redhat openshift_container_platform 4.12
redhat openshift_container_platform_for_ibm_linuxone 4.9
redhat openshift_container_platform_for_ibm_linuxone 4.10
redhat openshift_container_platform_for_power 4.9
redhat openshift_container_platform_for_power 4.10
redhat enterprise_linux 8.0
redhat jboss_enterprise_application_platform_text-only_advisories -
redhat single_sign-on -
redhat single_sign-on 7.6
redhat enterprise_linux 7.0
redhat enterprise_linux 8.0
redhat enterprise_linux 9.0
redhat jboss_enterprise_application_platform 7.4
redhat enterprise_linux 7.0
redhat enterprise_linux 8.0
redhat enterprise_linux 9.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "ADFD3441-27E7-4993-9EB5-586534A49865",
              "versionEndExcluding": "2.2.24",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "EA983F8C-3A06-450A-AEFF-9429DE9A3454",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "40449571-22F8-44FA-B57B-B43F71AB25E2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_ibm_linuxone:4.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "8C519B1A-1CD6-426C-9339-F28E4FEF581B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_ibm_linuxone:4.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "91EE3858-A648-44B4-B282-8F808D88D3B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "30E2CF79-2D56-48AB-952E-5DDAFE471073",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "54E24055-813B-4E6D-94B7-FAD5F78B8537",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform_text-only_advisories:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "81E5B0F1-E150-4F22-9A9C-FB477540874C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "341E6313-20D5-44CB-9719-B20585DC5AD6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "2DEC61BC-E699-456E-99B6-C049F2A5F23F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "645A908C-18C2-4AB1-ACE7-3969E3A552A5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it\u0027s possible to bypass the limit by setting the file name in the request to null."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una falla en el undertow. Los servlets anotados con @MultipartConfig pueden causar un OutOfMemoryError debido a un gran contenido multiparte. Esto puede permitir que usuarios no autorizados provoquen un ataque remoto de denegaci\u00f3n de servicio (DoS). Si el servidor usa fileSizeThreshold para limitar el tama\u00f1o del archivo, es posible evitar el l\u00edmite estableciendo el nombre del archivo en la solicitud en nulo."
    }
  ],
  "id": "CVE-2023-3223",
  "lastModified": "2024-11-21T08:16:44.037",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-09-27T15:18:56.457",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:4505"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:4506"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:4507"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:4509"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:4918"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:4919"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:4920"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:4921"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:4924"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2023:7247"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2023-3223"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2209689"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://security.netapp.com/advisory/ntap-20231027-0004/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:4505"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:4506"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:4507"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:4509"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:4918"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:4919"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:4920"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:4921"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:4924"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2023:7247"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2023-3223"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2209689"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://security.netapp.com/advisory/ntap-20231027-0004/"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-789"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-02-10 15:15
Modified
2024-11-21 05:11
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user could create URLs to trick users in other realms, and possibly conduct further attacks.
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1697Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1697Issue Tracking, Third Party Advisory
Impacted products
Vendor Product Version
redhat keycloak *
redhat single_sign-on 7.3


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5BB41E7C-AE34-41FF-AD28-573D002945FB",
              "versionEndExcluding": "9.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "E939A0E0-3437-459E-9FAB-FE42811B1D32",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user could create URLs to trick users in other realms, and possibly conduct further attacks."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 en todas las versiones de keycloak anteriores a 9.0.0 que los enlaces de aplicaciones externas (Application Links) en la consola de administraci\u00f3n no est\u00e1n validados apropiadamente y podr\u00edan permitir ataques de tipo XSS almacenado. Un usuario malicioso autorizado podr\u00eda crear una URL para enga\u00f1ar a los usuarios en otras esferas y posiblemente conducir nuevos ataques."
    }
  ],
  "id": "CVE-2020-1697",
  "lastModified": "2024-11-21T05:11:11.520",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-02-10T15:15:21.497",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1697"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1697"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-07-25 21:15
Modified
2024-11-21 04:18
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2019:2935Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2019:2936Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2019:2937Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2019:2938Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2019:2998Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2019:3044Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2019:3045Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2019:3046Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2019:3050Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2020:0727Vendor Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10184Issue Tracking, Vendor Advisory
secalert@redhat.comhttps://github.com/undertow-io/undertow/pull/794Patch, Third Party Advisory
secalert@redhat.comhttps://security.netapp.com/advisory/ntap-20220210-0016/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2935Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2936Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2937Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2938Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2998Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:3044Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:3045Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:3046Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:3050Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0727Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10184Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/undertow-io/undertow/pull/794Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20220210-0016/Third Party Advisory
Impacted products
Vendor Product Version
redhat undertow *
redhat jboss_data_grid -
redhat jboss_enterprise_application_platform -
redhat jboss_enterprise_application_platform 7.0.0
redhat openshift_application_runtimes -
redhat openshift_application_runtimes 1.0
redhat single_sign-on -
redhat single_sign-on 7.0
redhat jboss_enterprise_application_platform 7.2
redhat jboss_enterprise_application_platform 7.3
redhat jboss_enterprise_application_platform 7.4
redhat enterprise_linux 8.0
redhat jboss_enterprise_application_platform 7.2
redhat jboss_enterprise_application_platform 7.3
redhat jboss_enterprise_application_platform 7.4
redhat enterprise_linux 7.0
redhat jboss_enterprise_application_platform 7.2
redhat jboss_enterprise_application_platform 7.3
redhat enterprise_linux 6.0
redhat single_sign-on 7.3
redhat enterprise_linux 8.0
redhat single_sign-on 7.3
redhat enterprise_linux 7.0
redhat single_sign-on 7.3
redhat enterprise_linux 6.0
netapp active_iq_unified_manager -
netapp active_iq_unified_manager -
netapp active_iq_unified_manager -


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AE049D0E-4028-4558-B08B-92D3A0716A93",
              "versionEndExcluding": "2.0.23",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_data_grid:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "2BF03A52-4068-47EA-8846-1E5FB708CE1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "B8423D7F-3A8F-4AD8-BF51-245C9D8DD816",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "72A54BDA-311C-413B-8E4D-388AD65A170A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "ADB40F59-CAAE-47D6-850C-12619D8D5B34",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "183C1FAB-3101-4155-BAA4-819EE997E436",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "341E6313-20D5-44CB-9719-B20585DC5AD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "645A908C-18C2-4AB1-ACE7-3969E3A552A5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "645A908C-18C2-4AB1-ACE7-3969E3A552A5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "E939A0E0-3437-459E-9FAB-FE42811B1D32",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "E939A0E0-3437-459E-9FAB-FE42811B1D32",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "E939A0E0-3437-459E-9FAB-FE42811B1D32",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*",
              "matchCriteriaId": "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*",
              "matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*",
              "matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api."
    },
    {
      "lang": "es",
      "value": "Undertow en versiones anteriores a la 2.0.23.Final es vulnerable a un problema de fuga de informaci\u00f3n. Las aplicaciones web pueden tener sus estructuras de directorio predecibles a trav\u00e9s de solicitudes sin barras finales mediante la API."
    }
  ],
  "id": "CVE-2019-10184",
  "lastModified": "2024-11-21T04:18:36.287",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-07-25T21:15:11.473",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2935"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2936"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2937"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2938"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2998"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3044"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3045"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3046"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3050"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2020:0727"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10184"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/undertow-io/undertow/pull/794"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20220210-0016/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2935"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2936"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2937"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2938"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2998"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3044"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3045"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3046"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3050"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2020:0727"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10184"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/undertow-io/undertow/pull/794"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20220210-0016/"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-12-14 22:15
Modified
2024-11-21 08:43
Severity ?
4.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:7854Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:7855Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:7856Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:7857Exploit, Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:7858Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:7860Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:7861Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:0798
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:0799
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:0800
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:0801
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:0804
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2023-6134Vendor Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2249673Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:7854Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:7855Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:7856Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:7857Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:7858Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:7860Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:7861Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:0798
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:0799
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:0800
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:0801
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:0804
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/security/cve/CVE-2023-6134Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=2249673Issue Tracking
Impacted products
Vendor Product Version
redhat single_sign-on *
redhat enterprise_linux 7.0
redhat enterprise_linux 8.0
redhat enterprise_linux 9.0
redhat keycloak *
redhat openshift_container_platform 4.11
redhat openshift_container_platform 4.12
redhat enterprise_linux 8.0
redhat openshift_container_platform_for_power 4.9
redhat openshift_container_platform_for_power 4.10
redhat enterprise_linux 8.0
redhat openshift_container_platform_ibm_z_systems 4.9
redhat openshift_container_platform_ibm_z_systems 4.10
redhat enterprise_linux 8.0
redhat single_sign-on -


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "700E09EA-C73C-4F05-9B7D-D4894C29AEC9",
              "versionEndExcluding": "7.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "66A01C0F-CB27-4A62-9B86-C35CCD605AB6",
              "versionEndExcluding": "22.0.7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "EA983F8C-3A06-450A-AEFF-9429DE9A3454",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "40449571-22F8-44FA-B57B-B43F71AB25E2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "30E2CF79-2D56-48AB-952E-5DDAFE471073",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "54E24055-813B-4E6D-94B7-FAD5F78B8537",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "CC262C4C-7B6A-4117-A50F-1FF69296DDD8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "E58526FB-522F-4AAC-B03C-9CAB443D0CFF",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "341E6313-20D5-44CB-9719-B20585DC5AD6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una falla en Keycloak que impide ciertos esquemas en las redirecciones, pero los permite si se agrega un comod\u00edn al token. Este problema podr\u00eda permitir que un atacante env\u00ede una solicitud especialmente manipulada que d\u00e9 lugar a cross-site scripting (XSS) o m\u00e1s ataques. Esta falla es el resultado de una soluci\u00f3n incompleta para CVE-2020-10748."
    }
  ],
  "id": "CVE-2023-6134",
  "lastModified": "2024-11-21T08:43:12.193",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.6,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 2.5,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-12-14T22:15:44.087",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:7854"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:7855"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:7856"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:7857"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:7858"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:7860"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:7861"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:0798"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:0799"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:0800"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:0801"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:0804"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2023-6134"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2249673"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:7854"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:7855"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:7856"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:7857"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:7858"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:7860"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:7861"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2024:0798"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2024:0799"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2024:0800"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2024:0801"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2024:0804"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2023-6134"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2249673"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-04-21 17:15
Modified
2024-11-21 05:11
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass.
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1757Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1757Issue Tracking, Vendor Advisory
Impacted products
Vendor Product Version
redhat undertow *
redhat undertow 2.0.0
redhat undertow 2.0.25
redhat undertow 2.0.26
redhat undertow 2.0.28
redhat undertow 2.0.28
redhat jboss_data_grid 7.0.0
redhat jboss_enterprise_application_platform 7.0.0
redhat jboss_fuse 6.0.0
redhat jboss_fuse 7.0.0
redhat openshift_application_runtimes -
redhat single_sign-on 7.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EDBDBF5-063C-46B8-B20B-C0508D2C7333",
              "versionEndExcluding": "2.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:undertow:2.0.0:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "242ADB09-4679-419A-B7D8-CB97BC4914A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:undertow:2.0.25:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "E2AFB127-09B5-4C57-9FBC-D9EF99A20629",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:undertow:2.0.26:sp3:*:*:*:*:*:*",
              "matchCriteriaId": "8A26525F-D91D-4009-84DA-A9A9646AF483",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:undertow:2.0.28:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "BEDBD1BC-081D-436C-AF09-B3754C1EF6E2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:undertow:2.0.28:sp2:*:*:*:*:*:*",
              "matchCriteriaId": "5F06B9E4-1F1E-436E-B515-2A9950545034",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "CD354E32-A8B0-484C-B4C6-9FBCD3430D2D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "72A54BDA-311C-413B-8E4D-388AD65A170A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_fuse:6.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A305F012-544E-4245-9D69-1C8CD37748B1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B40CCE4F-EA2C-453D-BB76-6388767E5C6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A33441B3-B301-426C-A976-08CE5FE72EFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 un fallo en todas las versiones undertow-2.x.x SP1 anteriores a undertow-2.0.30.SP1, en todas las versiones undertow-1.x.x y versiones undertow-2.x.x anteriores a undertow-2.1.0.Final, donde el contenedor de servlets causa que servletPath se normalice incorrectamente al truncar la ruta despu\u00e9s del punto y coma, lo que puede conllevar a un mapeo de la aplicaci\u00f3n resultando en la omisi\u00f3n de la seguridad."
    }
  ],
  "id": "CVE-2020-1757",
  "lastModified": "2024-11-21T05:11:19.333",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-04-21T17:15:12.957",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1757"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1757"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        },
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-11-02 21:15
Modified
2024-11-21 05:18
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability.
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25689Exploit, Issue Tracking, Patch, Vendor Advisory
secalert@redhat.comhttps://security.netapp.com/advisory/ntap-20201123-0006/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25689Exploit, Issue Tracking, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20201123-0006/Third Party Advisory
Impacted products
Vendor Product Version
redhat wildfly *
redhat fuse 6.0.0
redhat jboss_data_grid 7.0.0
redhat jboss_enterprise_application_platform 7.0.0
redhat jboss_fuse 7.0.0
redhat openshift_application_runtimes -
redhat single_sign-on 7.0
netapp active_iq_unified_manager -
netapp active_iq_unified_manager -
netapp active_iq_unified_manager -
netapp oncommand_insight -
netapp service_level_manager -


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:wildfly:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "03BD2B88-A2AB-479B-8AE9-EB044A920A43",
              "versionEndIncluding": "21.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:fuse:6.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "FD89A07A-0277-43E8-9363-F77A43C89406",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "CD354E32-A8B0-484C-B4C6-9FBCD3430D2D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "72A54BDA-311C-413B-8E4D-388AD65A170A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B40CCE4F-EA2C-453D-BB76-6388767E5C6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A33441B3-B301-426C-A976-08CE5FE72EFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*",
              "matchCriteriaId": "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*",
              "matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*",
              "matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F1BE6C1F-2565-4E97-92AA-16563E5660A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:service_level_manager:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "7081652A-D28B-494E-94EF-CA88117F23EE",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una fallo de filtrado de memoria en WildFly en todas las versiones hasta 21.0.0.Final, donde el controlador de host intenta reconectarse en un bucle, generando nuevas conexiones que no son cerradas apropiadamente mientras no es capaz de conectar al controlador de dominio.\u0026#xa0;Este fallo permite a un atacante causar un problema de Falta de Memoria (OOM), conllevando a una denegaci\u00f3n de servicio.\u0026#xa0;La mayor amenaza de esta vulnerabilidad es la disponibilidad del sistema"
    }
  ],
  "id": "CVE-2020-25689",
  "lastModified": "2024-11-21T05:18:28.603",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 6.8,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 3.6,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-11-02T21:15:27.647",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25689"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20201123-0006/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25689"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20201123-0006/"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-401"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-401"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Secondary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-11-07 10:15
Modified
2025-06-24 13:07
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render an invalid html, allowing HTML injection or Cross-Site-Scripting (XSS) attacks.
References
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2023-1932Vendor Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=1809444Issue Tracking, Vendor Advisory
Impacted products
Vendor Product Version
redhat codeready_studio 12.0
redhat jboss_enterprise_application_platform -
redhat jboss_enterprise_application_platform 7.0.0
redhat openstack_platform 13.0
redhat single_sign-on 7.0
hibernate hibernate-validator *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:codeready_studio:12.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "1BAF877F-B8D5-4313-AC5C-26BB82006B30",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:continuous_delivery:*:*:*",
              "matchCriteriaId": "826F79C3-2106-46A3-9842-9ED8704723CE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "72A54BDA-311C-413B-8E4D-388AD65A170A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openstack_platform:13.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C52600BF-9E87-4CD2-91F3-685AFE478C1E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:hibernate:hibernate-validator:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9BF5ED10-9CD5-4CC2-A379-678E602A8C2B",
              "versionEndExcluding": "6.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in hibernate-validator\u0027s \u0027isValid\u0027 method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render an invalid html, allowing HTML injection or Cross-Site-Scripting (XSS) attacks."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una falla en el m\u00e9todo \u0027isValid\u0027 de hibernate-validator en la clase org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator, que se puede evitar omitiendo la etiqueta que termina en un car\u00e1cter menor que. Los navegadores pueden mostrar un c\u00f3digo HTML no v\u00e1lido, lo que permite la inyecci\u00f3n de HTML o ataques de Cross-Site-Scripting (XSS)."
    }
  ],
  "id": "CVE-2023-1932",
  "lastModified": "2025-06-24T13:07:42.087",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-11-07T10:15:04.507",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2023-1932"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1809444"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-08-13 21:15
Modified
2025-01-14 19:29
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
References
cret@cert.orghttp://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.htmlMailing List, Third Party Advisory
cret@cert.orghttp://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.htmlMailing List, Third Party Advisory
cret@cert.orghttp://seclists.org/fulldisclosure/2019/Aug/16Mailing List, Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:2766Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:2796Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:2861Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:2925Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:2939Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:2955Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:3892Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:4018Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:4019Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:4020Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:4021Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:4040Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:4041Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:4042Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:4045Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:4352Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2020:0727Third Party Advisory
cret@cert.orghttps://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.mdThird Party Advisory
cret@cert.orghttps://kb.cert.org/vuls/id/605641/Third Party Advisory, US Government Resource
cret@cert.orghttps://kc.mcafee.com/corporate/index?page=content&id=SB10296Third Party Advisory
cret@cert.orghttps://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E
cret@cert.orghttps://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E
cret@cert.orghttps://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E
cret@cert.orghttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/
cret@cert.orghttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/
cret@cert.orghttps://seclists.org/bugtraq/2019/Aug/24Mailing List, Third Party Advisory
cret@cert.orghttps://seclists.org/bugtraq/2019/Aug/43Mailing List, Third Party Advisory
cret@cert.orghttps://seclists.org/bugtraq/2019/Sep/18Mailing List, Third Party Advisory
cret@cert.orghttps://security.netapp.com/advisory/ntap-20190823-0005/Third Party Advisory
cret@cert.orghttps://support.f5.com/csp/article/K50233772Third Party Advisory
cret@cert.orghttps://support.f5.com/csp/article/K50233772?utm_source=f5support&amp%3Butm_medium=RSS
cret@cert.orghttps://usn.ubuntu.com/4308-1/Third Party Advisory
cret@cert.orghttps://www.debian.org/security/2019/dsa-4508Third Party Advisory
cret@cert.orghttps://www.debian.org/security/2019/dsa-4520Third Party Advisory
cret@cert.orghttps://www.synology.com/security/advisory/Synology_SA_19_33Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.htmlMailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.htmlMailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://seclists.org/fulldisclosure/2019/Aug/16Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2766Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2796Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2861Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2925Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2939Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2955Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:3892Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:4018Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:4019Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:4020Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:4021Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:4040Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:4041Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:4042Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:4045Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:4352Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0727Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.mdThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://kb.cert.org/vuls/id/605641/Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108https://kc.mcafee.com/corporate/index?page=content&id=SB10296Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/
af854a3a-2127-422b-91ae-364da2661108https://seclists.org/bugtraq/2019/Aug/24Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://seclists.org/bugtraq/2019/Aug/43Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://seclists.org/bugtraq/2019/Sep/18Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20190823-0005/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://support.f5.com/csp/article/K50233772Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://support.f5.com/csp/article/K50233772?utm_source=f5support&amp%3Butm_medium=RSS
af854a3a-2127-422b-91ae-364da2661108https://usn.ubuntu.com/4308-1/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.debian.org/security/2019/dsa-4508Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.debian.org/security/2019/dsa-4520Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.synology.com/security/advisory/Synology_SA_19_33Third Party Advisory
Impacted products
Vendor Product Version
apple swiftnio *
apple mac_os_x *
canonical ubuntu_linux *
apache traffic_server *
apache traffic_server *
apache traffic_server *
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 19.04
debian debian_linux 9.0
debian debian_linux 10.0
synology skynas -
synology diskstation_manager 6.2
synology vs960hd_firmware -
synology vs960hd -
fedoraproject fedora 29
fedoraproject fedora 30
opensuse leap 15.0
opensuse leap 15.1
redhat jboss_core_services 1.0
redhat jboss_enterprise_application_platform 7.2.0
redhat jboss_enterprise_application_platform 7.3.0
redhat openshift_container_platform 4.1
redhat openshift_service_mesh 1.0
redhat openstack 14
redhat quay 3.0.0
redhat single_sign-on 7.3
redhat software_collections 1.0
redhat enterprise_linux 8.0
oracle graalvm 19.2.0
mcafee web_gateway *
mcafee web_gateway *
mcafee web_gateway *
f5 big-ip_local_traffic_manager *
f5 big-ip_local_traffic_manager *
f5 big-ip_local_traffic_manager *
f5 big-ip_local_traffic_manager *
f5 big-ip_local_traffic_manager *
f5 big-ip_local_traffic_manager *
nodejs node.js *
nodejs node.js *
nodejs node.js *
nodejs node.js *
nodejs node.js *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apple:swiftnio:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "93988E60-006B-434D-AB16-1FA1D2FEBC2A",
              "versionEndIncluding": "1.4.0",
              "versionStartIncluding": "1.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1D294D56-E784-4DA8-9C2C-BC5A05C92C0C",
              "versionStartIncluding": "10.12",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "65B1D2F6-BC1F-47AF-B4E6-4B50986AC622",
              "versionStartIncluding": "14.04",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "603BF43B-FC99-4039-A3C0-467F015A32FA",
              "versionEndIncluding": "6.2.3",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "07BB02CE-D4F2-459C-B0C6-FF78BF7996AE",
              "versionEndIncluding": "7.1.6",
              "versionStartIncluding": "7.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D875E0D8-D109-4F7F-A4C4-9EDD66CEE74E",
              "versionEndIncluding": "8.0.3",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
              "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
              "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*",
              "matchCriteriaId": "CD783B0C-9246-47D9-A937-6144FE8BFF0F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:synology:skynas:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "7C997777-BE79-4F77-90D7-E1A71D474D88",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "D9685B12-824F-42AD-B87C-6E7A78BB7FA5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:synology:vs960hd_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "3D0C5120-B961-440F-B454-584BC54B549C",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:synology:vs960hd:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "1CCBDFF9-AF42-4681-879B-CF789EBAD130",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*",
              "matchCriteriaId": "D100F7CE-FC64-4CC6-852A-6136D72DA419",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*",
              "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F1E78106-58E6-4D59-990F-75DA575BFAD9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_core_services:1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A2466282-51AB-478D-9FF4-FA524265ED2E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0952BA1A-5DF9-400F-B01F-C3A398A8A2D4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "8B157A2D-3422-4224-82D9-15AB3B989075",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "064E7BDD-4EF0-4A0D-A38D-8C75BAFEDCEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_service_mesh:1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "732F14CE-7994-4DD2-A28B-AE9E79826C01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openstack:14:*:*:*:*:*:*:*",
              "matchCriteriaId": "EB7F358B-5E56-41AB-BB8A-23D3CB7A248B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:quay:3.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B1987BDA-0113-4603-B9BE-76647EB043F2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "E939A0E0-3437-459E-9FAB-FE42811B1D32",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9D7EE4B6-A6EC-4B9B-91DF-79615796673F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:oracle:graalvm:19.2.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "C120C2F1-D50D-49CC-8E96-207ACCA49674",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mcafee:web_gateway:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "765E9856-2748-4A8B-91F5-A4DB3C8C547A",
              "versionEndExcluding": "7.7.2.24",
              "versionStartIncluding": "7.7.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mcafee:web_gateway:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EE6E66B1-3291-4E8E-93D6-30E9FDCF983E",
              "versionEndExcluding": "7.8.2.13",
              "versionStartIncluding": "7.8.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mcafee:web_gateway:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "227104AD-396D-4ADD-87C7-C4CD5583DA04",
              "versionEndExcluding": "8.2.0",
              "versionStartIncluding": "8.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "99C12BA5-2D81-4973-824E-2BDDA70F2485",
              "versionEndExcluding": "11.6.5.1",
              "versionStartIncluding": "11.6.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "591EA641-C103-4575-97D5-15D41B20E581",
              "versionEndExcluding": "12.1.5.1",
              "versionStartIncluding": "12.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A3F3F4FD-8BB9-468D-B50F-B25B17AF0F3A",
              "versionEndExcluding": "13.1.3.2",
              "versionStartIncluding": "13.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "63529AEA-8B74-4CA1-BADF-14514D243DC5",
              "versionEndExcluding": "14.0.1.1",
              "versionStartIncluding": "14.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A4D87CCF-ED81-4B69-9D02-D5B79082E0FF",
              "versionEndExcluding": "14.1.2.1",
              "versionStartIncluding": "14.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5485F6ED-F324-4124-9116-79E70909C5F7",
              "versionEndExcluding": "15.0.1.1",
              "versionStartIncluding": "15.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "74FB695D-2C76-47AB-988E-5629D2E695E5",
              "versionEndIncluding": "8.8.1",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*",
              "matchCriteriaId": "CFC0252A-DF1D-4CF4-B450-27267227B599",
              "versionEndExcluding": "8.16.1",
              "versionStartIncluding": "8.9.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "25A3180B-21AF-4010-9DAB-41ADFD2D8031",
              "versionEndIncluding": "10.12.0",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*",
              "matchCriteriaId": "2EC65858-FF7B-4171-82EA-80942D426F40",
              "versionEndExcluding": "10.16.3",
              "versionStartIncluding": "10.13.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "F522C500-AA33-4029-865F-F27FB00A354E",
              "versionEndExcluding": "12.8.1",
              "versionStartIncluding": "12.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both."
    },
    {
      "lang": "es",
      "value": "Algunas implementaciones de HTTP / 2 son vulnerables a una inundaci\u00f3n de configuraciones, lo que puede conducir a una denegaci\u00f3n de servicio. El atacante env\u00eda una secuencia de marcos de CONFIGURACI\u00d3N al par. Como el RFC requiere que el igual responda con un acuse de recibo por cuadro de CONFIGURACI\u00d3N, un cuadro de CONFIGURACI\u00d3N vac\u00edo es casi equivalente en comportamiento a un ping. Dependiendo de cu\u00e1n eficientemente se pongan en cola estos datos, esto puede consumir un exceso de CPU, memoria o ambos."
    }
  ],
  "id": "CVE-2019-9515",
  "lastModified": "2025-01-14T19:29:55.853",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 7.8,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "cret@cert.org",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-08-13T21:15:12.520",
  "references": [
    {
      "source": "cret@cert.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2766"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2796"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2861"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2925"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2939"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2955"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3892"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4018"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4019"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4020"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4021"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4040"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4041"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4042"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4045"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4352"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2020:0727"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://kb.cert.org/vuls/id/605641/"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
    },
    {
      "source": "cret@cert.org",
      "url": "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E"
    },
    {
      "source": "cret@cert.org",
      "url": "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E"
    },
    {
      "source": "cret@cert.org",
      "url": "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E"
    },
    {
      "source": "cret@cert.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
    },
    {
      "source": "cret@cert.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://seclists.org/bugtraq/2019/Aug/24"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://seclists.org/bugtraq/2019/Aug/43"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://seclists.org/bugtraq/2019/Sep/18"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://support.f5.com/csp/article/K50233772"
    },
    {
      "source": "cret@cert.org",
      "url": "https://support.f5.com/csp/article/K50233772?utm_source=f5support\u0026amp%3Butm_medium=RSS"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://usn.ubuntu.com/4308-1/"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2019/dsa-4508"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2019/dsa-4520"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2766"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2796"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2861"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2925"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2939"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2955"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3892"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4018"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4019"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4020"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4021"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4040"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4041"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4042"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4045"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4352"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2020:0727"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://kb.cert.org/vuls/id/605641/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://seclists.org/bugtraq/2019/Aug/24"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://seclists.org/bugtraq/2019/Aug/43"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://seclists.org/bugtraq/2019/Sep/18"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://support.f5.com/csp/article/K50233772"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://support.f5.com/csp/article/K50233772?utm_source=f5support\u0026amp%3Butm_medium=RSS"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://usn.ubuntu.com/4308-1/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2019/dsa-4508"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2019/dsa-4520"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
    }
  ],
  "sourceIdentifier": "cret@cert.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "cret@cert.org",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-09-16 16:15
Modified
2024-11-21 04:56
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body.
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=1843849Issue Tracking, Mitigation, Vendor Advisory
secalert@redhat.comhttps://github.com/keycloak/keycloak/commit/bee4ca89897766c4b68856eafe14f1a3dad34251Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=1843849Issue Tracking, Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/keycloak/keycloak/commit/bee4ca89897766c4b68856eafe14f1a3dad34251Patch, Third Party Advisory
Impacted products
Vendor Product Version
redhat keycloak *
redhat openshift_application_runtimes -
redhat openshift_application_runtimes 1.0
redhat single_sign-on -
redhat single_sign-on 7.0
redhat single_sign-on 7.4


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "523EF2BD-1C36-4166-B099-D1593691BDAA",
              "versionEndExcluding": "11.0.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "ADB40F59-CAAE-47D6-850C-12619D8D5B34",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "183C1FAB-3101-4155-BAA4-819EE997E436",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "341E6313-20D5-44CB-9719-B20585DC5AD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "F62A7110-16D5-4633-A521-9CECD267773B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una vulnerabilidad en Keycloak versiones anteriores a 11.0.1, donde el ataque de DoS es posible mediante el env\u00edo de veinte peticiones simult\u00e1neamente hacia el servidor de keycloak especificado, todas con un valor de encabezado Content-Length que excede el conteo de bytes real del cuerpo de la petici\u00f3n"
    }
  ],
  "id": "CVE-2020-10758",
  "lastModified": "2024-11-21T04:56:00.697",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-09-16T16:15:14.797",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1843849"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/keycloak/keycloak/commit/bee4ca89897766c4b68856eafe14f1a3dad34251"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1843849"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/keycloak/keycloak/commit/bee4ca89897766c4b68856eafe14f1a3dad34251"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-09-09 19:15
Modified
2024-10-04 12:48
Severity ?
7.1 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
7.1 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:6493Mailing List
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:6494Mailing List
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:6495Mailing List
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:6497Mailing List
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:6499Mailing List
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:6500Mailing List
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:6501Mailing List
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:6502Mailing List
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:6503Mailing List
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2024-7341Vendor Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2302064Issue Tracking, Vendor Advisory
Impacted products
Vendor Product Version
redhat keycloak *
redhat single_sign-on *
redhat enterprise_linux 7.0
redhat enterprise_linux 8.0
redhat enterprise_linux 9.0
redhat build_of_keycloak *
redhat build_of_keycloak *
redhat single_sign-on -


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9DF1E078-5CC4-42CE-BE81-27A8B47D4616",
              "versionEndIncluding": "25.0.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "92BC930F-97E8-4FA9-80C5-3A8DB327990B",
              "versionEndExcluding": "7.6.10",
              "versionStartIncluding": "7.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:build_of_keycloak:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "62171FB0-B5A2-4127-90AE-46F8630FDF2C",
              "versionEndExcluding": "22.0.12",
              "versionStartIncluding": "22.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:build_of_keycloak:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5BEDEAB7-7C93-4274-8696-3A8EDCF87043",
              "versionEndExcluding": "24.0.7",
              "versionStartIncluding": "24.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "341E6313-20D5-44CB-9719-B20585DC5AD6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation."
    },
    {
      "lang": "es",
      "value": "Se descubri\u00f3 un problema de fijaci\u00f3n de sesi\u00f3n en los adaptadores SAML proporcionados por Keycloak. El ID de sesi\u00f3n y la cookie JSESSIONID no se modifican en el momento de iniciar sesi\u00f3n, incluso cuando est\u00e1 configurada la opci\u00f3n turnOffChangeSessionIdOnLogin. Esta falla permite que un atacante que secuestra la sesi\u00f3n actual antes de la autenticaci\u00f3n active la fijaci\u00f3n de sesi\u00f3n."
    }
  ],
  "id": "CVE-2024-7341",
  "lastModified": "2024-10-04T12:48:43.523",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-09-09T19:15:14.450",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:6493"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:6494"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:6495"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:6497"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:6499"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:6500"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:6501"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:6502"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:6503"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2024-7341"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2302064"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-384"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-08-31 16:15
Modified
2024-11-21 06:40
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server. This flaw exists because of an incomplete fix for CVE-2021-3629.
References
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2022-1259Vendor Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2072339Issue Tracking, Vendor Advisory
secalert@redhat.comhttps://security.netapp.com/advisory/ntap-20221014-0006/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/security/cve/CVE-2022-1259Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=2072339Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20221014-0006/Third Party Advisory
Impacted products
Vendor Product Version
redhat build_of_quarkus -
redhat integration_camel_k -
redhat jboss_enterprise_application_platform 7.0.0
redhat openshift_application_runtimes -
redhat single_sign-on 7.0
redhat undertow *
redhat undertow 2.2.18
redhat undertow 2.2.19
netapp active_iq_unified_manager -
netapp active_iq_unified_manager -
netapp active_iq_unified_manager -
netapp cloud_secure_agent -
netapp oncommand_insight -
netapp oncommand_workflow_automation -


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "CE29B9D6-63DC-4779-ACE8-4E51E6A0AF37",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "B87C8AD3-8878-4546-86C2-BF411876648C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "72A54BDA-311C-413B-8E4D-388AD65A170A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A33441B3-B301-426C-A976-08CE5FE72EFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "41DB9F22-47FB-4D66-9EA0-10BAFE1D9EE5",
              "versionEndIncluding": "2.2.17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:undertow:2.2.18:*:*:*:*:*:*:*",
              "matchCriteriaId": "69DCCF80-32AD-4E27-871D-0FE5DF57CEF6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:undertow:2.2.19:*:*:*:*:*:*:*",
              "matchCriteriaId": "F5E73C11-3855-4A12-90A9-3AB29235BB57",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*",
              "matchCriteriaId": "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*",
              "matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*",
              "matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F0F202E8-97E6-4BBB-A0B6-4CA3F5803C08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F1BE6C1F-2565-4E97-92AA-16563E5660A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "5735E553-9731-4AAC-BCFF-989377F817B3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server. This flaw exists because of an incomplete fix for CVE-2021-3629."
    },
    {
      "lang": "es",
      "value": "Se ha encontrado un fallo en Undertow. Un posible problema de seguridad en la administraci\u00f3n del control de flujo por parte del navegador sobre HTTP/2 puede causar una sobrecarga o una denegaci\u00f3n de servicio en el servidor. Este fallo se presenta debido a una correcci\u00f3n incompleta de CVE-2021-3629"
    }
  ],
  "id": "CVE-2022-1259",
  "lastModified": "2024-11-21T06:40:21.637",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-08-31T16:15:09.230",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2022-1259"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072339"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20221014-0006/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2022-1259"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072339"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20221014-0006/"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Secondary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-05-24 19:15
Modified
2024-11-21 06:21
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final.
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=1970930Issue Tracking, Third Party Advisory
secalert@redhat.comhttps://security.netapp.com/advisory/ntap-20220804-0003/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=1970930Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20220804-0003/Third Party Advisory
Impacted products
Vendor Product Version
redhat fuse 1.0
redhat jboss_enterprise_application_platform -
redhat openshift_application_runtimes -
redhat single_sign-on -
redhat undertow *
redhat undertow *
redhat undertow 2.0.35
redhat undertow 2.0.36
redhat undertow 2.0.39
redhat undertow 2.2.6
redhat undertow 2.2.7
redhat undertow 2.2.9
redhat jboss_enterprise_application_platform 7.3
redhat jboss_enterprise_application_platform 7.4
redhat enterprise_linux 6.0
redhat enterprise_linux 7.0
redhat enterprise_linux 8.0
netapp active_iq_unified_manager -
netapp active_iq_unified_manager -
netapp active_iq_unified_manager -
netapp oncommand_insight -
netapp oncommand_workflow_automation -


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "077732DB-F5F3-4E9C-9AC0-8142AB85B32F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "B8423D7F-3A8F-4AD8-BF51-245C9D8DD816",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "ADB40F59-CAAE-47D6-850C-12619D8D5B34",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "341E6313-20D5-44CB-9719-B20585DC5AD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1BAD876A-2A44-4217-AD8E-723F6C659D6B",
              "versionEndExcluding": "2.0.35",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F9364241-A687-4277-BD0A-23875980F7BA",
              "versionEndExcluding": "2.2.6",
              "versionStartIncluding": "2.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:undertow:2.0.35:-:*:*:*:*:*:*",
              "matchCriteriaId": "1606D630-BD33-4D6C-AB09-E21567B9DAD7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:undertow:2.0.36:-:*:*:*:*:*:*",
              "matchCriteriaId": "4F6461F3-EE16-4F87-BB63-BF76458B7B57",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:undertow:2.0.39:-:*:*:*:*:*:*",
              "matchCriteriaId": "600AB6B3-6091-49DF-AA7D-E4400F69D61F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:undertow:2.2.6:-:*:*:*:*:*:*",
              "matchCriteriaId": "BA47D051-72D8-4AA8-90FA-04B8CA1C9FE5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:undertow:2.2.7:-:*:*:*:*:*:*",
              "matchCriteriaId": "8BEC107E-11EE-497D-834C-CCF5921C0CE1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:undertow:2.2.9:-:*:*:*:*:*:*",
              "matchCriteriaId": "A1530774-1A8C-46D0-85BE-AC1A9CA0071E",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "645A908C-18C2-4AB1-ACE7-3969E3A552A5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*",
              "matchCriteriaId": "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*",
              "matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*",
              "matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F1BE6C1F-2565-4E97-92AA-16563E5660A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "5735E553-9731-4AAC-BCFF-989377F817B3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final."
    },
    {
      "lang": "es",
      "value": "Se ha encontrado un fallo en Undertow. El HTTP2SourceChannel no escribe la \u00faltima trama en algunas circunstancias, resultando en una denegaci\u00f3n de servicio. La mayor amenaza de esta vulnerabilidad es la disponibilidad. Este fallo afecta a Undertow versiones anteriores a 2.0.35.SP1, anteriores a 2.2.6.SP1, anteriores a 2.2.7.SP1, anteriores a 2.0.36.SP1, anteriores a 2.2.9.Final y anteriores a 2.0.39.Final"
    }
  ],
  "id": "CVE-2021-3597",
  "lastModified": "2024-11-21T06:21:56.077",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "HIGH",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 2.6,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 4.9,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-05-24T19:15:09.037",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1970930"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20220804-0003/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1970930"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20220804-0003/"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-362"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-362"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-05-13 19:15
Modified
2024-11-21 05:11
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714Issue Tracking, Vendor Advisory
secalert@redhat.comhttps://github.com/keycloak/keycloak/pull/7053Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/keycloak/keycloak/pull/7053Patch, Third Party Advisory
Impacted products
Vendor Product Version
redhat keycloak *
redhat decision_manager 7.0
redhat jboss_fuse 7.0.0
redhat openshift_application_runtimes -
redhat process_automation 7.0
redhat single_sign-on 7.0
quarkus quarkus *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "255305D5-BC40-46ED-9937-1904D210885F",
              "versionEndExcluding": "11.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:decision_manager:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "68146098-58F8-417E-B165-5182527117C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B40CCE4F-EA2C-453D-BB76-6388767E5C6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A33441B3-B301-426C-A976-08CE5FE72EFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "20A6B40D-F991-4712-8E30-5FE008505CB7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DAD20C55-1888-477C-923F-B25E8B5CD239",
              "versionEndIncluding": "1.4.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution."
    },
    {
      "lang": "es",
      "value": "Se detect\u00f3 un fallo en Keycloak versiones anteriores a 11.0.0, donde la base de c\u00f3digo contiene usos de la funci\u00f3n ObjectInputStream sin ning\u00fan tipo de comprobaciones. Este fallo permite a un atacante inyectar Objetos Java serializados arbitrariamente, que luego se deserializar\u00e1n en un contexto privilegiado y conlleva potencialmente a una ejecuci\u00f3n  de c\u00f3digo remota."
    }
  ],
  "id": "CVE-2020-1714",
  "lastModified": "2024-11-21T05:11:13.600",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 5.9,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-05-13T19:15:11.987",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/keycloak/keycloak/pull/7053"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/keycloak/keycloak/pull/7053"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-04-17 14:15
Modified
2025-06-30 13:58
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Summary
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:1860Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:1861Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:1862Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:1864Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:1866Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:1867Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:1868Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:2945Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:3752Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:3762Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:3919Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:3989Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2024-1132Vendor Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2262117Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:1860Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:1861Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:1862Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:1864Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:1866Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:1867Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:1868Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:2945Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:3752Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:3762Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:3919Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:3989Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/security/cve/CVE-2024-1132Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=2262117Issue Tracking, Vendor Advisory
Impacted products
Vendor Product Version
redhat build_of_keycloak -
redhat jboss_middleware_text-only_advisories 1.0
redhat keycloak *
redhat keycloak *
redhat migration_toolkit_for_applications 1.0
redhat migration_toolkit_for_runtimes -
redhat openshift_container_platform 4.11
redhat openshift_container_platform 4.12
redhat openshift_container_platform_for_ibm_z 4.9
redhat openshift_container_platform_for_ibm_z 4.10
redhat openshift_container_platform_for_linuxone 4.9
redhat openshift_container_platform_for_linuxone 4.10
redhat openshift_container_platform_for_power 4.9
redhat openshift_container_platform_for_power 4.10
redhat single_sign-on -
redhat single_sign-on 7.6


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "1830E455-7E11-4264-862D-05971A42D4A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_middleware_text-only_advisories:1.0:*:*:*:*:middleware:*:*",
              "matchCriteriaId": "A0FED4EE-0AE2-4BD8-8DAC-143382E4DB7C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CA401385-9C98-42B9-8FEC-4863201682F9",
              "versionEndExcluding": "22.0.10",
              "versionStartIncluding": "21.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6392BA3C-DA57-4640-BB46-C11E9EC3DAED",
              "versionEndExcluding": "24.0.3",
              "versionStartIncluding": "23.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:migration_toolkit_for_applications:1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "99552EC4-6484-4274-B2CC-45EEFB1D2506",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:migration_toolkit_for_runtimes:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F979A5E3-7FFB-45F1-9847-FFBAF0B12067",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "EA983F8C-3A06-450A-AEFF-9429DE9A3454",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "40449571-22F8-44FA-B57B-B43F71AB25E2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "01B0F191-ADDB-4AAE-A5C5-5CC16909E64A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "FD75BCB4-F0E1-4C05-A2D7-001503C805C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "B02036DD-4489-480B-B7D4-4EB08952377B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "C7E78C55-45B6-4E01-9773-D3468F8EA9C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "30E2CF79-2D56-48AB-952E-5DDAFE471073",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "54E24055-813B-4E6D-94B7-FAD5F78B8537",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "341E6313-20D5-44CB-9719-B20585DC5AD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "2DEC61BC-E699-456E-99B6-C049F2A5F23F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una falla en Keycloak, donde no valida correctamente las URL incluidas en una redirecci\u00f3n. Este problema podr\u00eda permitir a un atacante crear una solicitud maliciosa para eludir la validaci\u00f3n y acceder a otras URL e informaci\u00f3n confidencial dentro del dominio o realizar m\u00e1s ataques. Esta falla afecta a cualquier cliente que utilice un comod\u00edn en el campo URI de redireccionamiento v\u00e1lido y requiere la interacci\u00f3n del usuario dentro de la URL maliciosa."
    }
  ],
  "id": "CVE-2024-1132",
  "lastModified": "2025-06-30T13:58:57.033",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-04-17T14:15:07.953",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:1860"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:1861"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:1862"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:1864"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:1866"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:1867"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:1868"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:2945"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:3752"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:3762"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:3919"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:3989"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2024-1132"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2262117"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:1860"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:1861"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:1862"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:1864"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:1866"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:1867"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:1868"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:2945"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:3752"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:3762"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:3919"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:3989"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2024-1132"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2262117"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-01-07 17:15
Modified
2024-11-21 04:27
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A flaw was found in Wildfly Security Manager, running under JDK 11 or 8, that authorized requests for any requester. This flaw could be used by a malicious app deployed on the app server to access unauthorized information and possibly conduct further attacks. Versions shipped with Red Hat Jboss EAP 7 and Red Hat SSO 7 are vulnerable to this issue.
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14843Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14843Issue Tracking, Patch, Third Party Advisory
Impacted products
Vendor Product Version
redhat single_sign-on 7.3
redhat jboss_enterprise_application_platform 7.2.0
redhat jboss_enterprise_application_platform 7.2.0
redhat single_sign-on -


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "E939A0E0-3437-459E-9FAB-FE42811B1D32",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0952BA1A-5DF9-400F-B01F-C3A398A8A2D4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0952BA1A-5DF9-400F-B01F-C3A398A8A2D4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "341E6313-20D5-44CB-9719-B20585DC5AD6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in Wildfly Security Manager, running under JDK 11 or 8, that authorized requests for any requester. This flaw could be used by a malicious app deployed on the app server to access unauthorized information and possibly conduct further attacks. Versions shipped with Red Hat Jboss EAP 7 and Red Hat SSO 7 are vulnerable to this issue."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 un fallo en Wildfly Security Manager, ejecutado bajo JDK versi\u00f3n 11 o 8, que autoriz\u00f3 peticiones de cualquier solicitante. Este fallo podr\u00eda ser utilizado por una aplicaci\u00f3n maliciosa implementada en el servidor de aplicaciones para acceder a informaci\u00f3n no autorizada y posiblemente dirigir nuevos ataques. Las versiones incluidas con Red Hat Jboss EAP versi\u00f3n 7 y Red Hat SSO versi\u00f3n 7, son vulnerables a este problema."
    }
  ],
  "id": "CVE-2019-14843",
  "lastModified": "2024-11-21T04:27:28.913",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 5.9,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-01-07T17:15:11.143",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14843"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14843"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-592"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-12-21 10:15
Modified
2024-11-21 07:58
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Summary
Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible unauthorized access to an existing OAuth client.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:3883Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:3884Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:3885Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:3888Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:3892Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2023-2585Vendor Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2196335Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:3883Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:3884Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:3885Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:3888Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:3892Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/security/cve/CVE-2023-2585Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=2196335Issue Tracking, Vendor Advisory
Impacted products
Vendor Product Version
redhat single_sign-on 7.6
redhat enterprise_linux 7.0
redhat enterprise_linux 8.0
redhat enterprise_linux 9.0
redhat openshift_container_platform 4.11
redhat openshift_container_platform 4.12
redhat openshift_container_platform_for_ibm_z 4.9
redhat openshift_container_platform_for_ibm_z 4.10
redhat openshift_container_platform_for_linuxone 4.9
redhat openshift_container_platform_for_linuxone 4.10
redhat openshift_container_platform_for_power 4.9
redhat openshift_container_platform_for_power 4.10
redhat enterprise_linux 8.0
redhat single_sign-on -


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "2DEC61BC-E699-456E-99B6-C049F2A5F23F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "EA983F8C-3A06-450A-AEFF-9429DE9A3454",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "40449571-22F8-44FA-B57B-B43F71AB25E2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "01B0F191-ADDB-4AAE-A5C5-5CC16909E64A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "FD75BCB4-F0E1-4C05-A2D7-001503C805C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "B02036DD-4489-480B-B7D4-4EB08952377B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "C7E78C55-45B6-4E01-9773-D3468F8EA9C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "30E2CF79-2D56-48AB-952E-5DDAFE471073",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "54E24055-813B-4E6D-94B7-FAD5F78B8537",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "341E6313-20D5-44CB-9719-B20585DC5AD6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Keycloak\u0027s device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible unauthorized access to an existing OAuth client."
    },
    {
      "lang": "es",
      "value": "La concesi\u00f3n de autorizaci\u00f3n del dispositivo de Keycloak no valida correctamente el c\u00f3digo del dispositivo y la identificaci\u00f3n del cliente. Un cliente atacante podr\u00eda abusar de la validaci\u00f3n faltante para falsificar una solicitud de consentimiento del cliente y enga\u00f1ar a un administrador de autorizaci\u00f3n para que otorgue el consentimiento a un cliente OAuth malicioso o un posible acceso no autorizado a un cliente OAuth existente."
    }
  ],
  "id": "CVE-2023-2585",
  "lastModified": "2024-11-21T07:58:52.737",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 0.9,
        "impactScore": 2.5,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-12-21T10:15:34.533",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:3883"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:3884"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:3885"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:3888"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:3892"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2023-2585"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2196335"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:3883"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:3884"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:3885"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:3888"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:3892"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2023-2585"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2196335"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-358"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-04-01 23:15
Modified
2024-11-21 06:21
Severity ?
7.1 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Summary
A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity provider and Principal Type is set to Attribute [Name].
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=1941565Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=1941565Issue Tracking, Patch, Third Party Advisory
Impacted products
Vendor Product Version
redhat keycloak 9.0.13
redhat single_sign-on 7.0
redhat single_sign-on 7.4
redhat single_sign-on 7.4.7


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:9.0.13:*:*:*:*:*:*:*",
              "matchCriteriaId": "D0DDBC85-8DAC-4D1A-A91F-5300D7B71B04",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "F62A7110-16D5-4633-A521-9CECD267773B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.4.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "2B0D1840-AFEF-4CD4-8D18-4EEF22B6AB36",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity provider and Principal Type is set to Attribute [Name]."
    },
    {
      "lang": "es",
      "value": "Se ha encontrado un fallo en keycloak por el que keycloak puede fallar al cerrar la sesi\u00f3n del usuario si la petici\u00f3n de cierre de sesi\u00f3n proviene de un proveedor de identidad SAML externo y el tipo de principal est\u00e1 configurado como atributo [nombre]"
    }
  ],
  "id": "CVE-2021-3461",
  "lastModified": "2024-11-21T06:21:35.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 3.3,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 3.4,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-04-01T23:15:10.460",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1941565"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1941565"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-613"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-613"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-03-08 22:15
Modified
2024-11-21 05:21
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Summary
A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality.
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=1906797Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=1906797Issue Tracking, Vendor Advisory
Impacted products
Vendor Product Version
redhat keycloak *
redhat single_sign-on 7.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6C59F338-CA05-4F1D-84DA-246111636A0E",
              "versionEndExcluding": "13.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 un fallo en keycloak en versiones anteriores a 13.0.0.\u0026#xa0;El endpoint de registro de clientes permite obtener informaci\u00f3n sobre clientes P\u00daBLICOS (como el secreto del cliente) sin autenticaci\u00f3n, lo que podr\u00eda ser un problema si el mismo cliente P\u00daBLICO cambiara a CONFIDENCIAL m\u00e1s adelante.\u0026#xa0;La mayor amenaza de esta vulnerabilidad es la confidencialidad de los datos"
    }
  ],
  "id": "CVE-2020-27838",
  "lastModified": "2024-11-21T05:21:54.503",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-03-08T22:15:13.423",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1906797"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1906797"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-12-18 23:15
Modified
2024-11-21 08:44
Severity ?
4.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt" which could be used to bypass the security patch implemented to address CVE-2023-6134.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:0094
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:0095
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:0096
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:0097
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:0098
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:0100
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:0101
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:0798
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:0799
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:0800
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:0801
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:0804
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2023-6927Vendor Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2255027Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:0094
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:0095
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:0096
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:0097
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:0098
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:0100
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:0101
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:0798
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:0799
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:0800
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:0801
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:0804
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/security/cve/CVE-2023-6927Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=2255027Issue Tracking, Vendor Advisory
Impacted products
Vendor Product Version
redhat keycloak -
redhat single_sign-on 7.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "6E0DE4E1-5D8D-40F3-8AC8-C7F736966158",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode \"form_post.jwt\" which could be used to bypass the security patch implemented to address CVE-2023-6134."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una falla en Keycloak. Este problema puede permitir que un atacante robe c\u00f3digos de autorizaci\u00f3n o tokens de clientes usando un comod\u00edn en el modo de respuesta JARM \"form_post.jwt\" que podr\u00eda usarse para eludir el parche de seguridad implementado para abordar CVE-2023-6134."
    }
  ],
  "id": "CVE-2023-6927",
  "lastModified": "2024-11-21T08:44:51.110",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.6,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 2.5,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-12-18T23:15:10.027",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:0094"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:0095"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:0096"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:0097"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:0098"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:0100"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:0101"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:0798"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:0799"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:0800"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:0801"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:0804"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2023-6927"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255027"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2024:0094"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2024:0095"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2024:0096"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2024:0097"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2024:0098"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2024:0100"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2024:0101"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2024:0798"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2024:0799"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2024:0800"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2024:0801"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2024:0804"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2023-6927"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255027"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-10-02 19:15
Modified
2024-11-21 04:18
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2019:2998Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2020:0727Vendor Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10212Issue Tracking, Mitigation, Vendor Advisory
secalert@redhat.comhttps://security.netapp.com/advisory/ntap-20220210-0017/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2998Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0727Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10212Issue Tracking, Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20220210-0017/Third Party Advisory
Impacted products
Vendor Product Version
redhat undertow *
redhat jboss_data_grid *
redhat jboss_data_grid -
redhat jboss_enterprise_application_platform -
redhat jboss_fuse *
redhat openshift_application_runtimes -
redhat single_sign-on *
netapp active_iq_unified_manager -
netapp active_iq_unified_manager -
netapp active_iq_unified_manager -
redhat jboss_enterprise_application_platform 7.2
redhat jboss_enterprise_application_platform 7.3
redhat jboss_enterprise_application_platform 7.4
redhat enterprise_linux 8.0
redhat jboss_enterprise_application_platform 7.2
redhat jboss_enterprise_application_platform 7.3
redhat jboss_enterprise_application_platform 7.4
redhat enterprise_linux 7.0
redhat jboss_enterprise_application_platform 7.2
redhat jboss_enterprise_application_platform 7.3
redhat enterprise_linux 6.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D92CBDEE-B201-4457-B870-89910D746221",
              "versionEndExcluding": "2.0.20",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_data_grid:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0071A5C4-0204-4043-89F4-5BCD9B1B0497",
              "versionEndIncluding": "7.3",
              "versionStartIncluding": "7.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_data_grid:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "2BF03A52-4068-47EA-8846-1E5FB708CE1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "B8423D7F-3A8F-4AD8-BF51-245C9D8DD816",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_fuse:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "46A8F2BB-F64B-400F-BE0B-7E1AD0AEBD5D",
              "versionEndIncluding": "7.4",
              "versionStartIncluding": "7.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "ADB40F59-CAAE-47D6-850C-12619D8D5B34",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "518027E2-CE5F-42E4-85B0-79A33B452C9D",
              "versionEndIncluding": "7.3",
              "versionStartIncluding": "7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*",
              "matchCriteriaId": "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*",
              "matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*",
              "matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "645A908C-18C2-4AB1-ACE7-3969E3A552A5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "645A908C-18C2-4AB1-ACE7-3969E3A552A5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user\u0027s credentials from the log files."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 un fallo en, todas las versiones por debajo de la 2.0.20, en el registro DEBUG de Undertow para io.undertow.request.security. Si est\u00e1 habilitado, un atacante podr\u00eda abusar de este fallo para conseguir las credenciales del usuario de los archivos de registro."
    }
  ],
  "id": "CVE-2019-10212",
  "lastModified": "2024-11-21T04:18:39.980",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 0.5,
        "impactScore": 4.2,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-10-02T19:15:11.703",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2998"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2020:0727"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10212"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20220210-0017/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2998"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2020:0727"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10212"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20220210-0017/"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-532"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-532"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-11-08 15:15
Modified
2025-07-07 14:15
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2020:0159Third Party Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2020:0160Third Party Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2020:0161Third Party Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2020:0164Third Party Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2020:0445Third Party Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219Issue Tracking, Third Party Advisory
secalert@redhat.comhttps://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56cee
secalert@redhat.comhttps://github.com/hibernate/hibernate-validator/commit/20d729548511ac5cff6fd459f93de137195420fe
secalert@redhat.comhttps://github.com/poc-effectiveness/PoCAdaptation/tree/main/Adapted/CVE-2019-10219
secalert@redhat.comhttps://github.com/poc-effectiveness/PoCAdaptation/tree/main/Origin/CVE-2019-10219/exploit
secalert@redhat.comhttps://lists.apache.org/thread.html/r4f8b4e2541be4234946e40d55859273a7eec0f4901e8080ce2406fe6%40%3Cnotifications.accumulo.apache.org%3E
secalert@redhat.comhttps://lists.apache.org/thread.html/r4f92d7f7682dcff92722fa947f9e6f8ba2227c5dc3e11ba09114897d%40%3Cnotifications.accumulo.apache.org%3E
secalert@redhat.comhttps://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf%40%3Cnotifications.accumulo.apache.org%3E
secalert@redhat.comhttps://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E
secalert@redhat.comhttps://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E
secalert@redhat.comhttps://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E
secalert@redhat.comhttps://security.netapp.com/advisory/ntap-20220210-0024/Third Party Advisory
secalert@redhat.comhttps://www.oracle.com/security-alerts/cpujan2022.htmlThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0159Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0160Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0161Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0164Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0445Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56ceee
af854a3a-2127-422b-91ae-364da2661108https://github.com/hibernate/hibernate-validator/commit/20d729548511ac5cff6fd459f93de137195420fe
af854a3a-2127-422b-91ae-364da2661108https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Adapted/CVE-2019-10219
af854a3a-2127-422b-91ae-364da2661108https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Origin/CVE-2019-10219/exploit
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/r4f8b4e2541be4234946e40d55859273a7eec0f4901e8080ce2406fe6%40%3Cnotifications.accumulo.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/r4f92d7f7682dcff92722fa947f9e6f8ba2227c5dc3e11ba09114897d%40%3Cnotifications.accumulo.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf%40%3Cnotifications.accumulo.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20220210-0024/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpujan2022.htmlThird Party Advisory
Impacted products
Vendor Product Version
redhat hibernate_validator *
redhat hibernate_validator 6.1.0
redhat hibernate_validator 6.1.0
redhat hibernate_validator 6.1.0
redhat hibernate_validator 6.1.0
redhat hibernate_validator 6.1.0
redhat hibernate_validator 6.1.0
redhat fuse 1.0
redhat jboss_data_grid -
redhat jboss_enterprise_application_platform -
redhat openshift_application_runtimes -
redhat single_sign-on -
redhat jboss_enterprise_application_platform 7.2
redhat jboss_enterprise_application_platform 7.3
redhat enterprise_linux 6.0
netapp active_iq_unified_manager -
netapp active_iq_unified_manager -
netapp active_iq_unified_manager -
netapp management_services_for_element_software_and_netapp_hci -
netapp snapcenter_plug-in -
netapp element -
oracle access_manager 11.1.2.3.0
oracle access_manager 12.2.1.3.0
oracle access_manager 12.2.1.4.0
oracle agile_engineering_data_management 6.2.1.0
oracle agile_plm 9.3.3
oracle agile_plm 9.3.6
oracle agile_product_lifecycle_analytics 3.6.1
oracle agile_product_lifecycle_management_integration_pack 3.6
oracle airlines_data_model 12.1.1.0.0
oracle airlines_data_model 12.2.0.1.0
oracle application_express 21.1.4
oracle application_performance_management 13.4.1.0
oracle application_performance_management 13.5.1.0
oracle application_testing_suite 13.3.0.1
oracle argus_analytics 8.2.1
oracle argus_analytics 8.2.2
oracle argus_analytics 8.2.3
oracle argus_analytics 8.21
oracle argus_insight 8.2.1
oracle argus_insight 8.2.2
oracle argus_insight 8.2.3
oracle argus_safety 8.2.1
oracle argus_safety 8.2.2
oracle argus_safety 8.2.3
oracle banking_apis 18.1
oracle banking_apis 18.2
oracle banking_apis 18.3
oracle banking_apis 19.1
oracle banking_apis 19.2
oracle banking_apis 20.1
oracle banking_apis 21.1
oracle banking_deposits_and_lines_of_credit_servicing 2.12.0
oracle banking_digital_experience 17.2
oracle banking_digital_experience 18.1
oracle banking_digital_experience 18.3
oracle banking_digital_experience 19.1
oracle banking_digital_experience 19.2
oracle banking_digital_experience 20.1
oracle banking_digital_experience 21.1
oracle banking_enterprise_default_management 2.6.2
oracle banking_enterprise_default_management 2.7.0
oracle banking_enterprise_default_management 2.7.1
oracle banking_enterprise_default_management 2.10.0
oracle banking_enterprise_default_management 2.12.0
oracle banking_enterprise_default_managment *
oracle banking_loans_servicing 2.12.0
oracle banking_party_management 2.7.0
oracle banking_platform *
oracle banking_platform 2.6.2
oracle banking_platform 2.7.0
oracle banking_platform 2.7.1
oracle bi_publisher 5.5.0.0.0
oracle bi_publisher 11.1.1.9.0
oracle bi_publisher 12.2.1.3.0
oracle bi_publisher 12.2.1.4.0
oracle big_data_spatial_and_graph 23.1
oracle business_activity_monitoring 12.2.1.4.0
oracle business_intelligence 5.5.0.0.0
oracle business_intelligence 5.9.0.0.0
oracle business_intelligence 12.2.1.3.0
oracle business_intelligence 12.2.1.4.0
oracle business_process_management_suite 12.2.1.3.0
oracle business_process_management_suite 12.2.1.4.0
oracle clinical 5.2.1
oracle clinical 5.2.2
oracle commerce_guided_search 11.3.2
oracle commerce_platform *
oracle communications_application_session_controller 3.9.0
oracle communications_billing_and_revenue_management 12.0.0.3
oracle communications_billing_and_revenue_management 12.0.0.4
oracle communications_billing_and_revenue_management_elastic_charging_engine 11.3
oracle communications_billing_and_revenue_management_elastic_charging_engine 12.0
oracle communications_calendar_server 8.0.0.5.0
oracle communications_calendar_server 8.0.0.6.0
oracle communications_cloud_native_core_automated_test_suite 1.8.0
oracle communications_cloud_native_core_binding_support_function 1.9.0
oracle communications_cloud_native_core_binding_support_function 1.10.0
oracle communications_cloud_native_core_console 1.7.0
oracle communications_cloud_native_core_network_function_cloud_native_environment 1.9.0
oracle communications_cloud_native_core_network_repository_function 1.14.0
oracle communications_cloud_native_core_policy 1.14.0
oracle communications_cloud_native_core_security_edge_protection_proxy 1.5.0
oracle communications_cloud_native_core_security_edge_protection_proxy 1.6.0
oracle communications_cloud_native_core_security_edge_protection_proxy 1.15.0
oracle communications_cloud_native_core_service_communication_proxy 1.14.0
oracle communications_cloud_native_core_unified_data_repository 1.14.0
oracle communications_contacts_server 8.0.0.3.0
oracle communications_converged_application_server_-_service_controller 6.2
oracle communications_convergence 3.0.2.2.0
oracle communications_convergent_charging_controller *
oracle communications_convergent_charging_controller 6.0.1.0.0
oracle communications_data_model 11.3.2.1.0
oracle communications_data_model 11.3.2.2.0
oracle communications_data_model 11.3.2.3.0
oracle communications_data_model 12.1.0.1.0
oracle communications_data_model 12.1.2.0.0
oracle communications_design_studio 7.3.4
oracle communications_design_studio 7.3.5
oracle communications_design_studio 7.4.0
oracle communications_design_studio 7.4.1
oracle communications_design_studio 7.4.2
oracle communications_diameter_signaling_route *
oracle communications_eagle_application_processor *
oracle communications_instant_messaging_server 10.0.1.5.0
oracle communications_interactive_session_recorder 6.3
oracle communications_interactive_session_recorder 6.4
oracle communications_messaging_server 8.1
oracle communications_metasolv_solution 6.3.1
oracle communications_network_charging_and_control *
oracle communications_network_charging_and_control 6.0.1.0.0
oracle communications_network_integrity 7.3.5
oracle communications_network_integrity 7.3.6
oracle communications_offline_mediation_controller 12.0.0.3
oracle communications_operations_monitor 3.4
oracle communications_operations_monitor 4.2
oracle communications_operations_monitor 4.3
oracle communications_operations_monitor 4.4
oracle communications_operations_monitor 5.0
oracle communications_pricing_design_center 12.0.0.3.0
oracle communications_pricing_design_center 12.0.0.4.0
oracle communications_service_broker 6.2
oracle communications_services_gatekeeper 7.0
oracle communications_session_border_controller 8.2
oracle communications_session_border_controller 8.3
oracle communications_session_border_controller 8.4
oracle communications_session_border_controller 9.0
oracle communications_unified_inventory_management 7.3.0
oracle communications_unified_inventory_management 7.3.4
oracle communications_unified_inventory_management 7.3.5
oracle communications_unified_inventory_management 7.4.0
oracle communications_unified_inventory_management 7.4.1
oracle communications_unified_inventory_management 7.4.2
oracle communications_unified_inventory_management 7.5.0
oracle communications_webrtc_session_controller 7.2.0
oracle communications_webrtc_session_controller 7.2.1
oracle data_integrator 12.2.1.3.0
oracle data_integrator 12.2.1.4.0
oracle database_server 12.1.0.1
oracle database_server 12.1.0.2
oracle database_server 19c
oracle database_server 21c
oracle demantra_demand_management *
oracle documaker *
oracle e-business_suite *
oracle enterprise_communications_broker 3.3
oracle enterprise_data_quality 12.2.1.3.0
oracle enterprise_data_quality 12.2.1.4.0
oracle enterprise_manager_base_platform 13.4.0.0
oracle enterprise_manager_base_platform 13.5.0.0
oracle enterprise_manager_ops_center 12.4.0.0
oracle enterprise_session_border_controller 8.4
oracle enterprise_session_border_controller 9.0
oracle essbase *
oracle essbase *
oracle essbase 11.1.2.4.47
oracle essbase_administration_services *
oracle essbase_administration_services 11.1.2.4.47
oracle financial_services_analytical_applications_infrastructure *
oracle financial_services_analytical_applications_infrastructure 7.3.3
oracle financial_services_behavior_detection_platform 8.0.7
oracle financial_services_behavior_detection_platform 8.0.8
oracle financial_services_behavior_detection_platform 8.0.11
oracle financial_services_enterprise_case_management 8.0.7
oracle financial_services_enterprise_case_management 8.0.8
oracle financial_services_enterprise_case_management 8.0.11
oracle financial_services_foreign_account_tax_compliance_act_management 8.0.7
oracle financial_services_foreign_account_tax_compliance_act_management 8.0.8
oracle financial_services_foreign_account_tax_compliance_act_management 8.0.11
oracle financial_services_model_management_and_governance *
oracle financial_services_trade-based_anti_money_laundering 8.0.7
oracle financial_services_trade-based_anti_money_laundering 8.0.8
oracle flexcube_investor_servicing 12.0.4
oracle flexcube_investor_servicing 12.1.0
oracle flexcube_investor_servicing 12.3.0
oracle flexcube_investor_servicing 12.4.0
oracle flexcube_investor_servicing 14.4.0
oracle flexcube_investor_servicing 14.5.0
oracle flexcube_private_banking 12.0.0
oracle flexcube_private_banking 12.1.0
oracle fusion_middleware 12.2.1.3.0
oracle fusion_middleware 12.2.1.4.0
oracle fusion_middleware_mapviewer 12.2.1.4.0
oracle goldengate *
oracle goldengate *
oracle goldengate *
oracle goldengate_application_adapters 19.1.0.0.0
oracle graalvm 20.3.4
oracle graalvm 21.3.0
oracle graph_server_and_client *
oracle health_sciences_clinical_development_analytics 4.0.1
oracle health_sciences_inform_crf_submit 6.2.1
oracle health_sciences_information_manager 3.0.2
oracle health_sciences_information_manager 3.0.3
oracle healthcare_data_repository 7.0.2
oracle healthcare_data_repository 8.1.0
oracle healthcare_data_repository 8.1.1
oracle healthcare_foundation *
oracle healthcare_foundation *
oracle healthcare_foundation 8.1.0
oracle healthcare_foundation 8.1.1
oracle healthcare_translational_research 4.1.0
oracle hospitality_cruise_shipboard_property_management_system 20.1.0
oracle hospitality_opera_5_property_services 5.6
oracle hospitality_reporting_and_analytics 9.1.0
oracle hospitality_suite8 8.10.2
oracle hospitality_suite8 8.11.0
oracle hospitality_suite8 8.12.0
oracle hospitality_suite8 8.13.0
oracle hospitality_suite8 8.14.0
oracle http_server 12.2.1.3.0
oracle http_server 12.2.1.4.0
oracle hyperion_financial_management 11.1.2.4
oracle hyperion_financial_management 11.2.6.0
oracle hyperion_ilearning 6.2
oracle hyperion_ilearning 6.3
oracle hyperion_infrastructure_technology 11.2.7.0
oracle instantis_enterprisetrack 17.1
oracle instantis_enterprisetrack 17.2
oracle instantis_enterprisetrack 17.3
oracle insurance_data_gateway 11.0.2
oracle insurance_data_gateway 11.1.0
oracle insurance_data_gateway 11.2.7
oracle insurance_data_gateway 11.3.0
oracle insurance_data_gateway 11.3.1
oracle insurance_insbridge_rating_and_underwriting *
oracle insurance_insbridge_rating_and_underwriting 5.2.0
oracle insurance_policy_administration 11.0.2
oracle insurance_policy_administration 11.1.0
oracle insurance_policy_administration 11.2.7
oracle insurance_policy_administration 11.3.0
oracle insurance_policy_administration 11.3.1
oracle insurance_policy_administration_j2ee *
oracle insurance_policy_administration_j2ee 10.2.0
oracle insurance_policy_administration_j2ee 10.2.4
oracle insurance_policy_administration_j2ee 11.0.2
oracle insurance_rules_palette *
oracle insurance_rules_palette 10.2.0
oracle insurance_rules_palette 10.2.4
oracle insurance_rules_palette 11.0.2
oracle insurance_rules_palette 11.3.1
oracle java_se 7u321
oracle java_se 8u311
oracle java_se 17.1
oracle jd_edwards_enterpriseone_orchestrator *
oracle jdk 11.0.13
oracle managed_file_transfer 12.2.1.3.0
oracle managed_file_transfer 12.2.1.4.0
oracle mysql_cluster *
oracle mysql_cluster *
oracle mysql_cluster *
oracle mysql_cluster *
oracle mysql_connectors *
oracle mysql_connectors 8.0.27
oracle mysql_server *
oracle mysql_server *
oracle mysql_server 5.7.36
oracle mysql_workbench *
oracle nosql_database *
oracle oss_support_tools *
oracle peoplesoft_enterprise_cs_sa_integration_pack 9.0
oracle peoplesoft_enterprise_cs_sa_integration_pack 9.2
oracle peoplesoft_enterprise_people_tools 8.57
oracle peoplesoft_enterprise_people_tools 8.58
oracle peoplesoft_enterprise_people_tools 8.59
oracle peoplesoft_enterprise_peopletools 8.57
oracle peoplesoft_enterprise_peopletools 8.58
oracle policy_automation *
oracle policy_automation 10.4.7
oracle primavera_analytics 18.8.3.3
oracle primavera_analytics 19.12.11.1
oracle primavera_analytics 20.12.12.0
oracle primavera_data_warehouse 18.8.3.3
oracle primavera_data_warehouse 19.12.11.1
oracle primavera_data_warehouse 20.12.12.0
oracle primavera_gateway *
oracle primavera_gateway *
oracle primavera_gateway *
oracle primavera_gateway *
oracle primavera_gateway 21.12.0
oracle primavera_p6_enterprise_project_portfolio_management *
oracle primavera_p6_enterprise_project_portfolio_management *
oracle primavera_p6_enterprise_project_portfolio_management *
oracle primavera_p6_enterprise_project_portfolio_management *
oracle primavera_p6_enterprise_project_portfolio_management 21.12.0.0
oracle primavera_p6_professional_project_management *
oracle primavera_p6_professional_project_management *
oracle primavera_p6_professional_project_management *
oracle primavera_p6_professional_project_management *
oracle primavera_portfolio_management *
oracle primavera_portfolio_management *
oracle primavera_portfolio_management 20.0.0.0
oracle primavera_portfolio_management 20.0.0.1
oracle primavera_unifier *
oracle primavera_unifier 18.8
oracle primavera_unifier 19.12
oracle primavera_unifier 20.12
oracle primavera_unifier 21.12
oracle rapid_planning *
oracle real-time_decision_server 3.2.0.0
oracle real_user_experience_insight 13.4.1.0
oracle real_user_experience_insight 13.5.1.0
oracle rest_data_services 21.2.4
oracle retail_allocation 14.1.3.2
oracle retail_allocation 15.0.3.1
oracle retail_allocation 16.0.3
oracle retail_allocation 19.0.1
oracle retail_analytics *
oracle retail_assortment_planning 16.0.3
oracle retail_back_office 14.1
oracle retail_central_office 14.1
oracle retail_customer_insights *
oracle retail_customer_management_and_segmentation_foundation *
oracle retail_eftlink 16.0.3
oracle retail_eftlink 17.0.2
oracle retail_eftlink 18.0.1
oracle retail_eftlink 19.0.1
oracle retail_eftlink 20.0.1
oracle retail_extract_transform_and_load 13.2.8
oracle retail_financial_integration 14.1.3.2
oracle retail_financial_integration 15.0.3.1
oracle retail_financial_integration 16.0.3
oracle retail_financial_integration 19.0.1
oracle retail_fiscal_management 14.2
oracle retail_integration_bus *
oracle retail_integration_bus 13.0
oracle retail_integration_bus 14.1.3.0
oracle retail_integration_bus 14.1.3.2
oracle retail_integration_bus 15.0.3.1
oracle retail_integration_bus 19.0.0
oracle retail_integration_bus 19.0.1
oracle retail_invoice_matching 15.0.3
oracle retail_invoice_matching 16.0.3
oracle retail_merchandising_system 19.0.1
oracle retail_order_broker 16.0
oracle retail_order_broker 18.0
oracle retail_order_broker 19.1
oracle retail_order_management_system 19.5
oracle retail_point-of-sale 14.1
oracle retail_predictive_application_server 14.1.3
oracle retail_predictive_application_server 14.1.3.46
oracle retail_predictive_application_server 15.0.3
oracle retail_predictive_application_server 15.0.3.115
oracle retail_predictive_application_server 16.0.3
oracle retail_predictive_application_server 16.0.3.240
oracle retail_price_management 13.2
oracle retail_price_management 14.0.4
oracle retail_price_management 14.1
oracle retail_price_management 14.1.3
oracle retail_price_management 15.0
oracle retail_price_management 15.0.3
oracle retail_price_management 16.0
oracle retail_price_management 16.0.3
oracle retail_returns_management 14.1
oracle retail_service_backbone *
oracle retail_service_backbone 14.1.3.0
oracle retail_service_backbone 14.1.3.2
oracle retail_service_backbone 15.0.3.1
oracle retail_service_backbone 19.0.0
oracle retail_service_backbone 19.0.1
oracle retail_size_profile_optimization 16.0.3
oracle retail_xstore_point_of_service 17.0.4
oracle retail_xstore_point_of_service 18.0.3
oracle retail_xstore_point_of_service 19.0.2
oracle retail_xstore_point_of_service 20.0.1
oracle sd-wan_aware 8.2
oracle sd-wan_edge 9.0
oracle sd-wan_edge 9.1
oracle secure_backup 18.1.0.1.0
oracle siebel_applications *
oracle spatial_studio 21.2.1
oracle thesaurus_management_system 5.2.3
oracle thesaurus_management_system 5.3.0
oracle thesaurus_management_system 5.3.1
oracle timesten_in-memory_database *
oracle timesten_in-memory_database *
oracle utilities_framework *
oracle utilities_framework 4.2.0.2.0
oracle utilities_framework 4.2.0.3.0
oracle utilities_framework 4.4.0.0.0
oracle utilities_framework 4.4.0.2.0
oracle utilities_framework 4.4.0.3.0
oracle utilities_testing_accelerator 6.0.0.1.1
oracle utilities_testing_accelerator 6.0.0.2.2
oracle utilities_testing_accelerator 6.0.0.3.1
oracle vm_virtualbox *
oracle webcenter_portal 12.2.1.3.0
oracle webcenter_portal 12.2.1.4.0
oracle weblogic_server 12.1.3.0.0
oracle weblogic_server 12.2.1.3.0
oracle weblogic_server 12.2.1.4.0
oracle weblogic_server 14.1.1.0.0
oracle zfs_storage_appliance_kit 8.8
oracle zfs_storage_application_integration_engineering_software 1.3.3
oracle communications_messaging_server 8.1
oracle solaris 10
oracle solaris 11
oracle fujitsu_m10-1_firmware -
oracle fujitsu_m10-1 -
oracle fujitsu_m10-4_firmware -
oracle fujitsu_m10-4 -
oracle fujitsu_m10-4s_firmware -
oracle fujitsu_m10-4s -
oracle fujitsu_m12-1_firmware -
oracle fujitsu_m12-1 -
oracle fujitsu_m12-2_firmware -
oracle fujitsu_m12-2 -
oracle fujitsu_m12-2s_firmware -
oracle fujitsu_m12-2s -


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:hibernate_validator:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "552F082C-38E5-49A9-A451-71B6ECAF21B2",
              "versionEndExcluding": "6.0.18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:hibernate_validator:6.1.0:alpha1:*:*:*:*:*:*",
              "matchCriteriaId": "A82A1C19-F8AE-4DA9-891D-247F07D57605",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:hibernate_validator:6.1.0:alpha2:*:*:*:*:*:*",
              "matchCriteriaId": "E38B943A-B167-4EAD-9308-47FF525BE57A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:hibernate_validator:6.1.0:alpha3:*:*:*:*:*:*",
              "matchCriteriaId": "6766965C-2991-4559-975B-9E864DF8F10D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:hibernate_validator:6.1.0:alpha4:*:*:*:*:*:*",
              "matchCriteriaId": "E6CD7403-23C7-488F-84EC-1F0C675E87D3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:hibernate_validator:6.1.0:alpha5:*:*:*:*:*:*",
              "matchCriteriaId": "A0033893-4CA9-41F4-8FF0-3BE20F5BE1C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:hibernate_validator:6.1.0:alpha6:*:*:*:*:*:*",
              "matchCriteriaId": "EEB7C69E-FA13-43AB-89AD-FE1E4687E02A",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "077732DB-F5F3-4E9C-9AC0-8142AB85B32F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_data_grid:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "2BF03A52-4068-47EA-8846-1E5FB708CE1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "B8423D7F-3A8F-4AD8-BF51-245C9D8DD816",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "ADB40F59-CAAE-47D6-850C-12619D8D5B34",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "341E6313-20D5-44CB-9719-B20585DC5AD6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*",
              "matchCriteriaId": "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*",
              "matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*",
              "matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:management_services_for_element_software_and_netapp_hci:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "FDAC85F0-93AF-4BE3-AE1A-8ADAF1CDF9AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:snapcenter_plug-in:-:*:*:*:*:vmware_vsphere:*:*",
              "matchCriteriaId": "DC01D8F3-291A-44E5-99C1-6771F6656E0E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:netapp:element:-:*:*:*:*:vcenter_server:*:*",
              "matchCriteriaId": "5E1DE4F5-9094-4C73-AA1B-5C902F38DD24",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:oracle:access_manager:11.1.2.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "8DEAFEDC-2D0F-4A5F-99A0-BD41DD6DC017",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:access_manager:12.2.1.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A287FA5D-D7D9-40B4-8DB2-1D7CE1808408",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:access_manager:12.2.1.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "20EB3430-0FF2-4668-BB20-A5611ACC73F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "80C9DBB8-3D50-4D5D-859A-B022EB7C2E64",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "D14ABF04-E460-4911-9C6C-B7BCEFE68E9D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "C650FEDB-E903-4C2D-AD40-282AB5F2E3C2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:agile_product_lifecycle_analytics:3.6.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "432BFCF5-A5DC-487C-A111-DE70AB3FCDAC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:agile_product_lifecycle_management_integration_pack:3.6:*:*:*:*:e-business_suite:*:*",
              "matchCriteriaId": "5B62CB3B-FDDF-4AFF-A47E-6ADE6504D451",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:airlines_data_model:12.1.1.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "06480458-3216-4C42-9270-F68A41EEC147",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:airlines_data_model:12.2.0.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "480BF1CB-11D7-4D86-A99E-960F316F2E1B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:application_express:21.1.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "BB124AD9-8000-449B-8219-0FF011F86B03",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:application_performance_management:13.4.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F84E5662-0289-4ED5-A112-BC506508216C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:application_performance_management:13.5.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "AD312681-73A4-4B21-BDE8-50DED7E3E0CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "A125E817-F974-4509-872C-B71933F42AD1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:argus_analytics:8.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "BC3D0C4E-0B40-4ACF-BD9E-104CC1D77521",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:argus_analytics:8.2.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "E67940FD-3BA7-40A8-8E40-44B37D23E2DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:argus_analytics:8.2.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "EE6EB4DE-33DA-4810-96BD-29C82B433714",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:argus_analytics:8.21:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C446826-EF5B-4937-ADB4-1102F9F39304",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:argus_insight:8.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "F7FCB446-49A7-48B9-8808-E72A4E2E48C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:argus_insight:8.2.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "9E9B2F53-257E-49E2-83C3-0840BDB4D67C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:argus_insight:8.2.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "6CF34B1B-0FC0-4EA6-830D-D2191337D451",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:argus_safety:8.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "09B79608-5D94-45C3-ADF0-B181B92C3014",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:argus_safety:8.2.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "9F05D844-38BD-4EEB-AF91-E5ED18B1E7E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:argus_safety:8.2.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "25193811-46CE-4A0E-B22D-67BE99FAD450",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_apis:18.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "869D51B3-FB50-4BD6-8A0C-D0984267525F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_apis:18.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "08B8F413-2000-493B-82B1-BEFE343BB8C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_apis:18.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "042269E6-D3B4-4867-86FA-9301FACA9FF2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_apis:19.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "CF34B11F-3DE1-4C22-8EB1-AEE5CE5E4172",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_apis:19.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "86F03B63-F922-45CD-A7D1-326DB0042875",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "7CBFC93F-8B39-45A2-981C-59B187169BD4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "0843465C-F940-4FFC-998D-9A2668B75EA0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_deposits_and_lines_of_credit_servicing:2.12.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "1F834ACC-D65B-4CA3-91F1-415CBC6077E2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_digital_experience:17.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "560F20E6-AEA1-4CE5-A393-C9B2CF334C5C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "BBE7BF09-B89C-4590-821E-6C0587E096B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "E7231D2D-4092-44F3-B60A-D7C9ED78AFDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "F7BDFC10-45A0-46D8-AB92-4A5E2C1C76ED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "18127694-109C-4E7E-AE79-0BA351849291",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "33F68878-BC19-4DB8-8A72-BD9FE3D0ACEC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_digital_experience:21.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "0D6895A6-511A-4DC6-9F9B-58E05B86BDB1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_enterprise_default_management:2.6.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "E60C0966-BF0D-4D18-B09B-5D0BB96DBFF3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_enterprise_default_management:2.7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E0FCD3BC-33D8-49D1-844B-6B9DE0CA4997",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_enterprise_default_management:2.7.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "473749BD-267E-480F-8E7F-C762702DB66E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_enterprise_default_management:2.10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "74C7E2F1-17FC-4322-A5C3-F7EB612BA4F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_enterprise_default_management:2.12.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "320D36DA-D99F-4149-B582-3F4AB2F41A1B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_enterprise_default_managment:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "05E4EB25-7B7A-4A10-A535-8C7CA4D6FEB6",
              "versionEndIncluding": "2.4.0",
              "versionStartIncluding": "2.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_loans_servicing:2.12.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "5E502A46-BAF4-4558-BC8F-9F014A2FB26A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C542DC5E-6657-4178-9C69-46FD3C187D56",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6D0F559E-0790-461B-ACED-5B00F4D40893",
              "versionEndIncluding": "2.4.1",
              "versionStartIncluding": "2.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "132CE62A-FBFC-4001-81EC-35D81F73AF48",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "282150FF-C945-4A3E-8A80-E8757A8907EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "645AA3D1-C8B5-4CD2-8ACE-31541FA267F0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:bi_publisher:5.5.0.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "5CD806C1-CC17-47BD-8BB0-9430C4253BC7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:bi_publisher:11.1.1.9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C83DA9A0-2EBC-4298-8412-1A7C4DC88C2B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:bi_publisher:12.2.1.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9DC56004-4497-4CDD-AE76-5E3DFAE170F0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:bi_publisher:12.2.1.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "274A0CF5-41E8-42E0-9931-F7372A65B9C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:big_data_spatial_and_graph:23.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "BEF828F5-C666-40DA-98DD-CDF658D7090B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "BA8461A2-428C-4817-92A9-0C671545698D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:business_intelligence:5.5.0.0.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "D40AD626-B23A-44A3-A6C0-1FFB4D647AE4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "B602F9E8-1580-436C-A26D-6E6F8121A583",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "77C3DD16-1D81-40E1-B312-50FBD275507C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "81DAC8C0-D342-44B5-9432-6B88D389584F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E869C417-C0E6-4FC3-B406-45598A1D1906",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DFEFE2C0-7B98-44F9-B3AD-D6EC607E90DA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:clinical:5.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "4B2CEA84-0983-4C40-B923-99244ABCF32D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:clinical:5.2.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "2FD798A8-38B7-42C1-9043-863D16CE7ACA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "2A3622F5-5976-4BBC-A147-FC8A6431EA79",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:commerce_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F012E976-E219-46C2-8177-60ED859594BE",
              "versionEndIncluding": "11.3.2",
              "versionStartIncluding": "11.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_application_session_controller:3.9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "787E2C1B-9BAD-4018-8495-E9BE75628BB8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "B0111372-B39F-4B3D-8136-44C2C1CFD12B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "B465F237-0271-4389-8035-89C07A52350D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:11.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "5A9E4125-B744-4A9D-BFE6-5D82939958FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "261212BD-125A-487F-97E8-A9587935DFE8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_calendar_server:8.0.0.5.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4063FAD6-21D4-42C7-87C0-D299532E0982",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_calendar_server:8.0.0.6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F6E8A8C3-253A-4BDD-9AD2-4445DC387B4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "98FB24DB-AF91-48D0-9CA5-C8250D183FD5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "868E7C46-7E45-4CFA-8A25-7CBFED912096",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B6B6FE82-7BFA-481D-99D6-789B146CA18B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_console:1.7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "BC12B43F-30F6-4B05-AB3A-E91D8404D5A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "5D423B62-8EFE-4EFD-A986-5F5ECE5B892F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.14.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "8E463039-5E48-4AA0-A42B-081053FA0111",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4479F76A-4B67-41CC-98C7-C76B81050F8E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.5.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DAEB09CA-9352-43CD-AF66-92BE416E039C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "45E5C9B0-AB25-4744-88E4-FD0C4A853001",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.15.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A442DA9E-FF9A-4C51-9D3E-68D09C8BB472",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0AB059F2-FEC4-4180-8A90-39965495055E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.14.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "5A276784-877B-4A29-A8F1-70518A438A9A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_contacts_server:8.0.0.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "59275C23-53C0-4890-A941-A71226B50CFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_converged_application_server_-_service_controller:6.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "0535B116-57D6-4448-86A2-09BCE50894B8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_convergence:3.0.2.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7DF939F5-C0E1-40A4-95A2-0CE7A03AB4EE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_convergent_charging_controller:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0172500D-DE51-44E0-91E8-C8F36617C1F8",
              "versionEndIncluding": "12.0.4.0.0",
              "versionStartIncluding": "12.0.1.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_convergent_charging_controller:6.0.1.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E99E7D49-AE53-4D16-AB24-EBEAAD084289",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_data_model:11.3.2.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "69C215AB-25B4-47A6-AD6A-A60D2C0FF72F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_data_model:11.3.2.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "8E77E48F-1521-4C89-A5D0-A7F0A8D21AD1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_data_model:11.3.2.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "6F88A2F3-E201-4C68-8D11-0A5C76CDB071",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_data_model:12.1.0.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "CBD877F8-E6EF-4314-AAC0-36F81F4908DF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_data_model:12.1.2.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "3D7356B6-E197-4978-BF18-2CFD4D350A76",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_design_studio:7.3.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "93BE4838-1144-4A6A-ABDB-F2766E64C91C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_design_studio:7.3.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "1B54457C-8305-4F82-BE1E-DBA030A8E676",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_design_studio:7.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C756C62B-E655-4770-8E85-B1995889E416",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_design_studio:7.4.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "93F65B4C-59D5-450A-9955-7FDA32252B0F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_design_studio:7.4.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "A67AA54B-258D-4D09-9ACB-4085E0B3E585",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_diameter_signaling_route:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A6BD600E-F3E9-40CE-9414-1D4506ACC1D8",
              "versionEndIncluding": "8.5.1.0",
              "versionStartIncluding": "8.0.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "95A3E946-BBD5-4BCB-B864-FB3BF5DE56D0",
              "versionEndIncluding": "16.4",
              "versionStartIncluding": "16.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C4A94B36-479F-48F2-9B9E-ACEA2589EF48",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_interactive_session_recorder:6.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "46E23F2E-6733-45AF-9BD9-1A600BD278C8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "E812639B-EE28-4C68-9F6F-70C8BF981C86",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "E1214FDF-357A-4BB9-BADE-50FB2BD16D10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_metasolv_solution:6.3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "64BCB9E3-883D-4C1F-9785-2E182BA47B5B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_network_charging_and_control:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "26940103-F37C-4FBD-BDFD-528A497209D6",
              "versionEndIncluding": "12.0.4.0.0",
              "versionStartIncluding": "12.0.1.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_network_charging_and_control:6.0.1.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "EB9047B1-DA8C-4BFD-BE41-728BD7ECF3E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_network_integrity:7.3.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "FB92D8A7-2ABD-4B70-A32C-4B6B866C5B8B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "B21E6EEF-2AB7-4E96-B092-1F49D11B4175",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "A23B00C1-878A-4B55-B87B-EFFFA6A5E622",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "D52F557F-D0A0-43D3-85F1-F10B6EBFAEDF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_operations_monitor:4.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "F545DFC9-F331-4E1D-BACB-3D26873E5858",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_operations_monitor:4.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "CBE1A019-7BB6-4226-8AC4-9D6927ADAEFA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_operations_monitor:4.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "B98BAEB2-A540-4E8A-A946-C4331B913AFD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_operations_monitor:5.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B8FBE260-E306-4215-80C0-D2D27CA43E0F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "D7B49D71-6A31-497A-B6A9-06E84F086E7A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A28F42F0-FBDA-4574-AD30-7A04F27FEA3E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_service_broker:6.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "E6235EAE-47DD-4292-9941-6FF8D0A83843",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "062E4E7C-55BB-46F3-8B61-5A663B565891",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_session_border_controller:8.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "2B9F6415-2950-49FE-9CAF-8BCA4DB6DF4B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_session_border_controller:8.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "C05190B9-237F-4E2E-91EA-DB1B738864AD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_session_border_controller:8.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "9C416FD3-2E2F-4BBC-BD5F-F896825883F4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_session_border_controller:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "D886339E-EDB2-4879-BD54-1800E4CA9CAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "05AD47CC-8A6D-4AEC-B23E-701D3D649CC6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "0D299528-8EF0-49AF-9BDE-4B6C6B1DA36C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "17A91FD9-9F77-42D3-A4D9-48BC7568ADE1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "539DA24F-E3E0-4455-84C6-A9D96CD601B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "A7637F8B-15F1-42E2-BE18-E1FF7C66587D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "E43D793A-7756-4D58-A8ED-72DC4EC9CEA7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_unified_inventory_management:7.5.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0EBC7EB1-FD72-4BFC-92CC-7C8B8E462D7C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "6814B606-D054-433C-A46E-0F6E338E1C46",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "1F05AF4B-A747-4314-95AE-F8495479AB3E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:data_integrator:12.2.1.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9901F6BA-78D5-45B8-9409-07FF1C6DDD38",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9FADE563-5AAA-42FF-B43F-35B20A2386C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:database_server:12.1.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "5A7D10EB-D98F-4B80-AB9F-D8A9FC813E1C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:database_server:12.1.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "4F3D40B7-925C-413D-AFF3-60BF330D5BC2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:database_server:19c:*:*:*:*:*:*:*",
              "matchCriteriaId": "B2204841-585F-40C7-A1D9-C34E612808CA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:database_server:21c:*:*:*:*:*:*:*",
              "matchCriteriaId": "BDB96A21-161F-42A9-9402-FABEC9C0C15A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:demantra_demand_management:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "132DE874-6E47-452A-9FDD-27D5A41F046E",
              "versionEndIncluding": "12.2.11",
              "versionStartIncluding": "12.2.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:documaker:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "135D531C-A692-4BE3-AB8C-37BB0D35559A",
              "versionEndIncluding": "12.6.4",
              "versionStartIncluding": "12.6.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:e-business_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7E6DF81E-E392-49E5-ADF4-510A3737A5CE",
              "versionEndIncluding": "12.2.11",
              "versionStartIncluding": "12.2.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:enterprise_communications_broker:3.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "4BE83BC6-5A6F-40A1-AAC7-314A575D8E07",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "36CF85A9-2C29-46E7-961E-8ADD0B5822CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E80555C7-DA1C-472C-9467-19554DCE4476",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "D26F3E23-F1A9-45E7-9E5F-0C0A24EE3783",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "6E8758C8-87D3-450A-878B-86CE8C9FC140",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B095CC03-7077-4A58-AB25-CC5380CDCE5A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "7015A8CB-8FA6-423E-8307-BD903244F517",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:enterprise_session_border_controller:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F9A4E206-56C7-4578-AC9C-088B0C8D9CFE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:essbase:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C78A7E07-AB08-46C5-942D-B40BBE0C0D06",
              "versionEndExcluding": "11.1.2.4.47",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:essbase:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3197F464-F0A5-4BD4-9068-65CD448D8F4C",
              "versionEndExcluding": "21.3",
              "versionStartIncluding": "21.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:essbase:11.1.2.4.47:*:*:*:*:*:*:*",
              "matchCriteriaId": "809FD6D6-D05D-4387-A725-F707015DEFBB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:essbase_administration_services:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A093A76C-4B2C-4FAD-BFDF-09862F831102",
              "versionEndExcluding": "11.1.2.4.47",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:essbase_administration_services:11.1.2.4.47:*:*:*:*:*:*:*",
              "matchCriteriaId": "1A1277A9-C49C-4840-A118-986C10A07657",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7EA4D3C5-6A7C-4421-88EF-445A96DBCE0C",
              "versionEndIncluding": "8.1.1",
              "versionStartIncluding": "8.0.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:7.3.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "03B9F810-EF80-4551-BA6D-027B0B2A787D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "47B0A947-E4C8-4C04-AD3B-950E59DF7A0E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "1AC36036-07CE-4903-8FFB-445C6908F0CE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "435FDFA1-BF6A-499D-BDB6-88A26648DFD5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "AB3F3F63-9543-4568-BCB1-1CAF88384142",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "FC0C4CA4-1694-474E-8272-CF96E168D962",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "93E953D0-9C0C-4B03-9939-384A1F7E2BC9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:financial_services_foreign_account_tax_compliance_act_management:8.0.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "767CC73D-2771-4BBC-9D74-4416AEC6BB2E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:financial_services_foreign_account_tax_compliance_act_management:8.0.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "D33B68C6-2A4E-418C-A2BD-43A3CC5D1003",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:financial_services_foreign_account_tax_compliance_act_management:8.0.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "DAE3EA23-045D-474C-ABD8-916930D4E9E7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:financial_services_model_management_and_governance:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0E8FD060-E9A8-499C-87B0-AF7BBED7771F",
              "versionEndIncluding": "8.1.1",
              "versionStartIncluding": "8.0.8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.7:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "B57ECC6E-CC64-4DE7-B657-3BA54EDDFFF4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.8:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "10BBAD37-51A1-4819-807B-2642E9D4A69C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:flexcube_investor_servicing:12.0.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "B0A34DF8-72CC-4A8E-84F2-C2DF4A0B9FAB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:flexcube_investor_servicing:12.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "21BE77B2-6368-470E-B9E6-21664D9A818A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:flexcube_investor_servicing:12.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "3250073F-325A-4AFC-892F-F2005E3854A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:flexcube_investor_servicing:12.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0DDDC9C2-33D6-4123-9ABC-C9B809A6E88E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:flexcube_investor_servicing:14.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "524429D6-8AF1-4713-A9B8-678B50A3762F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:flexcube_investor_servicing:14.5.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "ED21B958-0FD0-4697-9CE2-266DEE4E29DC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "6762F207-93C7-4363-B2F9-7A7C6F8AF993",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "1B74B912-152D-4F38-9FC1-741D6D0B27FC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:fusion_middleware:12.2.1.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "2177A5E9-B260-499E-8D60-920679518425",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:fusion_middleware:12.2.1.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "6329B1A2-75A8-4909-B4FB-77AC7232B6ED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "EA86EF7E-6162-4244-9C88-7AF5CAB787E0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:goldengate:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DE5EA810-3110-4343-9054-0FCFCD608C25",
              "versionEndExcluding": "12.3.0.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:goldengate:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "78A48EA9-1CAB-4DD2-9DAD-0213F6EFC48C",
              "versionEndExcluding": "19.1.0.0.220118",
              "versionStartIncluding": "19.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:goldengate:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "71050E24-6915-4B5E-98ED-AFAA6C2FF38B",
              "versionEndExcluding": "21.5.0.0.220118",
              "versionStartIncluding": "21.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:goldengate_application_adapters:19.1.0.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E7BE0590-31BD-4FCD-B50E-A5F86196F99E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:graalvm:20.3.4:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "9F300E13-1B40-4B35-ACA5-4D402CD41055",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:graalvm:21.3.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "B10E38A6-783C-45A2-98A1-12FA1EB3D3AA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:graph_server_and_client:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "29312DB7-AFD2-459E-A166-95437ABED12C",
              "versionEndExcluding": "21.4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:health_sciences_clinical_development_analytics:4.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "4E45ADE3-2A3D-4FCA-BCDF-D0CC6CE0A23C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:health_sciences_inform_crf_submit:6.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "AB8797ED-52E7-47B6-9F78-E2402671CCAC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:health_sciences_information_manager:3.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "97C10FBE-FD9A-4739-9303-5B6FC7551D66",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:health_sciences_information_manager:3.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "CF45C905-9EFF-4108-9B70-9FFDDD6627A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:healthcare_data_repository:7.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "E03F5DEF-DDD7-4C8C-90EF-7E4BCDEFE34B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:healthcare_data_repository:8.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "66C673C4-A825-46C0-816B-103E1C058D03",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:healthcare_data_repository:8.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "BA92E70A-2249-4144-B0B8-35501159ADB3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:healthcare_foundation:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F88FB6C5-D797-4017-A285-D3BB24B55429",
              "versionEndIncluding": "7.3.0.2",
              "versionStartIncluding": "7.3.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:healthcare_foundation:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D747A956-40A6-47D8-A813-FA4E13CB557F",
              "versionEndIncluding": "8.0.2",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:healthcare_foundation:8.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E67501BE-206A-49FD-8CBA-22935DF917F1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:healthcare_foundation:8.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "6F04B1BA-EA84-4AA3-B208-DECC33E192EC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:healthcare_translational_research:4.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "523391D8-CB84-4EBD-B337-6A99F52E537F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:hospitality_cruise_shipboard_property_management_system:20.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "05F5B430-8BA1-4865-93B5-0DE89F424B53",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:hospitality_opera_5_property_services:5.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "B0C177E1-66B8-4AB7-A3F0-B6CCDCC28F75",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:hospitality_reporting_and_analytics:9.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "FCBF2756-B831-4E6E-A15B-2A11DD48DB7C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:hospitality_suite8:8.10.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "CBDA65DE-5727-49DC-8D50-DA81DB3E8841",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:hospitality_suite8:8.11.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A577DCD3-6730-441A-B3BD-6199483FB1E2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:hospitality_suite8:8.12.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "577A07A9-DBB1-49E6-B2CC-60B917097472",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:hospitality_suite8:8.13.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "D4833DCA-FC54-4F89-B2DF-8E39C9C49DF6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:hospitality_suite8:8.14.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "AD7E9060-BA5B-4682-AC0D-EE5105AD0332",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:http_server:12.2.1.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DFC79B17-E9D2-44D5-93ED-2F959E7A3D43",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:http_server:12.2.1.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "AD04BEE5-E9A8-4584-A68C-0195CE9C402C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:hyperion_financial_management:11.1.2.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "49706536-CE9B-4713-8460-CC961B50C341",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:hyperion_financial_management:11.2.6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F6F77F79-5E93-4FC2-84F2-26AF52B4C08A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:hyperion_ilearning:6.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "781049BF-3467-4DB5-89D4-6A76984E0261",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:hyperion_ilearning:6.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "058F9FC3-CA81-43BF-B083-DA8BE388E00A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.2.7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "52C13DE5-CA3C-414F-8813-BB0847433151",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "82EA4BA7-C38B-4AF3-8914-9E3D089EBDD4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "B9C9BC66-FA5F-4774-9BDA-7AB88E2839C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "7F69B9A5-F21B-4904-9F27-95C0F7A628E3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:insurance_data_gateway:11.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "BD4EE554-DFE7-4C16-BC98-574DC97FC85C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:insurance_data_gateway:11.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "EE4160ED-75F2-4499-AC6C-90CD092A46E1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:insurance_data_gateway:11.2.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F03BFDA-6904-42D7-8170-D6FD143BB16C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:insurance_data_gateway:11.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "32EE6974-6E2E-4DE8-9F2B-8FE0FCEFECFA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:insurance_data_gateway:11.3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "C85900AC-11DA-4FA8-A1E0-270240BF4B0E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "87B4051B-EB98-4D10-99D9-F15B44DBC7F0",
              "versionEndIncluding": "5.6.0",
              "versionStartIncluding": "5.4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "428D2B1D-CFFD-49D1-BC05-2D85D22004DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:insurance_policy_administration:11.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "0F89EC4B-6D34-40F0-B7C6-C03D03F81C13",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:insurance_policy_administration:11.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "00C9E689-ED91-4A9D-B9C0-5BF4EC131409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:insurance_policy_administration:11.2.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "7EFA1879-0BF9-4493-9145-15100BC38C0A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:insurance_policy_administration:11.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF958C28-4289-4433-8CD9-B6551F01926F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:insurance_policy_administration:11.3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "57E9FC66-F6A0-4FB0-8D92-2C9B9E3F2184",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:insurance_policy_administration_j2ee:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "48261B54-471D-4C03-AFF9-6F2EA8FA8EBB",
              "versionEndIncluding": "11.3.0",
              "versionStartIncluding": "11.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "64D4B80E-2B67-4BDC-9A3A-7BFDA171016A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "33E0F28C-1FF3-4E12-AAE4-A765F4F81EC0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "9A570E5E-A3BC-4E19-BC44-C28D8BC9A537",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:insurance_rules_palette:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5DEAB5CD-4223-4A43-AB9E-486113827A6C",
              "versionEndIncluding": "11.3.0",
              "versionStartIncluding": "11.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:insurance_rules_palette:10.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "AEDF91E2-E7B5-40EE-B71F-C7D59F4021BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:insurance_rules_palette:10.2.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "9A94F93C-5828-4D78-9C48-20AC17E72B8E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "F3E25293-CB03-44CE-A8ED-04B3A0487A6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:insurance_rules_palette:11.3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "E2B51896-E4DA-4FDA-979F-481FFB3E588A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:java_se:7u321:*:*:*:*:*:*:*",
              "matchCriteriaId": "9F0BF15F-D4D2-4A88-BA15-79B624C4AC7D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:java_se:8u311:*:*:*:*:*:*:*",
              "matchCriteriaId": "D63E2911-7DA8-41AC-AB7A-1AA29076F69F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:java_se:17.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "674AFFA3-E9BA-4AFD-9A73-2A4A9DE427E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "65D65139-BB80-4713-8E59-6CA1116DCC1D",
              "versionEndExcluding": "9.2.6.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jdk:11.0.13:*:*:*:*:*:*:*",
              "matchCriteriaId": "A7F43D86-B696-41E4-A288-6A2D43A1774A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A2E3E923-E2AD-400D-A618-26ADF7F841A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9AB58D27-37F2-4A32-B786-3490024290A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AC7290F2-AF21-49B9-B3EF-869B7DE1A2AC",
              "versionEndExcluding": "7.4.34",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "00D3ECDE-287B-4336-898A-0DFEBE2AB6C3",
              "versionEndExcluding": "7.5.24",
              "versionStartIncluding": "7.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "105CBFD5-20DF-4BF0-9629-B87AF404E33D",
              "versionEndExcluding": "7.6.20",
              "versionStartIncluding": "7.6.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E248F8CE-5B39-457D-A47E-620858340840",
              "versionEndExcluding": "8.0.27",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:mysql_connectors:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9CD3AAAD-5F6E-4A3C-9CFC-EC4866628ABD",
              "versionEndExcluding": "8.0.27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:mysql_connectors:8.0.27:*:*:*:*:*:*:*",
              "matchCriteriaId": "9E1912FB-8ABF-4640-92E7-367A4923267C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2C9E5736-6015-499E-A452-227DCFB87DA7",
              "versionEndExcluding": "5.7.36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F2B0D740-75B1-4953-A99F-965F999FDC64",
              "versionEndExcluding": "8.0.27",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:mysql_server:5.7.36:*:*:*:*:*:*:*",
              "matchCriteriaId": "A3F3390B-4081-473F-A5E0-B5E3A3888F04",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:mysql_workbench:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3C56CECB-6B97-406C-8761-8B7F74CA7DEF",
              "versionEndExcluding": "8.0.27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7167D144-C4AE-487F-B59A-888E10EA59DF",
              "versionEndExcluding": "21.1.12",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:oss_support_tools:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "71CB79ED-A93E-4CBD-BCDD-82C5A00B373B",
              "versionEndExcluding": "2.12.42",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_cs_sa_integration_pack:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E4859861-C2EC-489F-A3B7-ACF85C709C24",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_cs_sa_integration_pack:9.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "247C0D05-C76B-44BC-8750-C716FF980D70",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_people_tools:8.57:*:*:*:*:*:*:*",
              "matchCriteriaId": "E2CB2872-747C-47AC-8463-DD759BF105B6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_people_tools:8.58:*:*:*:*:*:*:*",
              "matchCriteriaId": "1DBC53C9-75EC-46F7-907D-63BB74864CD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_people_tools:8.59:*:*:*:*:*:*:*",
              "matchCriteriaId": "D370F2E3-EF8A-440C-8319-D52FA3431428",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*",
              "matchCriteriaId": "7E1E416B-920B-49A0-9523-382898C2979D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*",
              "matchCriteriaId": "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F47057A9-2DDE-4178-B140-F7D70EAED8F6",
              "versionEndIncluding": "12.2.24",
              "versionStartIncluding": "12.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:policy_automation:10.4.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "9D8B3B57-73D6-4402-987F-8AE723D52F94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_analytics:18.8.3.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "FA9948AB-0CA6-4148-949C-E500466B45F5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_analytics:19.12.11.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "56D17905-5E69-4BD5-973B-30662AC3D678",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_analytics:20.12.12.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "70E72A74-F6A9-48EE-9279-3D9E53C2EC30",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_data_warehouse:18.8.3.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "F14C6AB5-CC45-4753-A60F-1F527B063127",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_data_warehouse:19.12.11.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "583BBDF1-DBE4-486D-ABF8-7D2B0408490A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_data_warehouse:20.12.12.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C9810151-6F80-48FD-A51E-F063EB2B7324",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8B1C88FD-C2EC-4C96-AC7E-6F95C8763B48",
              "versionEndIncluding": "17.12.11",
              "versionStartIncluding": "17.12.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A621A5AE-6974-4BA5-B1AC-7130A46F68F5",
              "versionEndIncluding": "18.8.13",
              "versionStartIncluding": "18.8.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4096281D-2EBA-490D-8180-3C9D05EB890A",
              "versionEndIncluding": "19.12.12",
              "versionStartIncluding": "19.12.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E6B70E72-B9FC-4E49-8EDD-29C7E14F5792",
              "versionEndIncluding": "20.12.7",
              "versionStartIncluding": "20.12.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_gateway:21.12.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "15F45363-236B-4040-8AE4-C6C0E204EDBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DAB9BA0D-7149-4221-A5AE-D4664E11C86F",
              "versionEndIncluding": "17.12.0.0-17.12.20.0",
              "versionStartIncluding": "17.12.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CFE4EAC8-A743-4658-AD72-088A5E747180",
              "versionEndIncluding": "18.8.24.0",
              "versionStartIncluding": "18.8.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AD0DEC50-F4CD-4ACA-A118-D4F0D4F4C981",
              "versionEndIncluding": "19.12.18.0",
              "versionStartIncluding": "19.12.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "651104CE-0569-4E6D-ACAB-AD2AC85084DD",
              "versionEndIncluding": "20.12.12.0",
              "versionStartIncluding": "20.12.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:21.12.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "45D89239-9142-46BD-846D-76A5A74A67B1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_p6_professional_project_management:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E867F5E0-48A0-4D84-A0CA-A428FB2264D4",
              "versionEndIncluding": "17.12.20.0",
              "versionStartIncluding": "17.12.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_p6_professional_project_management:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "05B3FCDE-7EF8-49CA-9C09-9033E5D7B91E",
              "versionEndIncluding": "18.8.24.0",
              "versionStartIncluding": "18.8.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_p6_professional_project_management:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "05848067-59FF-4C90-A8BA-D1E4311B3A82",
              "versionEndIncluding": "19.12.17.0",
              "versionStartIncluding": "19.12.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_p6_professional_project_management:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC6AD8C8-96ED-4CFB-9953-99139FABCE35",
              "versionEndIncluding": "20.12.9.0",
              "versionStartIncluding": "20.12.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_portfolio_management:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F67F218D-E827-482B-8417-483713F31D69",
              "versionEndIncluding": "18.0.3.0",
              "versionStartIncluding": "18.0.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_portfolio_management:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0ADB354B-AD0D-4EFA-B7C6-71A35FA0AFF9",
              "versionEndIncluding": "19.0.1.2",
              "versionStartIncluding": "19.0.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_portfolio_management:20.0.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "53B3B01A-532C-45B7-9BFC-19AABF55644B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_portfolio_management:20.0.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "683ABA64-9F16-4C23-8AF3-BB0C19FED9B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "08FA59A8-6A62-4B33-8952-D6E658F8DAC9",
              "versionEndIncluding": "17.12",
              "versionStartIncluding": "17.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "202AD518-2E9B-4062-B063-9858AE1F9CE2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "10864586-270E-4ACF-BDCC-ECFCD299305F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "38340E3C-C452-4370-86D4-355B6B4E0A06",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "E9C55C69-E22E-4B80-9371-5CD821D79FE2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:rapid_planning:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CE004F32-F4DA-45A8-AD11-8924C4F1076A",
              "versionEndIncluding": "12.2.11",
              "versionStartIncluding": "12.2.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:real-time_decision_server:3.2.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C914A8CA-352B-4B02-8A2F-D5A6EC04AF53",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:real_user_experience_insight:13.4.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "CADD7026-EF85-40A5-8563-7A34C6941B1F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:real_user_experience_insight:13.5.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "58F019E8-F68D-41B5-9480-0A81616F2E7C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:rest_data_services:21.2.4:*:*:*:-:*:*:*",
              "matchCriteriaId": "12F5FDCF-EA13-44F1-B3D8-94310CD3841C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_allocation:14.1.3.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "51E83F05-B691-4450-BCA9-32209AEC4F6A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_allocation:15.0.3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "288235F9-2F9E-469A-BE14-9089D0782875",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_allocation:16.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "6672F9C1-DA04-47F1-B699-C171511ACE38",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_allocation:19.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "11E57939-A543-44F7-942A-88690E39EABA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_analytics:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "90D4D479-0294-4F31-B719-8544C8DC4554",
              "versionEndIncluding": "16.0.2",
              "versionStartIncluding": "16.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_assortment_planning:16.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "48C9BD8E-7214-4B44-B549-6F11B3EA8A04",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "F0735989-13BD-40B3-B954-AC0529C5B53D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "58405263-E84C-4071-BB23-165D49034A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_customer_insights:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "08DF20EA-D1A6-4437-90F6-C0C40273CE5B",
              "versionEndIncluding": "16.0.2",
              "versionStartIncluding": "16.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B92BB355-DB00-438E-84E5-8EC007009576",
              "versionEndIncluding": "19.0",
              "versionStartIncluding": "16.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_eftlink:16.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "F3796186-D3A7-4259-846B-165AD9CEB7F1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_eftlink:17.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "CEDA5540-692D-47DA-9F68-83158D9AE628",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_eftlink:18.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "C5435583-C454-4AC9-8A35-D2D30EB252EE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_eftlink:19.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "A2140357-503A-4D2A-A099-CFA4DC649E41",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_eftlink:20.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "6BAE5686-8E11-4EF1-BC7E-5C565F2440C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_extract_transform_and_load:13.2.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "31FFE404-027E-4B59-B3EF-BD20E1F7EECC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_financial_integration:14.1.3.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "798E4FEE-9B2B-436E-A2B3-B8AA1079892A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_financial_integration:15.0.3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "CB86F6C3-981E-4ECA-A5EB-9A9CD73D70C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_financial_integration:16.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "6B042849-7EF5-4A5F-B6CD-712C0B8735BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_financial_integration:19.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "7435071D-0C95-4686-A978-AFC4C9A0D0FE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_fiscal_management:14.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "A5F6FD19-A314-4A1F-96CB-6DB1CED79430",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_integration_bus:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A921C710-1C59-429F-B985-67C0DBFD695E",
              "versionEndIncluding": "16.0.3",
              "versionStartIncluding": "16.0.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_integration_bus:13.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "40AABFD3-1D0D-4C6B-BA9A-9DA70241B51C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_integration_bus:14.1.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4EEF867A-587A-45E1-B2F6-0B903903F0F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_integration_bus:14.1.3.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "8CFCE558-9972-46A2-8539-C16044F1BAA9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_integration_bus:15.0.3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "A1194C4E-CF42-4B4D-BA9A-40FDD28F1D58",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_integration_bus:19.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DFDF4CB0-4680-449A-8576-915721D59500",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_integration_bus:19.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "BD311C33-A309-44D5-BBFB-539D72C7F8C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_invoice_matching:15.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "A0472632-4104-4397-B619-C4E86A748465",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_invoice_matching:16.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "48E25E7C-F7E8-4739-8251-00ACD11C12FE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_merchandising_system:19.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "AE1BC44A-F0AF-41CD-9CEB-B07AB5ADAB38",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "38E74E68-7F19-4EF3-AC00-3C249EAAA39E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_order_broker:18.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0783F0D1-8FAC-4BCA-A6F5-C5C60E86D56D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_order_broker:19.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "C7BD0D41-1BED-4C4F-95C8-8987C98908DA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_order_management_system:19.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "99B5DC78-1C24-4F2B-A254-D833FAF47013",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_point-of-sale:14.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "274999E6-18ED-46F0-8CF2-56374B3DF174",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_predictive_application_server:14.1.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "6B1A4F12-3E64-41CF-B2B3-B6AB734B69E0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_predictive_application_server:14.1.3.46:*:*:*:*:*:*:*",
              "matchCriteriaId": "9002379B-4FDA-44F3-98EB-0C9B6083E429",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "24A3C819-5151-4543-A5C6-998C9387C8A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3.115:*:*:*:*:*:*:*",
              "matchCriteriaId": "476B038D-7F60-482D-87AD-B58BEA35558E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_predictive_application_server:16.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "4FB98961-8C99-4490-A6B8-9A5158784F5A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_predictive_application_server:16.0.3.240:*:*:*:*:*:*:*",
              "matchCriteriaId": "AB86C644-7B79-4F87-A06D-C178E8C2B8B4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_price_management:13.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "C19C5CC9-544A-4E4D-8F0A-579BB5270F07",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_price_management:14.0.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "3E1A9B0C-735A-40B4-901C-663CF5162E96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_price_management:14.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "5B956113-5B3B-436D-858B-8F29FB304364",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_price_management:14.1.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "E0DD7FAB-0E0F-4319-95BF-C90881CE2E7E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_price_management:15.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7E8917F6-00E7-47EC-B86D-A3B11D5F0E0D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_price_management:15.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC456422-00B5-498E-A28E-EA834367D943",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_price_management:16.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "EFC5F424-119D-4C66-8251-E735EEFBC0BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_price_management:16.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "5C745606-0EF8-4E57-BFBC-C3FB39CB7E1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "BDB925C6-2CBC-4D88-B9EA-F246F4F7A206",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_service_backbone:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0CE45891-A6A5-4699-90A6-6F49E60A7987",
              "versionEndIncluding": "16.0.3",
              "versionStartIncluding": "16.0.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_service_backbone:14.1.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "054F9E62-A6D6-4850-83AD-3628C74A4384",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_service_backbone:14.1.3.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "E702EBED-DB39-4084-84B1-258BC5FE7545",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_service_backbone:15.0.3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "3F7956BF-D5B6-484B-999C-36B45CD8B75B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_service_backbone:19.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0D14A54A-4B04-41DE-B731-844D8AC3BE23",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_service_backbone:19.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "9DA6B655-A445-42E5-B6D9-70AB1C04774A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_size_profile_optimization:16.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "74ACC94B-4A9F-451D-B639-6008A108BDDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "DEC41EB8-73B4-4BDF-9321-F34EC0BAF9E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "48EFC111-B01B-4C34-87E4-D6B2C40C0122",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "073FEA23-E46A-4C73-9D29-95CFF4F5A59D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "A69FB468-EAF3-4E67-95E7-DF92C281C1F1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:sd-wan_aware:8.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "667A06DE-E173-406F-94DA-1FE64BCFAE18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "77E39D5C-5EFA-4FEB-909E-0A92004F2563",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:sd-wan_edge:9.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "06816711-7C49-47B9-A9D7-FB18CC3F42F2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:secure_backup:18.1.0.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E8929B61-16EC-4FE0-98A5-1CC7CC7FD9CC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:siebel_applications:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6CA63BB4-27A9-4B26-B01C-1F527C7B9454",
              "versionEndExcluding": "21.12",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:spatial_studio:21.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "D926BD38-E66E-41DA-9F65-40D68F8D8890",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:thesaurus_management_system:5.2.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "01E3B232-073E-433B-977A-1742B75109B7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:thesaurus_management_system:5.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "6F6FDC33-D57E-4C6A-B633-BFC587147037",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:thesaurus_management_system:5.3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "F3B01572-9D32-44B2-8FCF-C282C887DB51",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:timesten_in-memory_database:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "513AE97F-161C-43D2-B2D1-653125A9E920",
              "versionEndExcluding": "11.2.2.8.27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:timesten_in-memory_database:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "34656ECE-15CB-495C-8573-7C98B383F15B",
              "versionEndExcluding": "21.1.1.1.0",
              "versionStartIncluding": "21.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "51309958-121D-4649-AB9A-EBFA3A49F7CB",
              "versionEndIncluding": "4.3.0.6.0",
              "versionStartIncluding": "4.3.0.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "5435B365-BFF3-4A9E-B45C-42D8F1E20FB7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "1FAC3840-2CF8-44CE-81BB-EEEBDA00A34A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "3F906F04-39E4-4BE4-8A73-9D058AAADB43",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7B393A82-476A-4270-A903-38ED4169E431",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "85CAE52B-C2CA-4C6B-A0B7-2B9D6F0499E2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "A3ED272C-A545-4F8C-86C0-2736B3F2DCAF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "C5B4C338-11E1-4235-9D5A-960B2711AC39",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "8C93F84E-9680-44EF-8656-D27440B51698",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:vm_virtualbox:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "91A2A4B0-88FC-41D1-8719-4FAABED19F8E",
              "versionEndExcluding": "6.1.32",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "D6A4F71A-4269-40FC-8F61-1D1301F2B728",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "5A502118-5B2B-47AE-82EC-1999BD841103",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C93CC705-1F8C-4870-99E6-14BF264C3811",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F14A818F-AA16-4438-A3E4-E64C9287AC66",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4A5BB153-68E0-4DDA-87D1-0D9AB7F0A418",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "04BCDC24-4A21-473C-8733-0D9CFB38A752",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "D3E503FB-6279-4D4A-91D8-E237ECF9D2B0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:zfs_storage_application_integration_engineering_software:1.3.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "CB85582D-0106-47F1-894F-0BC4FF0B5462",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "7569C0BD-16C1-441E-BAEB-840C94BE73EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:oracle:solaris:10:*:*:*:*:*:*:*",
              "matchCriteriaId": "964B57CD-CB8A-4520-B358-1C93EC5EF2DC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:oracle:solaris:11:*:*:*:*:*:*:*",
              "matchCriteriaId": "8E8C192B-8044-4BF9-9F1F-57371FC0E8FD",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:oracle:fujitsu_m10-1_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "4DB505EC-A54C-4033-B3A6-24CEF87A855D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:oracle:fujitsu_m10-1:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "0F63BFBA-A4D8-43D1-A13E-DEED6AEF596B",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:oracle:fujitsu_m10-4_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "D4A48DA6-C5A5-4B3D-B43B-31380223A55A",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:oracle:fujitsu_m10-4:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "D4BB5347-D09D-4FC5-9F1C-7F3E036C18AD",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:oracle:fujitsu_m10-4s_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "BB27AABE-079B-4DF0-ABEF-0D3329685B1E",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:oracle:fujitsu_m10-4s:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "529D4274-F33B-47C7-A3FB-6F86096FD955",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:oracle:fujitsu_m12-1_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "6D2D622F-E345-4A4D-861F-6460DF56880C",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:oracle:fujitsu_m12-1:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A534E662-66B7-448B-A763-6B043112C877",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:oracle:fujitsu_m12-2_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "FCBEE0C8-CC99-4A25-9342-208D4DB91AAD",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:oracle:fujitsu_m12-2:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "95541D18-5C33-49E9-924D-0B21162EC2C4",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:oracle:fujitsu_m12-2s_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "CE5C60CD-F890-4E3F-A2C3-9153591E7647",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:oracle:fujitsu_m12-2s:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "22FD4F61-0A4F-4C74-A852-B1CD3639E1D8",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad fue encontrada en Hibernate-Validator. La anotaci\u00f3n del validador SafeHtml no puede sanear apropiadamente las cargas \u00fatiles que consisten en c\u00f3digo potencialmente malicioso en los comentarios e instrucciones HTML. Esta vulnerabilidad puede resultar en un ataque de tipo XSS."
    }
  ],
  "id": "CVE-2019-10219",
  "lastModified": "2025-07-07T14:15:21.437",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-11-08T15:15:11.157",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2020:0159"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2020:0160"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2020:0161"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2020:0164"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2020:0445"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56cee"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://github.com/hibernate/hibernate-validator/commit/20d729548511ac5cff6fd459f93de137195420fe"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Adapted/CVE-2019-10219"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Origin/CVE-2019-10219/exploit"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://lists.apache.org/thread.html/r4f8b4e2541be4234946e40d55859273a7eec0f4901e8080ce2406fe6%40%3Cnotifications.accumulo.apache.org%3E"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://lists.apache.org/thread.html/r4f92d7f7682dcff92722fa947f9e6f8ba2227c5dc3e11ba09114897d%40%3Cnotifications.accumulo.apache.org%3E"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf%40%3Cnotifications.accumulo.apache.org%3E"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20220210-0024/"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2020:0159"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2020:0160"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2020:0161"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2020:0164"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2020:0445"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56ceee"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/hibernate/hibernate-validator/commit/20d729548511ac5cff6fd459f93de137195420fe"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Adapted/CVE-2019-10219"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Origin/CVE-2019-10219/exploit"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/r4f8b4e2541be4234946e40d55859273a7eec0f4901e8080ce2406fe6%40%3Cnotifications.accumulo.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/r4f92d7f7682dcff92722fa947f9e6f8ba2227c5dc3e11ba09114897d%40%3Cnotifications.accumulo.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf%40%3Cnotifications.accumulo.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20220210-0024/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Secondary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-09-03 20:15
Modified
2024-11-21 09:43
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:6493Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:6494Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:6495Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:6497Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:6499Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:6500Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:6501Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2024-4629Vendor Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2276761Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/hnsecurity/vulns/blob/main/HNS-2024-09-Keycloak.md
af854a3a-2127-422b-91ae-364da2661108https://security.humanativaspa.it/an-analysis-of-the-keycloak-authentication-system/
Impacted products
Vendor Product Version
redhat keycloak *
redhat build_of_keycloak *
redhat single_sign-on -
redhat single_sign-on *
redhat enterprise_linux 7.0
redhat enterprise_linux 8.0
redhat enterprise_linux 9.0
redhat openshift_container_platform 4.11
redhat openshift_container_platform 4.12
redhat openshift_container_platform_for_linuxone 4.9
redhat openshift_container_platform_for_linuxone 4.10
redhat openshift_container_platform_for_power 4.9
redhat openshift_container_platform_for_power 4.10
redhat openshift_container_platform_ibm_z_systems 4.9
redhat openshift_container_platform_ibm_z_systems 4.10
redhat enterprise_linux 8.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EEB94F86-A977-493B-9F12-6991F84F955C",
              "versionEndExcluding": "24.0.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:build_of_keycloak:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "395F9BD6-C79B-442A-AA00-F96CA978B910",
              "versionEndExcluding": "22.012",
              "versionStartIncluding": "22.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "341E6313-20D5-44CB-9719-B20585DC5AD6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "92BC930F-97E8-4FA9-80C5-3A8DB327990B",
              "versionEndExcluding": "7.6.10",
              "versionStartIncluding": "7.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "EA983F8C-3A06-450A-AEFF-9429DE9A3454",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "40449571-22F8-44FA-B57B-B43F71AB25E2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "B02036DD-4489-480B-B7D4-4EB08952377B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "C7E78C55-45B6-4E01-9773-D3468F8EA9C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "30E2CF79-2D56-48AB-952E-5DDAFE471073",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "54E24055-813B-4E6D-94B7-FAD5F78B8537",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "CC262C4C-7B6A-4117-A50F-1FF69296DDD8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "E58526FB-522F-4AAC-B03C-9CAB443D0CFF",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una vulnerabilidad en Keycloak. Esta falla permite a los atacantes eludir la protecci\u00f3n por fuerza bruta al explotar el tiempo de los intentos de inicio de sesi\u00f3n. Al iniciar m\u00faltiples solicitudes de inicio de sesi\u00f3n simult\u00e1neamente, los atacantes pueden superar los l\u00edmites configurados para intentos fallidos antes de que el sistema los bloquee. Esta falla de tiempo permite a los atacantes realizar m\u00e1s intentos de adivinar contrase\u00f1as de lo previsto, lo que podr\u00eda comprometer la seguridad de las cuentas en los sistemas afectados."
    }
  ],
  "id": "CVE-2024-4629",
  "lastModified": "2024-11-21T09:43:14.917",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-09-03T20:15:09.003",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:6493"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:6494"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:6495"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:6497"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:6499"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:6500"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:6501"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2024-4629"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2276761"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/hnsecurity/vulns/blob/main/HNS-2024-09-Keycloak.md"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://security.humanativaspa.it/an-analysis-of-the-keycloak-authentication-system/"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-837"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-07-06 19:15
Modified
2024-11-21 04:27
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=1666499Issue Tracking, Third Party Advisory
secalert@redhat.comhttps://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E
secalert@redhat.comhttps://security.netapp.com/advisory/ntap-20220210-0020/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=1666499Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20220210-0020/Third Party Advisory
Impacted products
Vendor Product Version
hibernate hibernate_orm *
hibernate hibernate_orm *
redhat build_of_quarkus -
redhat decision_manager 7.0
redhat fuse *
redhat jboss_data_grid 7.0.0
redhat jboss_enterprise_application_platform -
redhat jboss_middleware_text-only_advisories -
redhat openstack 10
redhat openstack 13
redhat openstack 14
redhat single_sign-on -
quarkus quarkus *
redhat jboss_enterprise_application_platform 7.3
redhat jboss_enterprise_application_platform 7.4
redhat enterprise_linux 8.0
redhat jboss_enterprise_application_platform 7.3
redhat jboss_enterprise_application_platform 7.4
redhat enterprise_linux 7.0
redhat jboss_enterprise_application_platform 7.3
redhat enterprise_linux 6.0
redhat jboss_enterprise_application_platform 7.2
redhat enterprise_linux 8.0
redhat jboss_enterprise_application_platform 7.2
redhat enterprise_linux 7.0
redhat jboss_enterprise_application_platform 7.2
redhat enterprise_linux 6.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:hibernate:hibernate_orm:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A0960BC3-6311-47BC-8A26-64352815D61D",
              "versionEndExcluding": "5.3.18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:hibernate:hibernate_orm:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC6F089C-BBE4-4E11-BAC8-3CD6ADE1CA28",
              "versionEndExcluding": "5.4.18",
              "versionStartIncluding": "5.4.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "C4724F20-5376-4FB0-8DFA-A75004E2F60D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:decision_manager:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "68146098-58F8-417E-B165-5182527117C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:fuse:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BE29E03D-4680-49E1-8DB4-17B2705E9FBF",
              "versionEndExcluding": "7.8.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "CD354E32-A8B0-484C-B4C6-9FBCD3430D2D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "B8423D7F-3A8F-4AD8-BF51-245C9D8DD816",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_middleware_text-only_advisories:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "434B744A-9665-4340-B02D-7923FCB2B562",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*",
              "matchCriteriaId": "E722FEF7-58A6-47AD-B1D0-DB0B71B0C7AA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*",
              "matchCriteriaId": "704CFA1A-953E-4105-BFBE-406034B83DED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openstack:14:*:*:*:*:*:*:*",
              "matchCriteriaId": "EB7F358B-5E56-41AB-BB8A-23D3CB7A248B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "341E6313-20D5-44CB-9719-B20585DC5AD6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2A9BF484-A446-4315-B748-F4723622C464",
              "versionEndIncluding": "1.5.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "645A908C-18C2-4AB1-ACE7-3969E3A552A5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "645A908C-18C2-4AB1-ACE7-3969E3A552A5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 un fallo en Hibernate ORM en versiones anteriores a 5.3.18, 5.4.18 y 5.5.0.Beta1. Una inyecci\u00f3n SQL en la implementaci\u00f3n de la API JPA Criteria puede permitir literales no saneados cuando es usado un literal en las partes de la consulta SELECT o GROUP BY. Este fallo  podr\u00eda permitir a un atacante acceder a informaci\u00f3n no autorizada o posiblemente conducir a nuevos ataques"
    }
  ],
  "id": "CVE-2019-14900",
  "lastModified": "2024-11-21T04:27:38.783",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-07-06T19:15:12.230",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666499"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20220210-0020/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1666499"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20220210-0020/"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-07-07 20:15
Modified
2024-11-21 07:35
Severity ?
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_uri.
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2151618Issue Tracking, Vendor Advisory
secalert@redhat.comhttps://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3aPatch
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=2151618Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3aPatch
Impacted products
Vendor Product Version
redhat keycloak *
redhat single_sign-on *
redhat enterprise_linux 7.0
redhat enterprise_linux 8.0
redhat enterprise_linux 9.0
redhat single_sign-on -
redhat openshift_container_platform 4.11
redhat openshift_container_platform 4.12
redhat openshift_container_platform_for_ibm_linuxone 4.9
redhat openshift_container_platform_for_ibm_linuxone 4.10
redhat openshift_container_platform_for_power 4.9
redhat openshift_container_platform_for_power 4.10
redhat enterprise_linux 8.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "756CF1FB-9891-4069-BBDF-BA548F6C1F9C",
              "versionEndExcluding": "21.1.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1C5D8D6E-F093-4A2E-B98C-C14E40140ABA",
              "versionEndExcluding": "7.6.4",
              "versionStartIncluding": "7.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "341E6313-20D5-44CB-9719-B20585DC5AD6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "EA983F8C-3A06-450A-AEFF-9429DE9A3454",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "40449571-22F8-44FA-B57B-B43F71AB25E2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_ibm_linuxone:4.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "8C519B1A-1CD6-426C-9339-F28E4FEF581B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_ibm_linuxone:4.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "91EE3858-A648-44B4-B282-8F808D88D3B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "30E2CF79-2D56-48AB-952E-5DDAFE471073",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "54E24055-813B-4E6D-94B7-FAD5F78B8537",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_uri."
    }
  ],
  "id": "CVE-2022-4361",
  "lastModified": "2024-11-21T07:35:08.000",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 10.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 6.0,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-07-07T20:15:09.813",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2151618"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3a"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2151618"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3a"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-81"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-09-19 16:15
Modified
2024-11-26 19:15
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:10385
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:10386
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:6878Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:6879Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:6880Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:6882Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:6886Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:6887Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:6888Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:6889Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:6890Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:8823
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:8824
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:8826
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2024-8883Vendor Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2312511Issue Tracking, Vendor Advisory
secalert@redhat.comhttps://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.javaProduct
Impacted products
Vendor Product Version
redhat build_of_keycloak -
redhat openshift_container_platform 4.11
redhat openshift_container_platform 4.12
redhat openshift_container_platform_for_ibm_z 4.9
redhat openshift_container_platform_for_ibm_z 4.10
redhat openshift_container_platform_for_linuxone 4.9
redhat openshift_container_platform_for_linuxone 4.10
redhat openshift_container_platform_for_power 4.9
redhat openshift_container_platform_for_power 4.10
redhat single_sign-on -
redhat single_sign-on 7.6


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "1830E455-7E11-4264-862D-05971A42D4A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "EA983F8C-3A06-450A-AEFF-9429DE9A3454",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "40449571-22F8-44FA-B57B-B43F71AB25E2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "01B0F191-ADDB-4AAE-A5C5-5CC16909E64A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_ibm_z:4.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "FD75BCB4-F0E1-4C05-A2D7-001503C805C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "B02036DD-4489-480B-B7D4-4EB08952377B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "C7E78C55-45B6-4E01-9773-D3468F8EA9C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "30E2CF79-2D56-48AB-952E-5DDAFE471073",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "54E24055-813B-4E6D-94B7-FAD5F78B8537",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "341E6313-20D5-44CB-9719-B20585DC5AD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "2DEC61BC-E699-456E-99B6-C049F2A5F23F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a \u0027Valid Redirect URI\u0027 is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una falla de configuraci\u00f3n incorrecta en Keycloak. Este problema puede permitir que un atacante redirija a los usuarios a una URL arbitraria si una \"URI de redireccionamiento v\u00e1lida\" est\u00e1 configurada en http://localhost o http://127.0.0.1, lo que permite que informaci\u00f3n confidencial, como c\u00f3digos de autorizaci\u00f3n, quede expuesta al atacante, lo que puede llevar al secuestro de la sesi\u00f3n."
    }
  ],
  "id": "CVE-2024-8883",
  "lastModified": "2024-11-26T19:15:32.253",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "secalert@redhat.com",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-09-19T16:15:06.403",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:10385"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:10386"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:6878"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:6879"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:6880"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:6882"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:6886"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:6887"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:6888"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:6889"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:6890"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:8823"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:8824"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2024:8826"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2024-8883"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312511"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/utils/RedirectUtils.java"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-09-13 14:15
Modified
2024-11-21 06:40
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain.
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2073401Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=2073401Issue Tracking, Vendor Advisory
Impacted products
Vendor Product Version
redhat wildfly *
redhat amq 2.0
redhat amq_online -
redhat integration_camel_k -
redhat integration_service_registry -
redhat jboss_a-mq 7
redhat jboss_enterprise_application_platform_expansion_pack -
redhat single_sign-on 7.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:wildfly:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "426B1BCF-20D8-4793-AC27-D8547F86DB3B",
              "versionEndExcluding": "27.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:amq:2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B6D3AF88-5812-4BB6-871F-C0EA39AD66AE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:amq_online:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "153BBB97-7890-4C7A-9EDD-92A426B06DEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "B87C8AD3-8878-4546-86C2-BF411876648C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:integration_service_registry:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF03BDE8-602D-4DEE-BA5B-5B20FDF47741",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_a-mq:7:*:*:*:*:*:*:*",
              "matchCriteriaId": "A58966CB-36AF-4E64-AB39-BE3A0753E155",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "0A24CBFB-4900-47A5-88D2-A44C929603DC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain."
    },
    {
      "lang": "es",
      "value": "Se ha encontrado un fallo en WildFly, en el que un atacante puede visualizar los nombres de los despliegues, los endpoints y cualquier otro dato que pueda contener la carga \u00fatil de rastreo"
    }
  ],
  "id": "CVE-2022-1278",
  "lastModified": "2024-11-21T06:40:23.890",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-09-13T14:15:08.620",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073401"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073401"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1188"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1188"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-08-13 21:15
Modified
2025-01-14 19:29
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
References
cret@cert.orghttp://lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.htmlMailing List, Third Party Advisory
cret@cert.orghttp://lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.htmlMailing List, Third Party Advisory
cret@cert.orghttp://lists.opensuse.org/opensuse-security-announce/2019-09/msg00011.htmlMailing List, Third Party Advisory
cret@cert.orghttp://lists.opensuse.org/opensuse-security-announce/2019-09/msg00021.htmlMailing List, Third Party Advisory
cret@cert.orghttp://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.htmlMailing List, Third Party Advisory
cret@cert.orghttp://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.htmlMailing List, Third Party Advisory
cret@cert.orghttp://lists.opensuse.org/opensuse-security-announce/2019-09/msg00038.htmlMailing List, Third Party Advisory
cret@cert.orghttp://seclists.org/fulldisclosure/2019/Aug/16Mailing List, Third Party Advisory
cret@cert.orghttp://www.openwall.com/lists/oss-security/2019/08/20/1Mailing List, Third Party Advisory
cret@cert.orghttp://www.openwall.com/lists/oss-security/2023/10/18/8
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:2594Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:2661Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:2682Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:2690Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:2726Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:2766Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:2769Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:2796Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:2861Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:2925Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:2939Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:2955Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:2966Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:3131Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:3245Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:3265Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:3892Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:3906Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:4018Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:4019Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:4020Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:4021Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:4040Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:4041Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:4042Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:4045Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:4269Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:4273Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2019:4352Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2020:0406Third Party Advisory
cret@cert.orghttps://access.redhat.com/errata/RHSA-2020:0727Third Party Advisory
cret@cert.orghttps://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.mdThird Party Advisory
cret@cert.orghttps://kb.cert.org/vuls/id/605641/Third Party Advisory, US Government Resource
cret@cert.orghttps://kc.mcafee.com/corporate/index?page=content&id=SB10296Third Party Advisory
cret@cert.orghttps://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E
cret@cert.orghttps://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E
cret@cert.orghttps://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E
cret@cert.orghttps://lists.debian.org/debian-lts-announce/2020/12/msg00011.htmlThird Party Advisory
cret@cert.orghttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4BBP27PZGSY6OP6D26E5FW4GZKBFHNU7/
cret@cert.orghttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/
cret@cert.orghttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/
cret@cert.orghttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYO6E3H34C346D2E443GLXK7OK6KIYIQ/
cret@cert.orghttps://seclists.org/bugtraq/2019/Aug/24Mailing List, Third Party Advisory
cret@cert.orghttps://seclists.org/bugtraq/2019/Aug/31Mailing List, Third Party Advisory
cret@cert.orghttps://seclists.org/bugtraq/2019/Aug/43Mailing List, Third Party Advisory
cret@cert.orghttps://seclists.org/bugtraq/2019/Sep/18Mailing List, Third Party Advisory
cret@cert.orghttps://security.netapp.com/advisory/ntap-20190823-0001/Third Party Advisory
cret@cert.orghttps://security.netapp.com/advisory/ntap-20190823-0004/Third Party Advisory
cret@cert.orghttps://security.netapp.com/advisory/ntap-20190823-0005/Third Party Advisory
cret@cert.orghttps://support.f5.com/csp/article/K01988340Third Party Advisory
cret@cert.orghttps://support.f5.com/csp/article/K01988340?utm_source=f5support&amp%3Butm_medium=RSS
cret@cert.orghttps://usn.ubuntu.com/4308-1/Third Party Advisory
cret@cert.orghttps://www.debian.org/security/2019/dsa-4503Third Party Advisory
cret@cert.orghttps://www.debian.org/security/2019/dsa-4508Third Party Advisory
cret@cert.orghttps://www.debian.org/security/2019/dsa-4520Third Party Advisory
cret@cert.orghttps://www.debian.org/security/2020/dsa-4669Third Party Advisory
cret@cert.orghttps://www.synology.com/security/advisory/Synology_SA_19_33Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.htmlMailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.htmlMailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00011.htmlMailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00021.htmlMailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.htmlMailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.htmlMailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00038.htmlMailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://seclists.org/fulldisclosure/2019/Aug/16Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2019/08/20/1Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2023/10/18/8
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2594Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2661Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2682Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2690Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2726Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2766Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2769Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2796Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2861Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2925Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2939Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2955Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2966Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:3131Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:3245Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:3265Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:3892Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:3906Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:4018Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:4019Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:4020Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:4021Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:4040Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:4041Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:4042Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:4045Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:4269Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:4273Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:4352Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0406Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0727Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.mdThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://kb.cert.org/vuls/id/605641/Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108https://kc.mcafee.com/corporate/index?page=content&id=SB10296Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2020/12/msg00011.htmlThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4BBP27PZGSY6OP6D26E5FW4GZKBFHNU7/
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYO6E3H34C346D2E443GLXK7OK6KIYIQ/
af854a3a-2127-422b-91ae-364da2661108https://seclists.org/bugtraq/2019/Aug/24Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://seclists.org/bugtraq/2019/Aug/31Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://seclists.org/bugtraq/2019/Aug/43Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://seclists.org/bugtraq/2019/Sep/18Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20190823-0001/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20190823-0004/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20190823-0005/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://support.f5.com/csp/article/K01988340Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://support.f5.com/csp/article/K01988340?utm_source=f5support&amp%3Butm_medium=RSS
af854a3a-2127-422b-91ae-364da2661108https://usn.ubuntu.com/4308-1/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.debian.org/security/2019/dsa-4503Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.debian.org/security/2019/dsa-4508Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.debian.org/security/2019/dsa-4520Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.debian.org/security/2020/dsa-4669Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.synology.com/security/advisory/Synology_SA_19_33Third Party Advisory
Impacted products
Vendor Product Version
apple swiftnio *
apple mac_os_x *
canonical ubuntu_linux *
apache traffic_server *
apache traffic_server *
apache traffic_server *
debian debian_linux 10.0
canonical ubuntu_linux 16.04
canonical ubuntu_linux 18.04
canonical ubuntu_linux 19.04
debian debian_linux 9.0
debian debian_linux 10.0
synology skynas -
synology diskstation_manager 6.2
synology vs960hd_firmware -
synology vs960hd -
fedoraproject fedora 29
fedoraproject fedora 30
opensuse leap 15.0
opensuse leap 15.1
redhat developer_tools 1.0
redhat jboss_core_services 1.0
redhat jboss_enterprise_application_platform 7.2.0
redhat jboss_enterprise_application_platform 7.3.0
redhat openshift_container_platform 3.9
redhat openshift_container_platform 3.10
redhat openshift_container_platform 3.11
redhat openshift_container_platform 4.1
redhat openshift_container_platform 4.2
redhat openshift_service_mesh 1.0
redhat openstack 14
redhat quay 3.0.0
redhat single_sign-on 7.3
redhat software_collections 1.0
redhat enterprise_linux 8.0
redhat enterprise_linux_eus 8.1
redhat enterprise_linux_server 7.0
redhat enterprise_linux_workstation 7.0
oracle graalvm 19.2.0
mcafee web_gateway *
mcafee web_gateway *
mcafee web_gateway *
netapp cloud_insights -
netapp trident -
f5 big-ip_local_traffic_manager *
f5 big-ip_local_traffic_manager *
f5 big-ip_local_traffic_manager *
f5 big-ip_local_traffic_manager *
f5 big-ip_local_traffic_manager *
f5 big-ip_local_traffic_manager *
nodejs node.js *
nodejs node.js *
nodejs node.js *
nodejs node.js *
nodejs node.js *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apple:swiftnio:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "93988E60-006B-434D-AB16-1FA1D2FEBC2A",
              "versionEndIncluding": "1.4.0",
              "versionStartIncluding": "1.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1D294D56-E784-4DA8-9C2C-BC5A05C92C0C",
              "versionStartIncluding": "10.12",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "65B1D2F6-BC1F-47AF-B4E6-4B50986AC622",
              "versionStartIncluding": "14.04",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "603BF43B-FC99-4039-A3C0-467F015A32FA",
              "versionEndIncluding": "6.2.3",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "07BB02CE-D4F2-459C-B0C6-FF78BF7996AE",
              "versionEndIncluding": "7.1.6",
              "versionStartIncluding": "7.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D875E0D8-D109-4F7F-A4C4-9EDD66CEE74E",
              "versionEndIncluding": "8.0.3",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
              "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
              "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*",
              "matchCriteriaId": "CD783B0C-9246-47D9-A937-6144FE8BFF0F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:synology:skynas:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "7C997777-BE79-4F77-90D7-E1A71D474D88",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "D9685B12-824F-42AD-B87C-6E7A78BB7FA5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:synology:vs960hd_firmware:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "3D0C5120-B961-440F-B454-584BC54B549C",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:synology:vs960hd:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "1CCBDFF9-AF42-4681-879B-CF789EBAD130",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*",
              "matchCriteriaId": "D100F7CE-FC64-4CC6-852A-6136D72DA419",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*",
              "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F1E78106-58E6-4D59-990F-75DA575BFAD9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:developer_tools:1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "60937D60-6B78-400F-8D30-7FCF328659A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_core_services:1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A2466282-51AB-478D-9FF4-FA524265ED2E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0952BA1A-5DF9-400F-B01F-C3A398A8A2D4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "8B157A2D-3422-4224-82D9-15AB3B989075",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:3.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "309CB6F8-F178-454C-BE97-787F78647C28",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:3.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "4DBCD38F-BBE8-488C-A8C3-5782F191D915",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F87326E-0B56-4356-A889-73D026DB1D4B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "064E7BDD-4EF0-4A0D-A38D-8C75BAFEDCEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "4C85A84D-A70F-4B02-9E5D-CD9660ABF048",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_service_mesh:1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "732F14CE-7994-4DD2-A28B-AE9E79826C01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openstack:14:*:*:*:*:*:*:*",
              "matchCriteriaId": "EB7F358B-5E56-41AB-BB8A-23D3CB7A248B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:quay:3.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B1987BDA-0113-4603-B9BE-76647EB043F2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "E939A0E0-3437-459E-9FAB-FE42811B1D32",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9D7EE4B6-A6EC-4B9B-91DF-79615796673F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "92BC9265-6959-4D37-BE5E-8C45E98992F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "51EF4996-72F4-4FA4-814F-F5991E7A8318",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "825ECE2D-E232-46E0-A047-074B34DB1E97",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:oracle:graalvm:19.2.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "C120C2F1-D50D-49CC-8E96-207ACCA49674",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mcafee:web_gateway:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "765E9856-2748-4A8B-91F5-A4DB3C8C547A",
              "versionEndExcluding": "7.7.2.24",
              "versionStartIncluding": "7.7.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mcafee:web_gateway:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EE6E66B1-3291-4E8E-93D6-30E9FDCF983E",
              "versionEndExcluding": "7.8.2.13",
              "versionStartIncluding": "7.8.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mcafee:web_gateway:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "227104AD-396D-4ADD-87C7-C4CD5583DA04",
              "versionEndExcluding": "8.2.0",
              "versionStartIncluding": "8.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:netapp:cloud_insights:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "26FCA75B-4282-4E0F-95B4-640A82C8E91C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:trident:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "5D9A34F5-AC03-4098-A37D-AD50727DDB11",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "99C12BA5-2D81-4973-824E-2BDDA70F2485",
              "versionEndExcluding": "11.6.5.1",
              "versionStartIncluding": "11.6.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "591EA641-C103-4575-97D5-15D41B20E581",
              "versionEndExcluding": "12.1.5.1",
              "versionStartIncluding": "12.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A3F3F4FD-8BB9-468D-B50F-B25B17AF0F3A",
              "versionEndExcluding": "13.1.3.2",
              "versionStartIncluding": "13.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "63529AEA-8B74-4CA1-BADF-14514D243DC5",
              "versionEndExcluding": "14.0.1.1",
              "versionStartIncluding": "14.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A4D87CCF-ED81-4B69-9D02-D5B79082E0FF",
              "versionEndExcluding": "14.1.2.1",
              "versionStartIncluding": "14.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5485F6ED-F324-4124-9116-79E70909C5F7",
              "versionEndExcluding": "15.0.1.1",
              "versionStartIncluding": "15.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "74FB695D-2C76-47AB-988E-5629D2E695E5",
              "versionEndIncluding": "8.8.1",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*",
              "matchCriteriaId": "CFC0252A-DF1D-4CF4-B450-27267227B599",
              "versionEndExcluding": "8.16.1",
              "versionStartIncluding": "8.9.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "25A3180B-21AF-4010-9DAB-41ADFD2D8031",
              "versionEndIncluding": "10.12.0",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*",
              "matchCriteriaId": "2EC65858-FF7B-4171-82EA-80942D426F40",
              "versionEndExcluding": "10.16.3",
              "versionStartIncluding": "10.13.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "F522C500-AA33-4029-865F-F27FB00A354E",
              "versionEndExcluding": "12.8.1",
              "versionStartIncluding": "12.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both."
    },
    {
      "lang": "es",
      "value": "Algunas implementaciones de HTTP / 2 son vulnerables a una inundaci\u00f3n de reinicio, lo que puede conducir a una denegaci\u00f3n de servicio. El atacante abre una serie de secuencias y env\u00eda una solicitud no v\u00e1lida sobre cada secuencia que deber\u00eda solicitar una secuencia de tramas RST_STREAM del par. Dependiendo de c\u00f3mo el igual pone en cola las tramas RST_STREAM, esto puede consumir un exceso de memoria, CPU o ambos."
    }
  ],
  "id": "CVE-2019-9514",
  "lastModified": "2025-01-14T19:29:55.853",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 7.8,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "cret@cert.org",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-08-13T21:15:12.443",
  "references": [
    {
      "source": "cret@cert.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.html"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.html"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00011.html"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00021.html"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00038.html"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2019/08/20/1"
    },
    {
      "source": "cret@cert.org",
      "url": "http://www.openwall.com/lists/oss-security/2023/10/18/8"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2594"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2661"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2682"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2690"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2726"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2766"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2769"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2796"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2861"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2925"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2939"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2955"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2966"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3131"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3245"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3265"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3892"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3906"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4018"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4019"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4020"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4021"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4040"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4041"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4042"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4045"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4269"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4273"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4352"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2020:0406"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2020:0727"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://kb.cert.org/vuls/id/605641/"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
    },
    {
      "source": "cret@cert.org",
      "url": "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E"
    },
    {
      "source": "cret@cert.org",
      "url": "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E"
    },
    {
      "source": "cret@cert.org",
      "url": "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00011.html"
    },
    {
      "source": "cret@cert.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4BBP27PZGSY6OP6D26E5FW4GZKBFHNU7/"
    },
    {
      "source": "cret@cert.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
    },
    {
      "source": "cret@cert.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
    },
    {
      "source": "cret@cert.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYO6E3H34C346D2E443GLXK7OK6KIYIQ/"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://seclists.org/bugtraq/2019/Aug/24"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://seclists.org/bugtraq/2019/Aug/31"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://seclists.org/bugtraq/2019/Aug/43"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://seclists.org/bugtraq/2019/Sep/18"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20190823-0001/"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20190823-0004/"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://support.f5.com/csp/article/K01988340"
    },
    {
      "source": "cret@cert.org",
      "url": "https://support.f5.com/csp/article/K01988340?utm_source=f5support\u0026amp%3Butm_medium=RSS"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://usn.ubuntu.com/4308-1/"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2019/dsa-4503"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2019/dsa-4508"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2019/dsa-4520"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2020/dsa-4669"
    },
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00011.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00021.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00038.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2019/Aug/16"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2019/08/20/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2023/10/18/8"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2594"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2661"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2682"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2690"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2726"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2766"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2769"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2796"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2861"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2925"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2939"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2955"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2966"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3131"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3245"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3265"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3892"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3906"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4018"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4019"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4020"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4021"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4040"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4041"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4042"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4045"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4269"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4273"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:4352"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2020:0406"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2020:0727"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://kb.cert.org/vuls/id/605641/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10296"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00011.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4BBP27PZGSY6OP6D26E5FW4GZKBFHNU7/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYO6E3H34C346D2E443GLXK7OK6KIYIQ/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://seclists.org/bugtraq/2019/Aug/24"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://seclists.org/bugtraq/2019/Aug/31"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://seclists.org/bugtraq/2019/Aug/43"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://seclists.org/bugtraq/2019/Sep/18"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20190823-0001/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20190823-0004/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://support.f5.com/csp/article/K01988340"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://support.f5.com/csp/article/K01988340?utm_source=f5support\u0026amp%3Butm_medium=RSS"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://usn.ubuntu.com/4308-1/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2019/dsa-4503"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2019/dsa-4508"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2019/dsa-4520"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2020/dsa-4669"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"
    }
  ],
  "sourceIdentifier": "cret@cert.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "cret@cert.org",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-10-16 14:15
Modified
2024-11-21 05:02
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
A flaw was found in JBoss EAP, where the authentication configuration is set-up using a legacy SecurityRealm, to delegate to a legacy PicketBox SecurityDomain, and then reloaded to admin-only mode. This flaw allows an attacker to perform a complete authentication bypass by using an arbitrary user and password. The highest threat to vulnerability is to system availability.
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=1848533Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=1848533Issue Tracking, Vendor Advisory
Impacted products
Vendor Product Version
redhat jboss_enterprise_application_platform *
redhat openshift_application_runtimes -
redhat single_sign-on 7.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC07E348-8BB8-4CAF-88C0-FD20E69AE45B",
              "versionEndExcluding": "5.0.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A33441B3-B301-426C-A976-08CE5FE72EFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in JBoss EAP, where the authentication configuration is set-up using a legacy SecurityRealm, to delegate to a legacy PicketBox SecurityDomain, and then reloaded to admin-only mode. This flaw allows an attacker to perform a complete authentication bypass by using an arbitrary user and password. The highest threat to vulnerability is to system availability."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 un fallo en JBoss EAP, donde la configuraci\u00f3n de autenticaci\u00f3n se configura usando un SecurityRealm heredado, para delegarlo en un SecurityDomain PicketBox heredado, y luego se vuelve a cargar al modo de solo administrador.\u0026#xa0;Este fallo permite a un atacante llevar a cabo una omisi\u00f3n de autenticaci\u00f3n completa mediante el uso de un usuario y una contrase\u00f1a arbitrarios.\u0026#xa0;La mayor amenaza a la vulnerabilidad es la disponibilidad del sistema"
    }
  ],
  "id": "CVE-2020-14299",
  "lastModified": "2024-11-21T05:02:57.350",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 6.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:N/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 6.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-10-16T14:15:11.533",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848533"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848533"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-05-24 19:15
Modified
2024-11-21 06:22
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final.
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=1977362Issue Tracking, Third Party Advisory
secalert@redhat.comhttps://security.netapp.com/advisory/ntap-20220729-0008/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=1977362Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20220729-0008/Third Party Advisory
Impacted products
Vendor Product Version
redhat integration -
redhat jboss_enterprise_application_platform -
redhat single_sign-on -
redhat undertow *
redhat undertow *
redhat wildfly_core *
redhat jboss_enterprise_application_platform 7.4
redhat enterprise_linux 7.0
redhat enterprise_linux 8.0
redhat jboss_enterprise_application_platform 7.3
redhat enterprise_linux 6.0
redhat enterprise_linux 7.0
redhat enterprise_linux 8.0
netapp active_iq_unified_manager -
netapp active_iq_unified_manager -
netapp active_iq_unified_manager -
netapp oncommand_insight -
netapp oncommand_workflow_automation -


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:integration:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "4BE98F59-76FC-4998-A9AB-1906C51EDF60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "B8423D7F-3A8F-4AD8-BF51-245C9D8DD816",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "341E6313-20D5-44CB-9719-B20585DC5AD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "542D0A09-0EF5-4BDB-AEE2-98E6FC6AB379",
              "versionEndExcluding": "2.0.40",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0B65C7D6-6D07-4795-A777-8108D1055644",
              "versionEndExcluding": "2.2.11",
              "versionStartIncluding": "2.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:wildfly_core:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2C4A24A1-6BFC-4CD8-998F-422D85D63947",
              "versionEndExcluding": "17.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "645A908C-18C2-4AB1-ACE7-3969E3A552A5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*",
              "matchCriteriaId": "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*",
              "matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*",
              "matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F1BE6C1F-2565-4E97-92AA-16563E5660A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "5735E553-9731-4AAC-BCFF-989377F817B3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final."
    },
    {
      "lang": "es",
      "value": "Se ha encontrado un fallo en Undertow. Un posible problema de seguridad en el manejo del control de flujo por parte del navegador sobre http/2 puede causar potencialmente una sobrecarga o una denegaci\u00f3n de servicio en el servidor. La mayor amenaza de esta vulnerabilidad es la disponibilidad. Este fallo afecta a Undertow versiones anteriores a 2.0.40.Final y 2.2.11.Final"
    }
  ],
  "id": "CVE-2021-3629",
  "lastModified": "2024-11-21T06:22:01.143",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-05-24T19:15:09.093",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1977362"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20220729-0008/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1977362"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20220729-0008/"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-08-31 16:15
Modified
2024-11-21 06:40
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADERS response packet instead of a CPONG.
References
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2022-1319Vendor Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2073890Issue Tracking, Vendor Advisory
secalert@redhat.comhttps://github.com/undertow-io/undertow/commit/1443a1a2bbb8e32e56788109d8285db250d55c8bPatch, Third Party Advisory
secalert@redhat.comhttps://github.com/undertow-io/undertow/commit/7c5b3ab885b5638fd3f1e8a935d5063d68aa2df3Patch, Third Party Advisory
secalert@redhat.comhttps://issues.redhat.com/browse/UNDERTOW-2060Issue Tracking, Vendor Advisory
secalert@redhat.comhttps://security.netapp.com/advisory/ntap-20221014-0006/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/security/cve/CVE-2022-1319Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=2073890Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/undertow-io/undertow/commit/1443a1a2bbb8e32e56788109d8285db250d55c8bPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/undertow-io/undertow/commit/7c5b3ab885b5638fd3f1e8a935d5063d68aa2df3Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://issues.redhat.com/browse/UNDERTOW-2060Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20221014-0006/Third Party Advisory
Impacted products
Vendor Product Version
redhat openshift_application_runtimes -
redhat single_sign-on 7.0
redhat undertow *
redhat undertow 2.2.17
redhat undertow 2.2.17
redhat undertow 2.2.17
redhat undertow 2.2.19
redhat undertow 2.2.19
redhat undertow 2.3.0
netapp active_iq_unified_manager -
netapp active_iq_unified_manager -
netapp active_iq_unified_manager -
netapp cloud_secure_agent -
netapp oncommand_insight -
netapp oncommand_workflow_automation -


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A33441B3-B301-426C-A976-08CE5FE72EFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B1470237-30DB-4A05-8148-621CEE66EA57",
              "versionEndExcluding": "2.2.17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:undertow:2.2.17:-:*:*:*:*:*:*",
              "matchCriteriaId": "FB2B656E-2229-4D16-B063-4D9456AEBF63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:undertow:2.2.17:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "04CA521E-1B46-44FB-AA69-309AC53A360A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:undertow:2.2.17:sp2:*:*:*:*:*:*",
              "matchCriteriaId": "005FB2BF-CF38-4F91-A24B-96D72222192C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:undertow:2.2.19:-:*:*:*:*:*:*",
              "matchCriteriaId": "269ECD35-C644-4B04-AAD3-D88F97CF0214",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:undertow:2.2.19:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "C0692735-244D-415B-894C-1A64E0307FC4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:undertow:2.3.0:alpha1:*:*:*:*:*:*",
              "matchCriteriaId": "F6DD3DE4-9C5D-4768-9414-C63D1D172B7F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*",
              "matchCriteriaId": "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*",
              "matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*",
              "matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F0F202E8-97E6-4BBB-A0B6-4CA3F5803C08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F1BE6C1F-2565-4E97-92AA-16563E5660A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "5735E553-9731-4AAC-BCFF-989377F817B3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADERS response packet instead of a CPONG."
    },
    {
      "lang": "es",
      "value": "Se ha encontrado un fallo en Undertow. Para una respuesta AJP 400, EAP 7 env\u00eda inapropiadamente el flag de re\u00faso habilitado aunque JBoss EAP cierra la conexi\u00f3n. es producido un fallo cuando la conexi\u00f3n es reusada despu\u00e9s de un 400 por CPING ya que lee en el segundo paquete de respuesta SEND_HEADERS en lugar de un CPONG"
    }
  ],
  "id": "CVE-2022-1319",
  "lastModified": "2024-11-21T06:40:28.920",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-08-31T16:15:09.410",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2022-1319"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073890"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/undertow-io/undertow/commit/1443a1a2bbb8e32e56788109d8285db250d55c8b"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/undertow-io/undertow/commit/7c5b3ab885b5638fd3f1e8a935d5063d68aa2df3"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://issues.redhat.com/browse/UNDERTOW-2060"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20221014-0006/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2022-1319"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073890"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/undertow-io/undertow/commit/1443a1a2bbb8e32e56788109d8285db250d55c8b"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/undertow-io/undertow/commit/7c5b3ab885b5638fd3f1e8a935d5063d68aa2df3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://issues.redhat.com/browse/UNDERTOW-2060"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20221014-0006/"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-252"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-252"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Secondary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2022-08-05 17:15
Modified
2024-11-21 07:01
Severity ?
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled
References
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2022-2668Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/security/cve/CVE-2022-2668Issue Tracking, Vendor Advisory
Impacted products
Vendor Product Version
redhat keycloak 18.0.0
redhat single_sign-on 7.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:18.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "3100EA5C-DA10-4E36-A826-1F88AA56343C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled"
    },
    {
      "lang": "es",
      "value": "Se ha detectado un problema en Keycloak que permite cargar Javascript arbitrario para el mapeador del protocolo SAML incluso si la funci\u00f3n UPLOAD_SCRIPTS est\u00e1 deshabilitada"
    }
  ],
  "id": "CVE-2022-2668",
  "lastModified": "2024-11-21T07:01:28.817",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-08-05T17:15:08.663",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2022-2668"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2022-2668"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2021-05-26 22:15
Modified
2024-11-21 04:55
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
An insecure modification flaw in the /etc/passwd file was found in the redhat-sso-7 container. An attacker with access to the container can use this flaw to modify the /etc/passwd and escalate their privileges.
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=1817530Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=1817530Issue Tracking, Vendor Advisory
Impacted products
Vendor Product Version
redhat single_sign-on *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EFE57629-BBA5-4D39-A70D-245E9FB8DE67",
              "versionEndExcluding": "7.4.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An insecure modification flaw in the /etc/passwd file was found in the redhat-sso-7 container. An attacker with access to the container can use this flaw to modify the /etc/passwd and escalate their privileges."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 un fallo de modificaci\u00f3n no segura del archivo /etc/passwd en el contenedor redhat-sso-7.\u0026#xa0;Un atacante con acceso al contenedor puede usar este fallo para modificar el archivo /etc/passwd y escalar sus privilegios"
    }
  ],
  "id": "CVE-2020-10695",
  "lastModified": "2024-11-21T04:55:52.253",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 4.6,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-05-26T22:15:07.817",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1817530"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1817530"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-266"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2020-03-16 15:15
Modified
2024-11-21 04:27
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
A flaw was found when an OpenSSL security provider is used with Wildfly, the 'enabled-protocols' value in the Wildfly configuration isn't honored. An attacker could target the traffic sent from Wildfly and downgrade the connection to a weaker version of TLS, potentially breaking the encryption. This could lead to a leak of the data being passed over the network. Wildfly version 7.2.0.GA, 7.2.3.GA and 7.2.5.CR2 are believed to be vulnerable.
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14887Issue Tracking, Vendor Advisory
secalert@redhat.comhttps://issues.redhat.com/browse/JBEAP-17965Permissions Required
secalert@redhat.comhttps://security.netapp.com/advisory/ntap-20200327-0007/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14887Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://issues.redhat.com/browse/JBEAP-17965Permissions Required
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20200327-0007/Third Party Advisory
Impacted products
Vendor Product Version
redhat jboss_data_grid 7.0.0
redhat jboss_enterprise_application_platform 7.0.0
redhat jboss_fuse 7.0.0
redhat openshift_application_runtimes -
redhat single_sign-on 7.0
redhat wildfly 7.2.0
redhat wildfly 7.2.3
redhat wildfly 7.2.5


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "CD354E32-A8B0-484C-B4C6-9FBCD3430D2D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "72A54BDA-311C-413B-8E4D-388AD65A170A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B40CCE4F-EA2C-453D-BB76-6388767E5C6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A33441B3-B301-426C-A976-08CE5FE72EFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:wildfly:7.2.0:general_availability:*:*:*:*:*:*",
              "matchCriteriaId": "3183A7CF-6426-4B9F-AC91-9CFD6F31CD2A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:wildfly:7.2.3:general_availability:*:*:*:*:*:*",
              "matchCriteriaId": "FA943E12-A502-40E7-833D-79C504667EA6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:wildfly:7.2.5:cr2:*:*:*:*:*:*",
              "matchCriteriaId": "DFBEF324-BC86-4DA8-9152-6E339C8751F4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found when an OpenSSL security provider is used with Wildfly, the \u0027enabled-protocols\u0027 value in the Wildfly configuration isn\u0027t honored. An attacker could target the traffic sent from Wildfly and downgrade the connection to a weaker version of TLS, potentially breaking the encryption. This could lead to a leak of the data being passed over the network. Wildfly version 7.2.0.GA, 7.2.3.GA and 7.2.5.CR2 are believed to be vulnerable."
    },
    {
      "lang": "es",
      "value": "Se detect\u00f3 un fallo cuando un proveedor de seguridad OpenSSL es usado con Wildfly, el valor de \"enabled-protocols\" en la configuraci\u00f3n de Wildfly no es respetado. Un atacante podr\u00eda apuntar al tr\u00e1fico enviado desde Wildfly y degradar la conexi\u00f3n a una versi\u00f3n m\u00e1s d\u00e9bil de TLS, rompiendo potencialmente el cifrado. Esto podr\u00eda conllevar a un filtrado de los datos que son pasados a trav\u00e9s de la red. Se cree que Wildfly versiones 7.2.0.GA, 7.2.3.GA y 7.2.5.CR2 son vulnerables."
    }
  ],
  "id": "CVE-2019-14887",
  "lastModified": "2024-11-21T04:27:36.843",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 6.4,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.2,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-03-16T15:15:12.130",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14887"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://issues.redhat.com/browse/JBEAP-17965"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20200327-0007/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14887"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://issues.redhat.com/browse/JBEAP-17965"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20200327-0007/"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-757"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-01-13 06:15
Modified
2025-04-09 14:15
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Summary
A flaw was found in Keycloak. This flaw allows impersonation and lockout due to the email trust not being handled correctly in Keycloak. An attacker can shadow other users with the same email and lockout or impersonate them.
References
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2023-0105Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/security/cve/CVE-2023-0105Vendor Advisory
Impacted products
Vendor Product Version
redhat keycloak -
redhat single_sign-on 7.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "6E0DE4E1-5D8D-40F3-8AC8-C7F736966158",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in Keycloak. This flaw allows impersonation and lockout due to the email trust not being handled correctly in Keycloak. An attacker can shadow other users with the same email and lockout or impersonate them."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una falla en Keycloak. Esta falla permite la suplantaci\u00f3n y el bloqueo debido a que la confianza del correo electr\u00f3nico no se maneja correctamente en Keycloak. Un atacante puede seguir a otros usuarios con el mismo correo electr\u00f3nico y bloquearlos o hacerse pasar por ellos."
    }
  ],
  "id": "CVE-2023-0105",
  "lastModified": "2025-04-09T14:15:27.327",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2023-01-13T06:15:11.983",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2023-0105"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2023-0105"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2018-11-13 19:29
Modified
2024-11-21 03:49
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final. When TOPT enabled, an improper implementation of the Brute Force detection algorithm will not enforce its protection measures.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2018:3592Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2018:3593Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2018:3595Vendor Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14657Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2018:3592Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2018:3593Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2018:3595Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14657Issue Tracking, Vendor Advisory
Impacted products
Vendor Product Version
redhat keycloak 4.2.1
redhat keycloak 4.3.0
redhat single_sign-on 7.2
redhat linux 7.0
redhat single_sign-on 7.2
redhat linux 6.0
redhat single_sign-on -


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:4.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "1CE2C1F8-8B2D-4334-ADFC-D2B67CBF0E94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:4.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "45BFBB51-AC74-453F-B24D-2BB1E04BD410",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "FABBE0BB-135A-458C-BD84-54C052FFDC57",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "29B186E5-7C2F-466E-AA4A-8F2B618F8A14",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "FABBE0BB-135A-458C-BD84-54C052FFDC57",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:linux:6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "2DFA94D5-0139-490C-8257-0751FE9FBAE4",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "341E6313-20D5-44CB-9719-B20585DC5AD6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final. When TOPT enabled, an improper implementation of the Brute Force detection algorithm will not enforce its protection measures."
    },
    {
      "lang": "es",
      "value": "Se ha descubierto un error en Keycloak 4.2.1.Final y 4.3.0.Final. Cuando TOPT est\u00e1 habilitado, la implementaci\u00f3n incorrecta del algoritmo de detecci\u00f3n de fuerza bruta no aplica sus medidas de protecci\u00f3n."
    }
  ],
  "id": "CVE-2018-14657",
  "lastModified": "2024-11-21T03:49:31.560",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-11-13T19:29:00.337",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:3592"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:3593"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:3595"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14657"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:3592"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:3593"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2018:3595"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14657"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-307"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-307"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-07-29 12:15
Modified
2024-11-21 04:26
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.
References
cve@mitre.orghttp://seclists.org/fulldisclosure/2022/Mar/23Mailing List, Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHBA-2019:2824Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:2743Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:2858Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:2935Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:2936Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:2937Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:2938Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:2998Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:3044Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:3045Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:3046Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:3050Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:3149Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:3200Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:3292Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:3297Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2019:3901Third Party Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2020:0727Third Party Advisory
cve@mitre.orghttps://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2Patch, Third Party Advisory
cve@mitre.orghttps://github.com/FasterXML/jackson-databind/issues/2387Issue Tracking, Patch, Third Party Advisory
cve@mitre.orghttps://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9%40%3Cdev.tomee.apache.org%3E
cve@mitre.orghttps://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69%40%3Ccommits.tinkerpop.apache.org%3E
cve@mitre.orghttps://lists.apache.org/thread.html/2766188be238a446a250ef76801037d452979152d85bce5e46805815%40%3Cissues.iceberg.apache.org%3E
cve@mitre.orghttps://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4%40%3Cdev.tomee.apache.org%3E
cve@mitre.orghttps://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d%40%3Cdev.tomee.apache.org%3E
cve@mitre.orghttps://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
cve@mitre.orghttps://lists.apache.org/thread.html/525bcf949a4b0da87a375cbad2680b8beccde749522f24c49befe7fb%40%3Ccommits.pulsar.apache.org%3E
cve@mitre.orghttps://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9%40%3Cdev.tomee.apache.org%3E
cve@mitre.orghttps://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319%40%3Cdev.tomee.apache.org%3E
cve@mitre.orghttps://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1%40%3Cdev.tomee.apache.org%3E
cve@mitre.orghttps://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6%40%3Cissues.iceberg.apache.org%3E
cve@mitre.orghttps://lists.apache.org/thread.html/689c6bcc6c7612eee71e453a115a4c8581e7b718537025d4b265783d%40%3Cissues.iceberg.apache.org%3E
cve@mitre.orghttps://lists.apache.org/thread.html/75f482fdc84abe6d0c8f438a76437c335a7bbeb5cddd4d70b4bc0cbf%40%3Cissues.iceberg.apache.org%3E
cve@mitre.orghttps://lists.apache.org/thread.html/859815b2e9f1575acbb2b260b73861c16ca49bca627fa0c46419051f%40%3Cissues.iceberg.apache.org%3E
cve@mitre.orghttps://lists.apache.org/thread.html/8723b52c2544e6cb804bc8a36622c584acd1bd6c53f2b6034c9fea54%40%3Cissues.iceberg.apache.org%3E
cve@mitre.orghttps://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b%40%3Cdev.tomee.apache.org%3E
cve@mitre.orghttps://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef%40%3Cdev.struts.apache.org%3E
cve@mitre.orghttps://lists.apache.org/thread.html/99944f86abefde389da9b4040ea2327c6aa0b53a2ff9352bd4cfec17%40%3Cissues.iceberg.apache.org%3E
cve@mitre.orghttps://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
cve@mitre.orghttps://lists.apache.org/thread.html/d161ff3d59c5a8213400dd6afb1cce1fac4f687c32d1e0c0bfbfaa2d%40%3Cissues.iceberg.apache.org%3E
cve@mitre.orghttps://lists.apache.org/thread.html/e25e734c315f70d8876a846926cfe3bfa1a4888044f146e844caf72f%40%3Ccommits.ambari.apache.org%3E
cve@mitre.orghttps://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be%40%3Cdev.tomee.apache.org%3E
cve@mitre.orghttps://lists.apache.org/thread.html/f17f63b0f8a57e4a5759e01d25cffc0548f0b61ff5c6bfd704ad2f2a%40%3Ccommits.ambari.apache.org%3E
cve@mitre.orghttps://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
cve@mitre.orghttps://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
cve@mitre.orghttps://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
cve@mitre.orghttps://lists.debian.org/debian-lts-announce/2019/08/msg00011.htmlMailing List, Third Party Advisory
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC/
cve@mitre.orghttps://security.netapp.com/advisory/ntap-20190814-0001/Third Party Advisory
cve@mitre.orghttps://support.apple.com/kb/HT213189Third Party Advisory
cve@mitre.orghttps://www.oracle.com/security-alerts/cpuApr2021.htmlPatch, Third Party Advisory
cve@mitre.orghttps://www.oracle.com/security-alerts/cpuapr2020.htmlThird Party Advisory
cve@mitre.orghttps://www.oracle.com/security-alerts/cpujan2020.htmlThird Party Advisory
cve@mitre.orghttps://www.oracle.com/security-alerts/cpujul2020.htmlThird Party Advisory
cve@mitre.orghttps://www.oracle.com/security-alerts/cpuoct2020.htmlPatch, Third Party Advisory
cve@mitre.orghttps://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.htmlPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://seclists.org/fulldisclosure/2022/Mar/23Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHBA-2019:2824Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2743Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2858Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2935Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2936Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2937Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2938Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:2998Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:3044Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:3045Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:3046Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:3050Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:3149Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:3200Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:3292Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:3297Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2019:3901Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2020:0727Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/FasterXML/jackson-databind/issues/2387Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9%40%3Cdev.tomee.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69%40%3Ccommits.tinkerpop.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/2766188be238a446a250ef76801037d452979152d85bce5e46805815%40%3Cissues.iceberg.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4%40%3Cdev.tomee.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d%40%3Cdev.tomee.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/525bcf949a4b0da87a375cbad2680b8beccde749522f24c49befe7fb%40%3Ccommits.pulsar.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9%40%3Cdev.tomee.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319%40%3Cdev.tomee.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1%40%3Cdev.tomee.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6%40%3Cissues.iceberg.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/689c6bcc6c7612eee71e453a115a4c8581e7b718537025d4b265783d%40%3Cissues.iceberg.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/75f482fdc84abe6d0c8f438a76437c335a7bbeb5cddd4d70b4bc0cbf%40%3Cissues.iceberg.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/859815b2e9f1575acbb2b260b73861c16ca49bca627fa0c46419051f%40%3Cissues.iceberg.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/8723b52c2544e6cb804bc8a36622c584acd1bd6c53f2b6034c9fea54%40%3Cissues.iceberg.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b%40%3Cdev.tomee.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef%40%3Cdev.struts.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/99944f86abefde389da9b4040ea2327c6aa0b53a2ff9352bd4cfec17%40%3Cissues.iceberg.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/d161ff3d59c5a8213400dd6afb1cce1fac4f687c32d1e0c0bfbfaa2d%40%3Cissues.iceberg.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/e25e734c315f70d8876a846926cfe3bfa1a4888044f146e844caf72f%40%3Ccommits.ambari.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be%40%3Cdev.tomee.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/f17f63b0f8a57e4a5759e01d25cffc0548f0b61ff5c6bfd704ad2f2a%40%3Ccommits.ambari.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2019/08/msg00011.htmlMailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC/
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20190814-0001/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://support.apple.com/kb/HT213189Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpuApr2021.htmlPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpuapr2020.htmlThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpujan2020.htmlThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpujul2020.htmlThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpuoct2020.htmlPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.htmlPatch, Third Party Advisory
Impacted products
Vendor Product Version
fasterxml jackson-databind *
fasterxml jackson-databind *
fasterxml jackson-databind *
fasterxml jackson-databind *
debian debian_linux 8.0
netapp active_iq_unified_manager *
netapp active_iq_unified_manager *
netapp active_iq_unified_manager *
netapp oncommand_workflow_automation -
netapp service_level_manager -
netapp snapcenter -
fedoraproject fedora 29
fedoraproject fedora 30
fedoraproject fedora 31
redhat jboss_enterprise_application_platform 7.2
redhat jboss_enterprise_application_platform 7.3
redhat openshift_container_platform 4.1
redhat single_sign-on 7.3
redhat enterprise_linux 7.0
redhat openshift_container_platform 3.11
redhat jboss_enterprise_application_platform 7.2
redhat jboss_enterprise_application_platform 7.3
redhat single_sign-on 7.3
redhat enterprise_linux 6.0
redhat jboss_enterprise_application_platform 7.2
redhat jboss_enterprise_application_platform 7.3
redhat single_sign-on 7.3
redhat enterprise_linux 8.0
oracle banking_platform 2.4.0
oracle banking_platform 2.4.1
oracle banking_platform 2.5.0
oracle banking_platform 2.6.0
oracle banking_platform 2.6.1
oracle banking_platform 2.7.0
oracle banking_platform 2.7.1
oracle communications_diameter_signaling_router 8.0.0
oracle communications_diameter_signaling_router 8.1
oracle communications_diameter_signaling_router 8.2
oracle communications_diameter_signaling_router 8.2.1
oracle communications_instant_messaging_server 10.0.1.3.0
oracle financial_services_analytical_applications_infrastructure *
oracle goldengate_stream_analytics *
oracle jd_edwards_enterpriseone_orchestrator 9.2
oracle jd_edwards_enterpriseone_tools 9.2
oracle primavera_gateway 15.2
oracle primavera_gateway 16.2
oracle primavera_gateway 17.12
oracle primavera_gateway 18.8.0
oracle primavera_unifier *
oracle primavera_unifier 16.1
oracle primavera_unifier 16.2
oracle primavera_unifier 18.8
oracle retail_customer_management_and_segmentation_foundation 17.0
oracle retail_xstore_point_of_service 7.1
oracle retail_xstore_point_of_service 15.0
oracle retail_xstore_point_of_service 16.0
oracle retail_xstore_point_of_service 17.0
oracle retail_xstore_point_of_service 18.0
oracle siebel_engineering_-_installer_\&_deployment *
oracle siebel_ui_framework *
apple xcode *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7036DA13-110D-40B3-8494-E361BBF4AFCD",
              "versionEndExcluding": "2.6.7.3",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "89660FC3-9198-414C-B89D-C61A4438BA3B",
              "versionEndExcluding": "2.7.9.6",
              "versionStartIncluding": "2.7.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5DB8A2D4-0FDE-4216-896B-52824106B97B",
              "versionEndExcluding": "2.8.11.4",
              "versionStartIncluding": "2.8.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "04641592-DAF4-47BB-A9DE-FC4C84A20401",
              "versionEndExcluding": "2.9.9.2",
              "versionStartIncluding": "2.9.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:linux:*:*",
              "matchCriteriaId": "9FBC1BD0-FF12-4691-8751-5F245D991989",
              "versionStartIncluding": "7.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:*",
              "matchCriteriaId": "BD075607-09B7-493E-8611-66D041FFDA62",
              "versionStartIncluding": "7.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vmware_vsphere:*:*",
              "matchCriteriaId": "0CB28AF5-5AF0-4475-A7B6-12E1795FFDCB",
              "versionStartIncluding": "9.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "5735E553-9731-4AAC-BCFF-989377F817B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:service_level_manager:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "7081652A-D28B-494E-94EF-CA88117F23EE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "BDFB1169-41A0-4A86-8E4F-FDA9730B1E94",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*",
              "matchCriteriaId": "D100F7CE-FC64-4CC6-852A-6136D72DA419",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*",
              "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*",
              "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "064E7BDD-4EF0-4A0D-A38D-8C75BAFEDCEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "E939A0E0-3437-459E-9FAB-FE42811B1D32",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F87326E-0B56-4356-A889-73D026DB1D4B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "E939A0E0-3437-459E-9FAB-FE42811B1D32",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "E939A0E0-3437-459E-9FAB-FE42811B1D32",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C2BEE49E-A5AA-42D3-B422-460454505480",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_platform:2.4.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4FF66F7-10C8-4A1C-910A-EF7D12A4284C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_platform:2.5.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "35AD0C07-9688-4397-8D45-FBB88C0F0C11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "8972497F-6E24-45A9-9A18-EB0E842CB1D4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "400509A8-D6F2-432C-A2F1-AD5B8778D0D9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "282150FF-C945-4A3E-8A80-E8757A8907EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "645AA3D1-C8B5-4CD2-8ACE-31541FA267F0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A9317C01-22AA-452B-BBBF-5FAFFFB8BEA4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "C4534CF9-D9FD-4936-9D8C-077387028A05",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "D60384BD-284C-4A68-9EEF-0FAFDF0C21F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "FCA44E38-EB8C-4E2D-8611-B201F47520E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "FD945A04-174C-46A2-935D-4F92631D1018",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "51433748-DED0-416D-8BFE-F3493E13772E",
              "versionEndIncluding": "8.0.8",
              "versionStartIncluding": "8.0.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:goldengate_stream_analytics:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4E7F2AA-B851-4D85-9895-2CDD6BE9FCB4",
              "versionEndExcluding": "19.1.0.0.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:9.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "989598A3-7012-4F57-B172-02404E20D16D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "41684398-18A4-4DC6-B8A2-3EBAA0CBF9A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "6CBFA960-D242-43ED-8D4C-A60F01B70740",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "0513B305-97EF-4609-A82E-D0CDFF9925BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "61A7F6E0-A4A4-4FC3-90CB-156933CB3B9A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_gateway:18.8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "99365245-49E8-4616-BD24-CE564AC1D17E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "08FA59A8-6A62-4B33-8952-D6E658F8DAC9",
              "versionEndIncluding": "17.12",
              "versionStartIncluding": "17.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "D55A54FD-7DD1-49CD-BE81-0BE73990943C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "82EB08C0-2D46-4635-88DF-E54F6452D3A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "202AD518-2E9B-4062-B063-9858AE1F9CE2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:17.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A7FBF5C7-EC73-4CE4-8CB7-E9CF5705DB25",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "A0ED83E3-E6BF-4EAA-AF8F-33485A88A218",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "11DA6839-849D-4CEF-85F3-38FE75E07183",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "BCE78490-A4BE-40BD-8C72-0A4526BBD4A4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "55AE3629-4A66-49E4-A33D-6D81CC94962F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4CB39A1A-AD29-45DD-9EB5-5E2053A01B9A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:siebel_engineering_-_installer_\\\u0026_deployment:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "25993ED6-D4C7-4B68-9F87-274B757A88CC",
              "versionEndIncluding": "19.8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F10FB4D-A29B-42B4-B70E-EB82A93F2218",
              "versionEndIncluding": "19.10",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E0755E91-2F36-4EC3-8727-E8BF0427E663",
              "versionEndExcluding": "13.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution."
    },
    {
      "lang": "es",
      "value": "El archivo SubTypeValidator.java en jackson-databind de FasterXML en versiones anteriores a la 2.9.9.2 maneja inapropiadamente la escritura predeterminada cuando se usa ehcache (debido a net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), lo que conlleva a la ejecuci\u00f3n de c\u00f3digo remoto."
    }
  ],
  "id": "CVE-2019-14379",
  "lastModified": "2024-11-21T04:26:37.530",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-07-29T12:15:16.633",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2022/Mar/23"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHBA-2019:2824"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2743"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2858"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2935"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2936"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2937"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2938"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2998"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3044"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3045"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3046"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3050"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3149"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3200"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3292"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3297"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3901"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2020:0727"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/FasterXML/jackson-databind/issues/2387"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9%40%3Cdev.tomee.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69%40%3Ccommits.tinkerpop.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/2766188be238a446a250ef76801037d452979152d85bce5e46805815%40%3Cissues.iceberg.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4%40%3Cdev.tomee.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d%40%3Cdev.tomee.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/525bcf949a4b0da87a375cbad2680b8beccde749522f24c49befe7fb%40%3Ccommits.pulsar.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9%40%3Cdev.tomee.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319%40%3Cdev.tomee.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1%40%3Cdev.tomee.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6%40%3Cissues.iceberg.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/689c6bcc6c7612eee71e453a115a4c8581e7b718537025d4b265783d%40%3Cissues.iceberg.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/75f482fdc84abe6d0c8f438a76437c335a7bbeb5cddd4d70b4bc0cbf%40%3Cissues.iceberg.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/859815b2e9f1575acbb2b260b73861c16ca49bca627fa0c46419051f%40%3Cissues.iceberg.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/8723b52c2544e6cb804bc8a36622c584acd1bd6c53f2b6034c9fea54%40%3Cissues.iceberg.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b%40%3Cdev.tomee.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef%40%3Cdev.struts.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/99944f86abefde389da9b4040ea2327c6aa0b53a2ff9352bd4cfec17%40%3Cissues.iceberg.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/d161ff3d59c5a8213400dd6afb1cce1fac4f687c32d1e0c0bfbfaa2d%40%3Cissues.iceberg.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/e25e734c315f70d8876a846926cfe3bfa1a4888044f146e844caf72f%40%3Ccommits.ambari.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be%40%3Cdev.tomee.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/f17f63b0f8a57e4a5759e01d25cffc0548f0b61ff5c6bfd704ad2f2a%40%3Ccommits.ambari.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00011.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20190814-0001/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://support.apple.com/kb/HT213189"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2022/Mar/23"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHBA-2019:2824"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2743"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2858"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2935"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2936"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2937"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2938"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:2998"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3044"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3045"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3046"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3050"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3149"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3200"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3292"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3297"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:3901"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2020:0727"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/FasterXML/jackson-databind/issues/2387"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9%40%3Cdev.tomee.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69%40%3Ccommits.tinkerpop.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/2766188be238a446a250ef76801037d452979152d85bce5e46805815%40%3Cissues.iceberg.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4%40%3Cdev.tomee.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d%40%3Cdev.tomee.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/525bcf949a4b0da87a375cbad2680b8beccde749522f24c49befe7fb%40%3Ccommits.pulsar.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9%40%3Cdev.tomee.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319%40%3Cdev.tomee.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1%40%3Cdev.tomee.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6%40%3Cissues.iceberg.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/689c6bcc6c7612eee71e453a115a4c8581e7b718537025d4b265783d%40%3Cissues.iceberg.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/75f482fdc84abe6d0c8f438a76437c335a7bbeb5cddd4d70b4bc0cbf%40%3Cissues.iceberg.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/859815b2e9f1575acbb2b260b73861c16ca49bca627fa0c46419051f%40%3Cissues.iceberg.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/8723b52c2544e6cb804bc8a36622c584acd1bd6c53f2b6034c9fea54%40%3Cissues.iceberg.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b%40%3Cdev.tomee.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef%40%3Cdev.struts.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/99944f86abefde389da9b4040ea2327c6aa0b53a2ff9352bd4cfec17%40%3Cissues.iceberg.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/d161ff3d59c5a8213400dd6afb1cce1fac4f687c32d1e0c0bfbfaa2d%40%3Cissues.iceberg.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/e25e734c315f70d8876a846926cfe3bfa1a4888044f146e844caf72f%40%3Ccommits.ambari.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be%40%3Cdev.tomee.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/f17f63b0f8a57e4a5759e01d25cffc0548f0b61ff5c6bfd704ad2f2a%40%3Ccommits.ambari.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00011.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20190814-0001/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://support.apple.com/kb/HT213189"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1321"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2019-06-12 14:29
Modified
2024-11-21 04:42
Severity ?
6.5 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often available over the network through unsecured protocols ('http' or 'ldap') and hence the caller should verify the signature and possibly the certification path. Keycloak currently doesn't validate signatures on CRL, which can result in a possibility of various attacks like man-in-the-middle.
References
secalert@redhat.comhttp://www.securityfocus.com/bid/108748Third Party Advisory, VDB Entry
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3875Issue Tracking, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/108748Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3875Issue Tracking, Patch, Vendor Advisory
Impacted products
Vendor Product Version
redhat keycloak *
redhat single_sign-on 7.3


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D7096C1E-0B43-4458-83D6-1F94061279E5",
              "versionEndExcluding": "6.0.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "E939A0E0-3437-459E-9FAB-FE42811B1D32",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often available over the network through unsecured protocols (\u0027http\u0027 or \u0027ldap\u0027) and hence the caller should verify the signature and possibly the certification path. Keycloak currently doesn\u0027t validate signatures on CRL, which can result in a possibility of various attacks like man-in-the-middle."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una vulnerabilidad en keycloak versi\u00f3n anterior a 6.0.2. El autenticador X.509 admite la comprobaci\u00f3n de certificados de cliente por medio de la CRL, donde la lista CRL se puede obtener de la URL proporcionada en el certificado (CDP) o por medio de la path configurada por separado. Los CRL frecuentemente est\u00e1n disponibles por medio de la red mediante protocolos no seguros (\u0027http\u0027 o \u0027ldap\u0027) y, por lo tanto, la persona que llama debe verificar la firma y posiblemente la path de certificaci\u00f3n. Keycloak actualmente no comprueba las firmas en CRL, lo que resulta en la posibilidad de varios ataques de tipo hombre en el medio (man-in-the-middle)."
    }
  ],
  "id": "CVE-2019-3875",
  "lastModified": "2024-11-21T04:42:46.400",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 2.5,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-06-12T14:29:04.760",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/108748"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3875"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/108748"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3875"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-295"
        },
        {
          "lang": "en",
          "value": "CWE-345"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-295"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-03-29 21:15
Modified
2024-11-21 06:40
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2073157Issue Tracking, Vendor Advisory
secalert@redhat.comhttps://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725Third Party Advisory
secalert@redhat.comhttps://herolab.usd.de/security-advisories/usd-2021-0033/
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=2073157Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://herolab.usd.de/security-advisories/usd-2021-0033/
Impacted products
Vendor Product Version
redhat keycloak *
redhat single_sign-on -
redhat single_sign-on *
redhat enterprise_linux 7.0
redhat enterprise_linux 8.0
redhat enterprise_linux 9.0
redhat openshift_container_platform 4.9
redhat openshift_container_platform 4.10
redhat enterprise_linux 8.0
redhat enterprise_linux_for_ibm_z_systems 8.0
redhat enterprise_linux_for_ibm_z_systems_eus 8.0
redhat enterprise_linux_for_power_little_endian 8.0
redhat enterprise_linux_for_power_little_endian_eus 8.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C041BC2A-D8E2-4C32-8CD3-CC4C624017E5",
              "versionEndExcluding": "20.0.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*",
              "matchCriteriaId": "341E6313-20D5-44CB-9719-B20585DC5AD6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A04D1D61-39A9-46A4-9245-0602F8E2B5D5",
              "versionEndExcluding": "7.6.2",
              "versionStartIncluding": "7.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "81609549-25CE-4C8A-9DE3-170D23704208",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "0595C9F8-9C7A-4FC1-B7EE-52978A1B1E93",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "87C21FE1-EA5C-498F-9C6C-D05F91A88217",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4AE1552C-9398-4952-AD8C-777DF9587043",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "47811209-5CE5-4375-8391-B0A7F6A0E420",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "2FD90EA8-3C35-48E1-A3B5-FEB6E3207E62",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users."
    }
  ],
  "id": "CVE-2022-1274",
  "lastModified": "2024-11-21T06:40:23.330",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-03-29T21:15:07.853",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://herolab.usd.de/security-advisories/usd-2021-0033/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://herolab.usd.de/security-advisories/usd-2021-0033/"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-80"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2024-09-10 17:15
Modified
2024-10-01 14:15
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values.
References
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2023-6841Vendor Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2254714Issue Tracking, Vendor Advisory
Impacted products
Vendor Product Version
redhat keycloak -
redhat single_sign-on 7.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:keycloak:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "6E0DE4E1-5D8D-40F3-8AC8-C7F736966158",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una vulnerabilidad de denegaci\u00f3n de servicio en keycloak, donde la cantidad de atributos por objeto no est\u00e1 limitada; un atacante al enviar solicitudes HTTP repetidas podr\u00eda causar un agotamiento de recursos cuando la aplicaci\u00f3n env\u00eda filas con valores de atributos largos."
    }
  ],
  "id": "CVE-2023-6841",
  "lastModified": "2024-10-01T14:15:05.207",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "secalert@redhat.com",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-09-10T17:15:15.170",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2023-6841"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254714"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-231"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-10-10 14:15
Modified
2025-06-11 17:29
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
References
cve@mitre.orghttp://www.openwall.com/lists/oss-security/2023/10/10/6Mailing List, Third Party Advisory
cve@mitre.orghttp://www.openwall.com/lists/oss-security/2023/10/10/7Mailing List, Third Party Advisory
cve@mitre.orghttp://www.openwall.com/lists/oss-security/2023/10/13/4Mailing List, Third Party Advisory
cve@mitre.orghttp://www.openwall.com/lists/oss-security/2023/10/13/9Mailing List, Third Party Advisory
cve@mitre.orghttp://www.openwall.com/lists/oss-security/2023/10/18/4Mailing List, Third Party Advisory
cve@mitre.orghttp://www.openwall.com/lists/oss-security/2023/10/18/8Mailing List, Third Party Advisory
cve@mitre.orghttp://www.openwall.com/lists/oss-security/2023/10/19/6Mailing List, Third Party Advisory
cve@mitre.orghttp://www.openwall.com/lists/oss-security/2023/10/20/8Mailing List, Third Party Advisory
cve@mitre.orghttps://access.redhat.com/security/cve/cve-2023-44487Vendor Advisory
cve@mitre.orghttps://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/Press/Media Coverage, Third Party Advisory
cve@mitre.orghttps://aws.amazon.com/security/security-bulletins/AWS-2023-011/Third Party Advisory
cve@mitre.orghttps://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/Technical Description, Vendor Advisory
cve@mitre.orghttps://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/Third Party Advisory, Vendor Advisory
cve@mitre.orghttps://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/Vendor Advisory
cve@mitre.orghttps://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attackPress/Media Coverage, Third Party Advisory
cve@mitre.orghttps://blog.vespa.ai/cve-2023-44487/Vendor Advisory
cve@mitre.orghttps://bugzilla.proxmox.com/show_bug.cgi?id=4988Issue Tracking, Third Party Advisory
cve@mitre.orghttps://bugzilla.redhat.com/show_bug.cgi?id=2242803Issue Tracking, Vendor Advisory
cve@mitre.orghttps://bugzilla.suse.com/show_bug.cgi?id=1216123Issue Tracking, Vendor Advisory
cve@mitre.orghttps://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9Mailing List, Patch, Vendor Advisory
cve@mitre.orghttps://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/Technical Description, Vendor Advisory
cve@mitre.orghttps://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attackTechnical Description, Vendor Advisory
cve@mitre.orghttps://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125Vendor Advisory
cve@mitre.orghttps://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715Third Party Advisory
cve@mitre.orghttps://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cveBroken Link
cve@mitre.orghttps://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764Vendor Advisory
cve@mitre.orghttps://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088Issue Tracking, Patch
cve@mitre.orghttps://github.com/Azure/AKS/issues/3947Issue Tracking
cve@mitre.orghttps://github.com/Kong/kong/discussions/11741Issue Tracking
cve@mitre.orghttps://github.com/advisories/GHSA-qppj-fm5r-hxr3Vendor Advisory
cve@mitre.orghttps://github.com/advisories/GHSA-vx74-f528-fxqgMitigation, Patch, Vendor Advisory
cve@mitre.orghttps://github.com/advisories/GHSA-xpw8-rcwv-8f8pPatch, Vendor Advisory
cve@mitre.orghttps://github.com/akka/akka-http/issues/4323Issue Tracking
cve@mitre.orghttps://github.com/alibaba/tengine/issues/1872Issue Tracking
cve@mitre.orghttps://github.com/apache/apisix/issues/10320Issue Tracking
cve@mitre.orghttps://github.com/apache/httpd-site/pull/10Issue Tracking
cve@mitre.orghttps://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113Product
cve@mitre.orghttps://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2Product, Third Party Advisory
cve@mitre.orghttps://github.com/apache/trafficserver/pull/10564Issue Tracking, Patch
cve@mitre.orghttps://github.com/arkrwn/PoC/tree/main/CVE-2023-44487Vendor Advisory
cve@mitre.orghttps://github.com/bcdannyboy/CVE-2023-44487Third Party Advisory
cve@mitre.orghttps://github.com/caddyserver/caddy/issues/5877Issue Tracking, Vendor Advisory
cve@mitre.orghttps://github.com/caddyserver/caddy/releases/tag/v2.7.5Release Notes, Third Party Advisory
cve@mitre.orghttps://github.com/dotnet/announcements/issues/277Issue Tracking, Mitigation, Vendor Advisory
cve@mitre.orghttps://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73Product, Release Notes
cve@mitre.orghttps://github.com/eclipse/jetty.project/issues/10679Issue Tracking
cve@mitre.orghttps://github.com/envoyproxy/envoy/pull/30055Issue Tracking, Patch
cve@mitre.orghttps://github.com/etcd-io/etcd/issues/16740Issue Tracking, Patch
cve@mitre.orghttps://github.com/facebook/proxygen/pull/466Issue Tracking, Patch
cve@mitre.orghttps://github.com/golang/go/issues/63417Issue Tracking
cve@mitre.orghttps://github.com/grpc/grpc-go/pull/6703Issue Tracking, Patch
cve@mitre.orghttps://github.com/grpc/grpc/releases/tag/v1.59.2Mailing List
cve@mitre.orghttps://github.com/h2o/h2o/pull/3291Issue Tracking, Patch
cve@mitre.orghttps://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqfVendor Advisory
cve@mitre.orghttps://github.com/haproxy/haproxy/issues/2312Issue Tracking
cve@mitre.orghttps://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244Product
cve@mitre.orghttps://github.com/junkurihara/rust-rpxy/issues/97Issue Tracking
cve@mitre.orghttps://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1Patch
cve@mitre.orghttps://github.com/kazu-yamamoto/http2/issues/93Issue Tracking
cve@mitre.orghttps://github.com/kubernetes/kubernetes/pull/121120Issue Tracking, Patch
cve@mitre.orghttps://github.com/line/armeria/pull/5232Issue Tracking, Patch
cve@mitre.orghttps://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632Patch
cve@mitre.orghttps://github.com/micrictor/http2-rst-streamExploit, Third Party Advisory
cve@mitre.orghttps://github.com/microsoft/CBL-Mariner/pull/6381Issue Tracking, Patch
cve@mitre.orghttps://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61Patch
cve@mitre.orghttps://github.com/nghttp2/nghttp2/pull/1961Issue Tracking, Patch
cve@mitre.orghttps://github.com/nghttp2/nghttp2/releases/tag/v1.57.0Release Notes
cve@mitre.orghttps://github.com/ninenines/cowboy/issues/1615Issue Tracking
cve@mitre.orghttps://github.com/nodejs/node/pull/50121Issue Tracking
cve@mitre.orghttps://github.com/openresty/openresty/issues/930Issue Tracking
cve@mitre.orghttps://github.com/opensearch-project/data-prepper/issues/3474Issue Tracking, Patch
cve@mitre.orghttps://github.com/oqtane/oqtane.framework/discussions/3367Issue Tracking
cve@mitre.orghttps://github.com/projectcontour/contour/pull/5826Issue Tracking, Patch
cve@mitre.orghttps://github.com/tempesta-tech/tempesta/issues/1986Issue Tracking
cve@mitre.orghttps://github.com/varnishcache/varnish-cache/issues/3996Issue Tracking
cve@mitre.orghttps://groups.google.com/g/golang-announce/c/iNNxDTCjZvoMailing List, Release Notes, Vendor Advisory
cve@mitre.orghttps://istio.io/latest/news/security/istio-security-2023-004/Vendor Advisory
cve@mitre.orghttps://linkerd.io/2023/10/12/linkerd-cve-2023-44487/Vendor Advisory
cve@mitre.orghttps://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87qMailing List
cve@mitre.orghttps://lists.debian.org/debian-lts-announce/2023/10/msg00020.htmlMailing List, Third Party Advisory
cve@mitre.orghttps://lists.debian.org/debian-lts-announce/2023/10/msg00023.htmlMailing List
cve@mitre.orghttps://lists.debian.org/debian-lts-announce/2023/10/msg00024.htmlMailing List
cve@mitre.orghttps://lists.debian.org/debian-lts-announce/2023/10/msg00045.htmlMailing List
cve@mitre.orghttps://lists.debian.org/debian-lts-announce/2023/10/msg00047.htmlMailing List
cve@mitre.orghttps://lists.debian.org/debian-lts-announce/2023/11/msg00001.htmlMailing List
cve@mitre.orghttps://lists.debian.org/debian-lts-announce/2023/11/msg00012.htmlMailing List
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/Mailing List
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/Mailing List
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/Mailing List
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/Mailing List
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/Mailing List
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/Mailing List
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/Mailing List
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/Mailing List
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/Mailing List
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/Mailing List
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/Mailing List
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/Mailing List
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/Mailing List
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/Mailing List
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/Mailing List
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/Mailing List
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/Mailing List
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/Mailing List
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/Mailing List
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/Mailing List
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/Mailing List
cve@mitre.orghttps://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.htmlMailing List, Third Party Advisory
cve@mitre.orghttps://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.htmlMailing List, Patch, Third Party Advisory
cve@mitre.orghttps://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.htmlThird Party Advisory
cve@mitre.orghttps://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/Patch, Vendor Advisory
cve@mitre.orghttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487Mitigation, Patch, Vendor Advisory
cve@mitre.orghttps://my.f5.com/manage/s/article/K000137106Vendor Advisory
cve@mitre.orghttps://netty.io/news/2023/10/10/4-1-100-Final.htmlRelease Notes, Vendor Advisory
cve@mitre.orghttps://news.ycombinator.com/item?id=37830987Issue Tracking
cve@mitre.orghttps://news.ycombinator.com/item?id=37830998Issue Tracking, Press/Media Coverage
cve@mitre.orghttps://news.ycombinator.com/item?id=37831062Issue Tracking
cve@mitre.orghttps://news.ycombinator.com/item?id=37837043Issue Tracking
cve@mitre.orghttps://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/Third Party Advisory
cve@mitre.orghttps://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffectedThird Party Advisory
cve@mitre.orghttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http2-reset-d8Kf32vZVendor Advisory
cve@mitre.orghttps://security.gentoo.org/glsa/202311-09Third Party Advisory
cve@mitre.orghttps://security.netapp.com/advisory/ntap-20231016-0001/Third Party Advisory
cve@mitre.orghttps://security.netapp.com/advisory/ntap-20240426-0007/Third Party Advisory
cve@mitre.orghttps://security.netapp.com/advisory/ntap-20240621-0006/Exploit, Third Party Advisory
cve@mitre.orghttps://security.netapp.com/advisory/ntap-20240621-0007/Third Party Advisory
cve@mitre.orghttps://security.paloaltonetworks.com/CVE-2023-44487Vendor Advisory
cve@mitre.orghttps://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14Release Notes
cve@mitre.orghttps://ubuntu.com/security/CVE-2023-44487Vendor Advisory
cve@mitre.orghttps://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/Third Party Advisory
cve@mitre.orghttps://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487Third Party Advisory, US Government Resource
cve@mitre.orghttps://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-eventPress/Media Coverage, Third Party Advisory
cve@mitre.orghttps://www.debian.org/security/2023/dsa-5521Mailing List, Vendor Advisory
cve@mitre.orghttps://www.debian.org/security/2023/dsa-5522Mailing List, Vendor Advisory
cve@mitre.orghttps://www.debian.org/security/2023/dsa-5540Mailing List, Third Party Advisory
cve@mitre.orghttps://www.debian.org/security/2023/dsa-5549Mailing List, Third Party Advisory
cve@mitre.orghttps://www.debian.org/security/2023/dsa-5558Mailing List, Third Party Advisory
cve@mitre.orghttps://www.debian.org/security/2023/dsa-5570Third Party Advisory
cve@mitre.orghttps://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487Third Party Advisory, Vendor Advisory
cve@mitre.orghttps://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/Vendor Advisory
cve@mitre.orghttps://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/Mitigation, Vendor Advisory
cve@mitre.orghttps://www.openwall.com/lists/oss-security/2023/10/10/6Mailing List, Third Party Advisory
cve@mitre.orghttps://www.phoronix.com/news/HTTP2-Rapid-Reset-AttackPress/Media Coverage
cve@mitre.orghttps://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/Press/Media Coverage, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2023/10/13/4Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2023/10/13/9Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2023/10/18/4Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2023/10/18/8Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2023/10/19/6Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2023/10/20/8Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/security/cve/cve-2023-44487Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/Press/Media Coverage, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://aws.amazon.com/security/security-bulletins/AWS-2023-011/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/Technical Description, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/Third Party Advisory, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attackPress/Media Coverage, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://blog.vespa.ai/cve-2023-44487/Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.proxmox.com/show_bug.cgi?id=4988Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=2242803Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.suse.com/show_bug.cgi?id=1216123Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9Mailing List, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/Technical Description, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attackTechnical Description, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cveBroken Link
af854a3a-2127-422b-91ae-364da2661108https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/Azure/AKS/issues/3947Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://github.com/Kong/kong/discussions/11741Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://github.com/advisories/GHSA-qppj-fm5r-hxr3Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/advisories/GHSA-vx74-f528-fxqgMitigation, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/advisories/GHSA-xpw8-rcwv-8f8pPatch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/akka/akka-http/issues/4323Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://github.com/alibaba/tengine/issues/1872Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://github.com/apache/apisix/issues/10320Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://github.com/apache/httpd-site/pull/10Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113Product
af854a3a-2127-422b-91ae-364da2661108https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2Product, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/apache/trafficserver/pull/10564Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/bcdannyboy/CVE-2023-44487Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/caddyserver/caddy/issues/5877Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/caddyserver/caddy/releases/tag/v2.7.5Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/dotnet/announcements/issues/277Issue Tracking, Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73Product, Release Notes
af854a3a-2127-422b-91ae-364da2661108https://github.com/eclipse/jetty.project/issues/10679Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://github.com/envoyproxy/envoy/pull/30055Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/etcd-io/etcd/issues/16740Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/facebook/proxygen/pull/466Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/golang/go/issues/63417Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://github.com/grpc/grpc-go/pull/6703Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/h2o/h2o/pull/3291Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqfVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/haproxy/haproxy/issues/2312Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244Product
af854a3a-2127-422b-91ae-364da2661108https://github.com/junkurihara/rust-rpxy/issues/97Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/kazu-yamamoto/http2/issues/93Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://github.com/kubernetes/kubernetes/pull/121120Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/line/armeria/pull/5232Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/micrictor/http2-rst-streamExploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/microsoft/CBL-Mariner/pull/6381Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/nghttp2/nghttp2/pull/1961Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0Release Notes
af854a3a-2127-422b-91ae-364da2661108https://github.com/ninenines/cowboy/issues/1615Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://github.com/nodejs/node/pull/50121Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://github.com/openresty/openresty/issues/930Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://github.com/opensearch-project/data-prepper/issues/3474Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/oqtane/oqtane.framework/discussions/3367Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://github.com/projectcontour/contour/pull/5826Issue Tracking, Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/tempesta-tech/tempesta/issues/1986Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://github.com/varnishcache/varnish-cache/issues/3996Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://groups.google.com/g/golang-announce/c/iNNxDTCjZvoMailing List, Release Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://istio.io/latest/news/security/istio-security-2023-004/Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87qMailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2023/10/msg00020.htmlMailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2023/10/msg00023.htmlMailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2023/10/msg00024.htmlMailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2023/10/msg00045.htmlMailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2023/10/msg00047.htmlMailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2023/11/msg00001.htmlMailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2023/11/msg00012.htmlMailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/Mailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/Mailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/Mailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/Mailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/Mailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/Mailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/Mailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/Mailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/Mailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/Mailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/Mailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/Mailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/Mailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/Mailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/Mailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/Mailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/Mailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/Mailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/Mailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/Mailing List
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.htmlMailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.htmlMailing List, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.htmlThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487Mitigation, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://my.f5.com/manage/s/article/K000137106Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://netty.io/news/2023/10/10/4-1-100-Final.htmlRelease Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://news.ycombinator.com/item?id=37830987Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://news.ycombinator.com/item?id=37830998Issue Tracking, Press/Media Coverage
af854a3a-2127-422b-91ae-364da2661108https://news.ycombinator.com/item?id=37831062Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://news.ycombinator.com/item?id=37837043Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffectedThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.gentoo.org/glsa/202311-09Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20231016-0001/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20240426-0007/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20240621-0006/Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20240621-0007/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.paloaltonetworks.com/CVE-2023-44487Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14Release Notes
af854a3a-2127-422b-91ae-364da2661108https://ubuntu.com/security/CVE-2023-44487Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-eventPress/Media Coverage, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.debian.org/security/2023/dsa-5521Mailing List, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.debian.org/security/2023/dsa-5522Mailing List, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.debian.org/security/2023/dsa-5540Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.debian.org/security/2023/dsa-5549Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.debian.org/security/2023/dsa-5558Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.debian.org/security/2023/dsa-5570Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487Third Party Advisory, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.openwall.com/lists/oss-security/2023/10/10/6Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.phoronix.com/news/HTTP2-Rapid-Reset-AttackPress/Media Coverage
af854a3a-2127-422b-91ae-364da2661108https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/Press/Media Coverage, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.vicarius.io/vsociety/posts/rapid-reset-cve-2023-44487-dos-in-http2-understanding-the-root-causeThird Party Advisory
Impacted products
Vendor Product Version
ietf http 2.0
nghttp2 nghttp2 *
netty netty *
envoyproxy envoy 1.24.10
envoyproxy envoy 1.25.9
envoyproxy envoy 1.26.4
envoyproxy envoy 1.27.0
eclipse jetty *
eclipse jetty *
eclipse jetty *
eclipse jetty *
caddyserver caddy *
golang go *
golang go *
golang http2 *
golang networking *
f5 big-ip_access_policy_manager *
f5 big-ip_access_policy_manager *
f5 big-ip_access_policy_manager *
f5 big-ip_access_policy_manager *
f5 big-ip_access_policy_manager 17.1.0
f5 big-ip_advanced_firewall_manager *
f5 big-ip_advanced_firewall_manager *
f5 big-ip_advanced_firewall_manager *
f5 big-ip_advanced_firewall_manager *
f5 big-ip_advanced_firewall_manager 17.1.0
f5 big-ip_advanced_web_application_firewall *
f5 big-ip_advanced_web_application_firewall *
f5 big-ip_advanced_web_application_firewall *
f5 big-ip_advanced_web_application_firewall *
f5 big-ip_advanced_web_application_firewall 17.1.0
f5 big-ip_analytics *
f5 big-ip_analytics *
f5 big-ip_analytics *
f5 big-ip_analytics *
f5 big-ip_analytics 17.1.0
f5 big-ip_application_acceleration_manager *
f5 big-ip_application_acceleration_manager *
f5 big-ip_application_acceleration_manager *
f5 big-ip_application_acceleration_manager *
f5 big-ip_application_acceleration_manager 17.1.0
f5 big-ip_application_security_manager *
f5 big-ip_application_security_manager *
f5 big-ip_application_security_manager *
f5 big-ip_application_security_manager *
f5 big-ip_application_security_manager 17.1.0
f5 big-ip_application_visibility_and_reporting *
f5 big-ip_application_visibility_and_reporting *
f5 big-ip_application_visibility_and_reporting *
f5 big-ip_application_visibility_and_reporting *
f5 big-ip_application_visibility_and_reporting 17.1.0
f5 big-ip_carrier-grade_nat *
f5 big-ip_carrier-grade_nat *
f5 big-ip_carrier-grade_nat *
f5 big-ip_carrier-grade_nat *
f5 big-ip_carrier-grade_nat 17.1.0
f5 big-ip_ddos_hybrid_defender *
f5 big-ip_ddos_hybrid_defender *
f5 big-ip_ddos_hybrid_defender *
f5 big-ip_ddos_hybrid_defender *
f5 big-ip_ddos_hybrid_defender 17.1.0
f5 big-ip_domain_name_system *
f5 big-ip_domain_name_system *
f5 big-ip_domain_name_system *
f5 big-ip_domain_name_system *
f5 big-ip_domain_name_system 17.1.0
f5 big-ip_fraud_protection_service *
f5 big-ip_fraud_protection_service *
f5 big-ip_fraud_protection_service *
f5 big-ip_fraud_protection_service *
f5 big-ip_fraud_protection_service 17.1.0
f5 big-ip_global_traffic_manager *
f5 big-ip_global_traffic_manager *
f5 big-ip_global_traffic_manager *
f5 big-ip_global_traffic_manager *
f5 big-ip_global_traffic_manager 17.1.0
f5 big-ip_link_controller *
f5 big-ip_link_controller *
f5 big-ip_link_controller *
f5 big-ip_link_controller *
f5 big-ip_link_controller 17.1.0
f5 big-ip_local_traffic_manager *
f5 big-ip_local_traffic_manager *
f5 big-ip_local_traffic_manager *
f5 big-ip_local_traffic_manager *
f5 big-ip_local_traffic_manager 17.1.0
f5 big-ip_next 20.0.1
f5 big-ip_next_service_proxy_for_kubernetes *
f5 big-ip_policy_enforcement_manager *
f5 big-ip_policy_enforcement_manager *
f5 big-ip_policy_enforcement_manager *
f5 big-ip_policy_enforcement_manager *
f5 big-ip_policy_enforcement_manager 17.1.0
f5 big-ip_ssl_orchestrator *
f5 big-ip_ssl_orchestrator *
f5 big-ip_ssl_orchestrator *
f5 big-ip_ssl_orchestrator *
f5 big-ip_ssl_orchestrator 17.1.0
f5 big-ip_webaccelerator *
f5 big-ip_webaccelerator *
f5 big-ip_webaccelerator *
f5 big-ip_webaccelerator *
f5 big-ip_webaccelerator 17.1.0
f5 big-ip_websafe *
f5 big-ip_websafe *
f5 big-ip_websafe *
f5 big-ip_websafe *
f5 big-ip_websafe 17.1.0
f5 nginx *
f5 nginx_ingress_controller *
f5 nginx_ingress_controller *
f5 nginx_plus *
f5 nginx_plus r29
f5 nginx_plus r30
apache tomcat *
apache tomcat *
apache tomcat *
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apple swiftnio_http\/2 *
grpc grpc *
grpc grpc *
grpc grpc *
grpc grpc 1.57.0
microsoft .net *
microsoft .net *
microsoft asp.net_core *
microsoft asp.net_core *
microsoft azure_kubernetes_service *
microsoft visual_studio_2022 *
microsoft visual_studio_2022 *
microsoft visual_studio_2022 *
microsoft visual_studio_2022 *
microsoft windows_10_1607 *
microsoft windows_10_1607 *
microsoft windows_10_1809 *
microsoft windows_10_21h2 *
microsoft windows_10_22h2 *
microsoft windows_11_21h2 *
microsoft windows_11_22h2 *
microsoft windows_server_2016 -
microsoft windows_server_2019 -
microsoft windows_server_2022 -
nodejs node.js *
nodejs node.js *
microsoft cbl-mariner *
dena h2o *
facebook proxygen *
apache apisix *
apache traffic_server *
apache traffic_server *
amazon opensearch_data_prepper *
debian debian_linux 10.0
debian debian_linux 11.0
debian debian_linux 12.0
kazu-yamamoto http2 *
istio istio *
istio istio *
istio istio *
varnish_cache_project varnish_cache *
traefik traefik *
traefik traefik 3.0.0
traefik traefik 3.0.0
traefik traefik 3.0.0
projectcontour contour *
linkerd linkerd *
linkerd linkerd 2.13.0
linkerd linkerd 2.13.1
linkerd linkerd 2.14.0
linkerd linkerd 2.14.1
linecorp armeria *
redhat 3scale_api_management_platform 2.0
redhat advanced_cluster_management_for_kubernetes 2.0
redhat advanced_cluster_security 3.0
redhat advanced_cluster_security 4.0
redhat ansible_automation_platform 2.0
redhat build_of_optaplanner 8.0
redhat build_of_quarkus -
redhat ceph_storage 5.0
redhat cert-manager_operator_for_red_hat_openshift -
redhat certification_for_red_hat_enterprise_linux 8.0
redhat certification_for_red_hat_enterprise_linux 9.0
redhat cost_management -
redhat cryostat 2.0
redhat decision_manager 7.0
redhat fence_agents_remediation_operator -
redhat integration_camel_for_spring_boot -
redhat integration_camel_k -
redhat integration_service_registry -
redhat jboss_a-mq 7
redhat jboss_a-mq_streams -
redhat jboss_core_services -
redhat jboss_data_grid 7.0.0
redhat jboss_enterprise_application_platform 6.0.0
redhat jboss_enterprise_application_platform 7.0.0
redhat jboss_fuse 6.0.0
redhat jboss_fuse 7.0.0
redhat logging_subsystem_for_red_hat_openshift -
redhat machine_deletion_remediation_operator -
redhat migration_toolkit_for_applications 6.0
redhat migration_toolkit_for_containers -
redhat migration_toolkit_for_virtualization -
redhat network_observability_operator -
redhat node_healthcheck_operator -
redhat node_maintenance_operator -
redhat openshift -
redhat openshift_api_for_data_protection -
redhat openshift_container_platform 4.0
redhat openshift_container_platform_assisted_installer -
redhat openshift_data_science -
redhat openshift_dev_spaces -
redhat openshift_developer_tools_and_services -
redhat openshift_distributed_tracing -
redhat openshift_gitops -
redhat openshift_pipelines -
redhat openshift_sandboxed_containers -
redhat openshift_secondary_scheduler_operator -
redhat openshift_serverless -
redhat openshift_service_mesh 2.0
redhat openshift_virtualization 4
redhat openstack_platform 16.1
redhat openstack_platform 16.2
redhat openstack_platform 17.1
redhat process_automation 7.0
redhat quay 3.0.0
redhat run_once_duration_override_operator -
redhat satellite 6.0
redhat self_node_remediation_operator -
redhat service_interconnect 1.0
redhat single_sign-on 7.0
redhat support_for_spring_boot -
redhat web_terminal -
redhat enterprise_linux 6.0
redhat enterprise_linux 8.0
redhat enterprise_linux 9.0
redhat service_telemetry_framework 1.5
redhat enterprise_linux 8.0
fedoraproject fedora 37
fedoraproject fedora 38
netapp astra_control_center -
netapp oncommand_insight -
akka http_server *
konghq kong_gateway *
jenkins jenkins *
jenkins jenkins *
apache solr *
openresty openresty *
cisco business_process_automation *
cisco connected_mobile_experiences *
cisco crosswork_data_gateway *
cisco crosswork_data_gateway *
cisco crosswork_situation_manager -
cisco crosswork_zero_touch_provisioning *
cisco data_center_network_manager -
cisco enterprise_chat_and_email -
cisco expressway *
cisco firepower_threat_defense *
cisco iot_field_network_director *
cisco prime_access_registrar *
cisco prime_cable_provisioning *
cisco prime_infrastructure *
cisco prime_network_registrar *
cisco secure_dynamic_attributes_connector *
cisco secure_malware_analytics *
cisco telepresence_video_communication_server *
cisco ultra_cloud_core_-_policy_control_function *
cisco ultra_cloud_core_-_policy_control_function 2024.01.0
cisco ultra_cloud_core_-_serving_gateway_function *
cisco ultra_cloud_core_-_session_management_function *
cisco unified_attendant_console_advanced -
cisco unified_contact_center_domain_manager -
cisco unified_contact_center_enterprise -
cisco unified_contact_center_enterprise_-_live_data_server *
cisco unified_contact_center_management_portal -
cisco fog_director *
cisco ios_xe *
cisco ios_xr *
cisco secure_web_appliance_firmware *
cisco secure_web_appliance -
cisco nx-os *
cisco nx-os *
cisco nx-os *
cisco nexus_3016 -
cisco nexus_3016q -
cisco nexus_3048 -
cisco nexus_3064 -
cisco nexus_3064-32t -
cisco nexus_3064-t -
cisco nexus_3064-x -
cisco nexus_3064t -
cisco nexus_3064x -
cisco nexus_3100 -
cisco nexus_3100-v -
cisco nexus_3100-z -
cisco nexus_3100v -
cisco nexus_31108pc-v -
cisco nexus_31108pv-v -
cisco nexus_31108tc-v -
cisco nexus_31128pq -
cisco nexus_3132c-z -
cisco nexus_3132q -
cisco nexus_3132q-v -
cisco nexus_3132q-x -
cisco nexus_3132q-x\/3132q-xl -
cisco nexus_3132q-xl -
cisco nexus_3164q -
cisco nexus_3172 -
cisco nexus_3172pq -
cisco nexus_3172pq-xl -
cisco nexus_3172pq\/pq-xl -
cisco nexus_3172tq -
cisco nexus_3172tq-32t -
cisco nexus_3172tq-xl -
cisco nexus_3200 -
cisco nexus_3232 -
cisco nexus_3232c -
cisco nexus_3232c_ -
cisco nexus_3264c-e -
cisco nexus_3264q -
cisco nexus_3400 -
cisco nexus_3408-s -
cisco nexus_34180yc -
cisco nexus_34200yc-sm -
cisco nexus_3432d-s -
cisco nexus_3464c -
cisco nexus_3500 -
cisco nexus_3524 -
cisco nexus_3524-x -
cisco nexus_3524-x\/xl -
cisco nexus_3524-xl -
cisco nexus_3548 -
cisco nexus_3548-x -
cisco nexus_3548-x\/xl -
cisco nexus_3548-xl -
cisco nexus_3600 -
cisco nexus_36180yc-r -
cisco nexus_3636c-r -
cisco nx-os *
cisco nx-os *
cisco nx-os *
cisco nexus_9000v -
cisco nexus_9200 -
cisco nexus_9200yc -
cisco nexus_92160yc-x -
cisco nexus_92160yc_switch -
cisco nexus_9221c -
cisco nexus_92300yc -
cisco nexus_92300yc_switch -
cisco nexus_92304qc -
cisco nexus_92304qc_switch -
cisco nexus_9232e -
cisco nexus_92348gc-x -
cisco nexus_9236c -
cisco nexus_9236c_switch -
cisco nexus_9272q -
cisco nexus_9272q_switch -
cisco nexus_9300 -
cisco nexus_93108tc-ex -
cisco nexus_93108tc-ex-24 -
cisco nexus_93108tc-ex_switch -
cisco nexus_93108tc-fx -
cisco nexus_93108tc-fx-24 -
cisco nexus_93108tc-fx3h -
cisco nexus_93108tc-fx3p -
cisco nexus_93120tx -
cisco nexus_93120tx_switch -
cisco nexus_93128 -
cisco nexus_93128tx -
cisco nexus_93128tx_switch -
cisco nexus_9316d-gx -
cisco nexus_93180lc-ex -
cisco nexus_93180lc-ex_switch -
cisco nexus_93180tc-ex -
cisco nexus_93180yc-ex -
cisco nexus_93180yc-ex-24 -
cisco nexus_93180yc-ex_switch -
cisco nexus_93180yc-fx -
cisco nexus_93180yc-fx-24 -
cisco nexus_93180yc-fx3 -
cisco nexus_93180yc-fx3h -
cisco nexus_93180yc-fx3s -
cisco nexus_93216tc-fx2 -
cisco nexus_93240tc-fx2 -
cisco nexus_93240yc-fx2 -
cisco nexus_9332c -
cisco nexus_9332d-gx2b -
cisco nexus_9332d-h2r -
cisco nexus_9332pq -
cisco nexus_9332pq_switch -
cisco nexus_93360yc-fx2 -
cisco nexus_9336c-fx2 -
cisco nexus_9336c-fx2-e -
cisco nexus_9336pq -
cisco nexus_9336pq_aci -
cisco nexus_9336pq_aci_spine -
cisco nexus_9336pq_aci_spine_switch -
cisco nexus_9348d-gx2a -
cisco nexus_9348gc-fx3 -
cisco nexus_9348gc-fxp -
cisco nexus_93600cd-gx -
cisco nexus_9364c -
cisco nexus_9364c-gx -
cisco nexus_9364d-gx2a -
cisco nexus_9372px -
cisco nexus_9372px-e -
cisco nexus_9372px-e_switch -
cisco nexus_9372px_switch -
cisco nexus_9372tx -
cisco nexus_9372tx-e -
cisco nexus_9372tx-e_switch -
cisco nexus_9372tx_switch -
cisco nexus_9396px -
cisco nexus_9396px_switch -
cisco nexus_9396tx -
cisco nexus_9396tx_switch -
cisco nexus_9408 -
cisco nexus_9432pq -
cisco nexus_9500 -
cisco nexus_9500_16-slot -
cisco nexus_9500_4-slot -
cisco nexus_9500_8-slot -
cisco nexus_9500_supervisor_a -
cisco nexus_9500_supervisor_a\+ -
cisco nexus_9500_supervisor_b -
cisco nexus_9500_supervisor_b\+ -
cisco nexus_9500r -
cisco nexus_9504 -
cisco nexus_9504_switch -
cisco nexus_9508 -
cisco nexus_9508_switch -
cisco nexus_9516 -
cisco nexus_9516_switch -
cisco nexus_9536pq -
cisco nexus_9636pq -
cisco nexus_9716d-gx -
cisco nexus_9736pq -
cisco nexus_9800 -
cisco nexus_9804 -
cisco nexus_9808 -


To clipboard 

{
  "cisaActionDue": "2023-10-31",
  "cisaExploitAdd": "2023-10-10",
  "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
  "cisaVulnerabilityName": "HTTP/2 Rapid Reset Attack Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ietf:http:2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "D5200E35-222B-42E0-83E0-5B702684D992",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nghttp2:nghttp2:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C3BDC297-F023-4E87-8518-B84CCF9DD6A8",
              "versionEndExcluding": "1.57.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D12D5257-7ED2-400F-9EF7-40E0D3650C2B",
              "versionEndExcluding": "4.1.100",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:envoyproxy:envoy:1.24.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "1B058776-B5B7-4079-B0AF-23F40926DCEC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:envoyproxy:envoy:1.25.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "6D565975-EFD9-467C-B6E3-1866A4EF17A4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:envoyproxy:envoy:1.26.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "6D487271-1B5E-4F16-B0CB-A7B8908935C6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:envoyproxy:envoy:1.27.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "BA6ED627-EFB3-4BDD-8ECC-C5947A1470B2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A4A6F189-6C43-462D-85C9-B0EBDA8A4683",
              "versionEndExcluding": "9.4.53",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C993C920-85C0-4181-A95E-5D965A670738",
              "versionEndExcluding": "10.0.17",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "08E79A8E-E12C-498F-AF4F-1AAA7135661E",
              "versionEndExcluding": "11.0.17",
              "versionStartIncluding": "11.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F138D800-9A3B-4C76-8A3C-4793083A1517",
              "versionEndExcluding": "12.0.2",
              "versionStartIncluding": "12.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6341DDDA-AD27-4087-9D59-0A212F0037B4",
              "versionEndExcluding": "2.7.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "328120E4-C031-44B4-9BE5-03B0CDAA066F",
              "versionEndExcluding": "1.20.10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5FD9AB15-E5F6-4DBC-9EC7-D0ABA705802A",
              "versionEndExcluding": "1.21.3",
              "versionStartIncluding": "1.21.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:golang:http2:*:*:*:*:*:go:*:*",
              "matchCriteriaId": "D7D2F801-6F65-4705-BCB9-D057EA54A707",
              "versionEndExcluding": "0.17.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:golang:networking:*:*:*:*:*:go:*:*",
              "matchCriteriaId": "801F25DA-F38C-4452-8E90-235A3B1A5FF0",
              "versionEndExcluding": "0.17.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D93F04AD-DF14-48AB-9F13-8B2E491CF42E",
              "versionEndIncluding": "13.1.5",
              "versionStartIncluding": "13.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7522C760-7E07-406F-BF50-5656D5723C4F",
              "versionEndIncluding": "14.1.5",
              "versionStartIncluding": "14.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3A7F605E-EB10-40FB-98D6-7E3A95E310BC",
              "versionEndIncluding": "15.1.10",
              "versionStartIncluding": "15.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "783E62F2-F867-48F1-B123-D1227C970674",
              "versionEndIncluding": "16.1.4",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0A8D90B7-A1AF-4EFB-B688-1563D81E5C6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6603ED6A-3366-4572-AFCD-B3D4B1EC7606",
              "versionEndIncluding": "13.1.5",
              "versionStartIncluding": "13.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "88978E38-81D3-4EFE-8525-A300B101FA69",
              "versionEndIncluding": "14.1.5",
              "versionStartIncluding": "14.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0510296F-92D7-4388-AE3A-0D9799C2FC4D",
              "versionEndIncluding": "15.1.10",
              "versionStartIncluding": "15.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D7698D6C-B1F7-43C1-BBA6-88E956356B3D",
              "versionEndIncluding": "16.1.4",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "1A1CC91B-6920-4AF0-9EDD-DD3189E78F4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "05E452AA-A520-4CBE-8767-147772B69194",
              "versionEndIncluding": "13.1.5",
              "versionStartIncluding": "13.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "596FC5D5-7329-4E39-841E-CAE937C02219",
              "versionEndIncluding": "14.1.5",
              "versionStartIncluding": "14.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B3C7A168-F370-441E-8790-73014BCEC39F",
              "versionEndIncluding": "15.1.10",
              "versionStartIncluding": "15.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CF16FD01-7704-40AB-ACB2-80A883804D22",
              "versionEndIncluding": "16.1.4",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "1769D69A-CB59-46B1-89B3-FB97DC6DEB9B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9167FEC1-2C37-4946-9657-B4E69301FB24",
              "versionEndIncluding": "13.1.5",
              "versionStartIncluding": "13.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7B4B3442-E0C0-48CD-87AD-060E15C9801E",
              "versionEndIncluding": "14.1.5",
              "versionStartIncluding": "14.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8FA85EC1-D91A-49DD-949B-2AF7AC813CA5",
              "versionEndIncluding": "15.1.10",
              "versionStartIncluding": "15.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "20662BB0-4C3D-4CF0-B068-3555C65DD06C",
              "versionEndIncluding": "16.1.4",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_analytics:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "59203EBF-C52A-45A1-B8DF-00E17E3EFB51",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7EC2324D-EC8B-41DF-88A7-819E53AAD0FC",
              "versionEndIncluding": "13.1.5",
              "versionStartIncluding": "13.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9B88F9D1-B54B-40C7-A18A-26C4A071D7EC",
              "versionEndIncluding": "14.1.5",
              "versionStartIncluding": "14.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C8F39403-C259-4D6F-9E9A-53671017EEDB",
              "versionEndIncluding": "15.1.10",
              "versionStartIncluding": "15.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "220F2D38-FA82-45EF-B957-7678C9FEDBC1",
              "versionEndIncluding": "16.1.4",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_application_acceleration_manager:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "5C698C1C-A3DD-46E2-B05A-12F2604E7F85",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "922AA845-530A-4B4B-9976-4CBC30C8A324",
              "versionEndIncluding": "13.1.5",
              "versionStartIncluding": "13.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F938EB43-8373-47EB-B269-C6DF058A9244",
              "versionEndIncluding": "14.1.5",
              "versionStartIncluding": "14.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1771493E-ACAA-477F-8AB4-25DB12F6AD6E",
              "versionEndIncluding": "15.1.10",
              "versionStartIncluding": "15.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5E86F3D5-65A4-48CE-A6A2-736BBB88E3F8",
              "versionEndIncluding": "16.1.4",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "87670A74-34FE-45DF-A725-25B804C845B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C7E422F6-C4C2-43AC-B137-0997B5739030",
              "versionEndIncluding": "13.1.5",
              "versionStartIncluding": "13.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CC3F710F-DBCB-4976-9719-CF063DA22377",
              "versionEndIncluding": "14.1.5",
              "versionStartIncluding": "14.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4B9B76A1-7C5A-453F-A4ED-F1A81BCEBEB5",
              "versionEndIncluding": "15.1.10",
              "versionStartIncluding": "15.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "88EDFCD9-775C-48FA-9CDA-2B04DA8D0612",
              "versionEndIncluding": "16.1.4",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "67DB21AE-DF53-442D-B492-C4ED9A20B105",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4C9FCBCB-9CE0-49E7-85C8-69E71D211912",
              "versionEndIncluding": "13.1.5",
              "versionStartIncluding": "13.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "112DFA85-90AD-478D-BD70-8C7C0C074F1B",
              "versionEndIncluding": "14.1.5",
              "versionStartIncluding": "14.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DB704A1C-D8B7-48BB-A15A-C14DB591FE4A",
              "versionEndIncluding": "15.1.10",
              "versionStartIncluding": "15.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "21D51D9F-2840-4DEA-A007-D20111A1745C",
              "versionEndIncluding": "16.1.4",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_carrier-grade_nat:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7BC1D037-74D2-4F92-89AD-C90F6CBF440B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CAEF3EA4-7D5A-4B44-9CE3-258AEC745866",
              "versionEndIncluding": "13.1.5",
              "versionStartIncluding": "13.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2FBCE2D1-9D93-415D-AB2C-2060307C305A",
              "versionEndIncluding": "14.1.5",
              "versionStartIncluding": "14.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8070B469-8CC4-4D2F-97D7-12D0ABB963C1",
              "versionEndIncluding": "15.1.10",
              "versionStartIncluding": "15.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A326597E-725D-45DE-BEF7-2ED92137B253",
              "versionEndIncluding": "16.1.4",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7B235A78-649B-46C5-B24B-AB485A884654",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "08B25AAB-A98C-4F89-9131-29E3A8C0ED23",
              "versionEndIncluding": "13.1.5",
              "versionStartIncluding": "13.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "ED9B976A-D3AD-4445-BF8A-067C3EBDFBB0",
              "versionEndIncluding": "14.1.5",
              "versionStartIncluding": "14.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "98D2CE1E-DED0-470A-AA78-C78EF769C38E",
              "versionEndIncluding": "15.1.10",
              "versionStartIncluding": "15.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C966FABA-7199-4F0D-AB8C-4590FE9D2FFF",
              "versionEndIncluding": "16.1.4",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_domain_name_system:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "84D00768-E71B-4FF7-A7BF-F2C8CFBC900D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E3D2ABA3-D4A9-4267-B0DF-7C3BBEEAEB66",
              "versionEndIncluding": "13.1.5",
              "versionStartIncluding": "13.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BC36311E-BB00-4750-85C8-51F5A2604F07",
              "versionEndIncluding": "14.1.5",
              "versionStartIncluding": "14.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A65D357E-4B40-42EC-9AAA-2B6CEF78C401",
              "versionEndIncluding": "15.1.10",
              "versionStartIncluding": "15.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D7EF9865-FE65-4DFB-BF21-62FBCE65FF1C",
              "versionEndIncluding": "16.1.4",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_fraud_protection_service:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "ABBD10E8-6054-408F-9687-B9BF6375CA09",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E6018B01-048C-43BB-A78D-66910ED60CA9",
              "versionEndIncluding": "13.1.5",
              "versionStartIncluding": "13.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3A6A5686-5A8B-45D5-9165-BC99D2CCAC47",
              "versionEndIncluding": "14.1.5",
              "versionStartIncluding": "14.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5D2A121F-5BD2-4263-8ED3-1DDE25B5C306",
              "versionEndIncluding": "15.1.10",
              "versionStartIncluding": "15.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0A4F7BAD-3EDD-4DE0-AAB7-DE5ACA34DD79",
              "versionEndIncluding": "16.1.4",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_global_traffic_manager:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "83794B04-87E2-4CA9-81F5-BB820D0F5395",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D9EC2237-117F-43BD-ADEC-516CF72E04EF",
              "versionEndIncluding": "13.1.5",
              "versionStartIncluding": "13.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F70D4B6F-65CF-48F4-9A07-072DFBCE53D9",
              "versionEndIncluding": "14.1.5",
              "versionStartIncluding": "14.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "29563719-1AF2-4BB8-8CCA-A0869F87795D",
              "versionEndIncluding": "15.1.10",
              "versionStartIncluding": "15.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D24815DD-579A-46D1-B9F2-3BB2C56BC54D",
              "versionEndIncluding": "16.1.4",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_link_controller:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0A6E7035-3299-474F-8F67-945EA9A059D0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0360F76D-E75E-4B05-A294-B47012323ED9",
              "versionEndIncluding": "13.1.5",
              "versionStartIncluding": "13.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7A4607BF-41AC-4E84-A110-74E085FF0445",
              "versionEndIncluding": "14.1.5",
              "versionStartIncluding": "14.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "441CC945-7CA3-49C0-AE10-94725301E31D",
              "versionEndIncluding": "15.1.10",
              "versionStartIncluding": "15.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "46BA8E8A-6ED5-4FB2-8BBC-586AA031085A",
              "versionEndIncluding": "16.1.4",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "56FB92F7-FF1E-425D-A5AB-9D9FB0BB9450",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_next:20.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "969C4F14-F6D6-46D6-B348-FC1463877680",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_next_service_proxy_for_kubernetes:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "41AD5040-1250-45F5-AB63-63F333D49BCC",
              "versionEndIncluding": "1.8.2",
              "versionStartIncluding": "1.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8257AA59-C14D-4EC1-B22C-DFBB92CBC297",
              "versionEndIncluding": "13.1.5",
              "versionStartIncluding": "13.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "37DB32BB-F4BA-4FB5-94B1-55C3F06749CF",
              "versionEndIncluding": "14.1.5",
              "versionStartIncluding": "14.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FFF5007E-761C-4697-8D34-C064DF0ABE8D",
              "versionEndIncluding": "15.1.10",
              "versionStartIncluding": "15.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "910441D3-90EF-4375-B007-D51120A60AB2",
              "versionEndIncluding": "16.1.4",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "667EB77B-DA13-4BA4-9371-EE3F3A109F38",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8A6F9699-A485-4614-8F38-5A556D31617E",
              "versionEndIncluding": "13.1.5",
              "versionStartIncluding": "13.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5A90F547-97A2-41EC-9FDF-25F869F0FA38",
              "versionEndIncluding": "14.1.5",
              "versionStartIncluding": "14.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E76E1B82-F1DC-4366-B388-DBDF16C586A0",
              "versionEndIncluding": "15.1.10",
              "versionStartIncluding": "15.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "660137F4-15A1-42D1-BBAC-99A1D5BB398B",
              "versionEndIncluding": "16.1.4",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_ssl_orchestrator:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C446827A-1F71-4FAD-9422-580642D26AD1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1932D32D-0E4B-4BBD-816F-6D47AB2E2F04",
              "versionEndIncluding": "13.1.5",
              "versionStartIncluding": "13.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D47B7691-A95B-45C0-BAB4-27E047F3C379",
              "versionEndIncluding": "14.1.5",
              "versionStartIncluding": "14.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2CD1637D-0E42-4928-867A-BA0FDB6E8462",
              "versionEndIncluding": "15.1.10",
              "versionStartIncluding": "15.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3A599F90-F66B-4DF0-AD7D-D234F328BD59",
              "versionEndIncluding": "16.1.4",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_webaccelerator:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "3D1B2000-C3FE-4B4C-885A-A5076EB164E1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_websafe:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5326759A-AFB0-4A15-B4E9-3C9A2E5DB32A",
              "versionEndIncluding": "13.1.5",
              "versionStartIncluding": "13.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_websafe:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "57D92D05-C67D-437E-88F3-DCC3F6B0ED2F",
              "versionEndIncluding": "14.1.5",
              "versionStartIncluding": "14.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_websafe:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "ECCB8C30-861E-4E48-A5F5-30EE523C1FB6",
              "versionEndIncluding": "15.1.10",
              "versionStartIncluding": "15.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_websafe:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F5FEAD2A-3A58-432E-BEBB-6E3FDE24395F",
              "versionEndIncluding": "16.1.4",
              "versionStartIncluding": "16.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:big-ip_websafe:17.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "8AB23AE6-245E-43D6-B832-933F8259F937",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:nginx:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1188B4A9-2684-413C-83D1-E91C75AE0FCF",
              "versionEndIncluding": "1.25.2",
              "versionStartIncluding": "1.9.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:nginx_ingress_controller:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3337609D-5291-4A52-BC6A-6A8D4E60EB20",
              "versionEndIncluding": "2.4.2",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:nginx_ingress_controller:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6CF0ABD9-EB28-4966-8C31-EED7AFBF1527",
              "versionEndIncluding": "3.3.0",
              "versionStartIncluding": "3.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:nginx_plus:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F291CB34-47A4-425A-A200-087CC295AEC8",
              "versionEndExcluding": "r29",
              "versionStartIncluding": "r25",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:nginx_plus:r29:-:*:*:*:*:*:*",
              "matchCriteriaId": "5892B558-EC3A-43FF-A1D5-B2D9F70796F0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:f5:nginx_plus:r30:-:*:*:*:*:*:*",
              "matchCriteriaId": "96BF2B19-52C7-4051-BA58-CAE6F912B72F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "ABD26B48-CC80-4FAE-BD3D-78DE4C80C92B",
              "versionEndIncluding": "8.5.93",
              "versionStartIncluding": "8.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F3EC20B6-B2AB-41F5-9BF9-D16C1FE67C34",
              "versionEndIncluding": "9.0.80",
              "versionStartIncluding": "9.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0765CC3D-AB1A-4147-8900-EF4C105321F2",
              "versionEndIncluding": "10.1.13",
              "versionStartIncluding": "10.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone1:*:*:*:*:*:*",
              "matchCriteriaId": "D1AA7FF6-E8E7-4BF6-983E-0A99B0183008",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone10:*:*:*:*:*:*",
              "matchCriteriaId": "57088BDD-A136-45EF-A8A1-2EBF79CEC2CE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone11:*:*:*:*:*:*",
              "matchCriteriaId": "B32D1D7A-A04F-444E-8F45-BB9A9E4B0199",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone2:*:*:*:*:*:*",
              "matchCriteriaId": "2AAD52CE-94F5-4F98-A027-9A7E68818CB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone3:*:*:*:*:*:*",
              "matchCriteriaId": "F1F981F5-035A-4EDD-8A9F-481EE8BC7FF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone4:*:*:*:*:*:*",
              "matchCriteriaId": "03A171AF-2EC8-4422-912C-547CDB58CAAA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone5:*:*:*:*:*:*",
              "matchCriteriaId": "538E68C4-0BA4-495F-AEF8-4EF6EE7963CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone6:*:*:*:*:*:*",
              "matchCriteriaId": "49350A6E-5E1D-45B2-A874-3B8601B3ADCC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone7:*:*:*:*:*:*",
              "matchCriteriaId": "5F50942F-DF54-46C0-8371-9A476DD3EEA3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone8:*:*:*:*:*:*",
              "matchCriteriaId": "D12C2C95-B79F-4AA4-8CE3-99A3EE7991AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone9:*:*:*:*:*:*",
              "matchCriteriaId": "98792138-DD56-42DF-9612-3BDC65EEC117",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apple:swiftnio_http\\/2:*:*:*:*:*:swift:*:*",
              "matchCriteriaId": "08190072-3880-4EF5-B642-BA053090D95B",
              "versionEndExcluding": "1.28.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:grpc:grpc:*:*:*:*:*:go:*:*",
              "matchCriteriaId": "5F4CDEA9-CB47-4881-B096-DA896E2364F3",
              "versionEndExcluding": "1.56.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:grpc:grpc:*:*:*:*:*:-:*:*",
              "matchCriteriaId": "E65AF7BC-7DAE-408A-8485-FBED22815F75",
              "versionEndIncluding": "1.59.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:grpc:grpc:*:*:*:*:*:go:*:*",
              "matchCriteriaId": "DD868DDF-C889-4F36-B5E6-68B6D9EA48CC",
              "versionEndExcluding": "1.58.3",
              "versionStartIncluding": "1.58.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:grpc:grpc:1.57.0:-:*:*:*:go:*:*",
              "matchCriteriaId": "FBD991E2-DB5A-4AAD-95BA-4B5ACB811C96",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4496821E-BD55-4F31-AD9C-A3D66CBBD6BD",
              "versionEndExcluding": "6.0.23",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8DF7ECF6-178D-433C-AA21-BAE9EF248F37",
              "versionEndExcluding": "7.0.12",
              "versionStartIncluding": "7.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1C3418F4-B8BF-4666-BB39-C188AB01F45C",
              "versionEndExcluding": "6.0.23",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1278DD1C-EFA9-4316-AD32-24C1B1FB0CEA",
              "versionEndExcluding": "7.0.12",
              "versionStartIncluding": "7.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:azure_kubernetes_service:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3BDFB0FF-0F4A-4B7B-94E8-ED72A8106314",
              "versionEndExcluding": "2023-10-08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "16A8F269-E07E-402F-BFD5-60F3988A5EAF",
              "versionEndExcluding": "17.2.20",
              "versionStartIncluding": "17.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C4B2B972-69E2-4D21-9A7C-B2AFF1D89EB8",
              "versionEndExcluding": "17.4.12",
              "versionStartIncluding": "17.4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DA5834D4-F52F-41C0-AA11-C974FFEEA063",
              "versionEndExcluding": "17.6.8",
              "versionStartIncluding": "17.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:microsoft:visual_studio_2022:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2166106F-ACD6-4C7B-B0CC-977B83CC5F73",
              "versionEndExcluding": "17.7.5",
              "versionStartIncluding": "17.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*",
              "matchCriteriaId": "4CD49C41-6D90-47D3-AB4F-4A74169D3A8F",
              "versionEndExcluding": "10.0.14393.6351",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*",
              "matchCriteriaId": "BAEFEE13-9CD7-46A2-8AF6-0A33C79C05F1",
              "versionEndExcluding": "10.0.14393.6351",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E500D59C-6597-45E9-A57B-BE26C0C231D3",
              "versionEndExcluding": "10.0.17763.4974",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C9F9A643-90C6-489C-98A0-D2739CE72F86",
              "versionEndExcluding": "10.0.19044.3570",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1814619C-ED07-49E0-A50A-E28D824D43BC",
              "versionEndExcluding": "10.0.19045.3570",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "100A27D3-87B0-4E72-83F6-7605E3F35E63",
              "versionEndExcluding": "10.0.22000.2538",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C6A36795-0238-45C9-ABE6-3DCCF751915B",
              "versionEndExcluding": "10.0.22621.2428",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "041FF8BA-0B12-4A1F-B4BF-9C4F33B7C1E7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "DB79EE26-FC32-417D-A49C-A1A63165A968",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "821614DD-37DD-44E2-A8A4-FE8D23A33C3C",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "94BAB9EB-1527-4D9A-BADE-0708579536CF",
              "versionEndExcluding": "18.18.2",
              "versionStartIncluding": "18.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "69843DE4-4721-4F0A-A9B7-0F6DF5AAA388",
              "versionEndExcluding": "20.8.1",
              "versionStartIncluding": "20.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:microsoft:cbl-mariner:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B25279EF-C406-4133-99ED-0492703E0A4E",
              "versionEndExcluding": "2023-10-11",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:dena:h2o:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9FFFF84B-F35C-43DE-959A-A5D10C3AE9F5",
              "versionEndExcluding": "2023-10-10",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:facebook:proxygen:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9DCE8C89-7C22-48CA-AF22-B34C8AA2CB8C",
              "versionEndExcluding": "2023.10.16.00",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:apisix:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EDEB508E-0EBD-4450-9074-983DDF568AB4",
              "versionEndExcluding": "3.6.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "93A1A748-6C71-4191-8A16-A93E94E2CDE4",
              "versionEndExcluding": "8.1.9",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4E4BCAF6-B246-41EC-9EE1-24296BFC4F5A",
              "versionEndExcluding": "9.2.3",
              "versionStartIncluding": "9.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:amazon:opensearch_data_prepper:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6F70360D-6214-46BA-AF82-6AB01E13E4E9",
              "versionEndExcluding": "2.5.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "46D69DCC-AE4D-4EA5-861C-D60951444C6C",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:kazu-yamamoto:http2:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E2DA759E-1AF8-49D3-A3FC-1B426C13CA82",
              "versionEndExcluding": "4.2.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "28BE6F7B-AE66-4C8A-AAFA-F1262671E9BF",
              "versionEndExcluding": "1.17.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F0C8E760-C8D2-483A-BBD4-6A6D292A3874",
              "versionEndExcluding": "1.18.3",
              "versionStartIncluding": "1.18.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5D0F78BB-6A05-4C97-A8DB-E731B6CC8CC7",
              "versionEndExcluding": "1.19.1",
              "versionStartIncluding": "1.19.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:varnish_cache_project:varnish_cache:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "050AE218-3871-44D6-94DA-12D84C2093CB",
              "versionEndExcluding": "2023-10-10",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:traefik:traefik:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B36BFFB0-C0EC-4926-A1DB-0B711C846A68",
              "versionEndExcluding": "2.10.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:traefik:traefik:3.0.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "376EAF9B-E994-4268-9704-0A45EA30270F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:traefik:traefik:3.0.0:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "F3D08335-C291-4623-B80C-3B14C4D1FA32",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:traefik:traefik:3.0.0:beta3:*:*:*:*:*:*",
              "matchCriteriaId": "21033CEE-CEF5-4B0D-A565-4A6FC764AA6D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:projectcontour:contour:*:*:*:*:*:kubernetes:*:*",
              "matchCriteriaId": "FC4C66B1-42C0-495D-AE63-2889DE0BED84",
              "versionEndExcluding": "2023-10-11",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:linkerd:linkerd:*:*:*:*:stable:kubernetes:*:*",
              "matchCriteriaId": "8633E263-F066-4DD8-A734-90207207A873",
              "versionEndIncluding": "2.12.5",
              "versionStartIncluding": "2.12.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:linkerd:linkerd:2.13.0:*:*:*:stable:kubernetes:*:*",
              "matchCriteriaId": "34A23BD9-A0F4-4D85-8011-EAC93C29B4E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:linkerd:linkerd:2.13.1:*:*:*:stable:kubernetes:*:*",
              "matchCriteriaId": "27ED3533-A795-422F-B923-68BE071DC00D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:linkerd:linkerd:2.14.0:*:*:*:stable:kubernetes:*:*",
              "matchCriteriaId": "45F7E352-3208-4188-A5B1-906E00DF9896",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:linkerd:linkerd:2.14.1:*:*:*:stable:kubernetes:*:*",
              "matchCriteriaId": "DF89A8AD-66FE-439A-B732-CAAB304D765B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:linecorp:armeria:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A400C637-AF18-4BEE-B57C-145261B65DEC",
              "versionEndExcluding": "1.26.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:3scale_api_management_platform:2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "653A5B08-0D02-4362-A8B1-D00B24C6C6F2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:advanced_cluster_management_for_kubernetes:2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4B0E6B4B-BAA6-474E-A18C-72C9719CEC1F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:advanced_cluster_security:3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F0FD736A-8730-446A-BA3A-7B608DB62B0E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:advanced_cluster_security:4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4C504B6-3902-46E2-82B7-48AEC9CDD48D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:ansible_automation_platform:2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7B4BE2D6-43C3-4065-A213-5DB1325DC78F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:build_of_optaplanner:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "1D54F5AE-61EC-4434-9D5F-9394A3979894",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "CE29B9D6-63DC-4779-ACE8-4E51E6A0AF37",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:ceph_storage:5.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4E37E1B3-6F68-4502-85D6-68333643BDFF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:cert-manager_operator_for_red_hat_openshift:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "6D5A7736-A403-4617-8790-18E46CB74DA6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:certification_for_red_hat_enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "33F13B03-69BF-4A8B-A0A0-7F47FD857461",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:certification_for_red_hat_enterprise_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9393119E-F018-463F-9548-60436F104195",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:cost_management:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC45EE1E-2365-42D4-9D55-92FA24E5ED3A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:cryostat:2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E567CD9F-5A43-4D25-B911-B5D0440698F4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:decision_manager:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "68146098-58F8-417E-B165-5182527117C4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:fence_agents_remediation_operator:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "CB4D6790-63E5-4043-B8BE-B489D649061D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:integration_camel_for_spring_boot:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "78698F40-0777-4990-822D-02E1B5D0E2C0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "B87C8AD3-8878-4546-86C2-BF411876648C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:integration_service_registry:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF03BDE8-602D-4DEE-BA5B-5B20FDF47741",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_a-mq:7:*:*:*:*:*:*:*",
              "matchCriteriaId": "A58966CB-36AF-4E64-AB39-BE3A0753E155",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_a-mq_streams:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "585BC540-073B-425B-B664-5EA4C00AFED6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_core_services:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "9B453CF7-9AA6-4B94-A003-BF7AE0B82F53",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "CD354E32-A8B0-484C-B4C6-9FBCD3430D2D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B142ACCC-F7A9-4A3B-BE60-0D6691D5058D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "72A54BDA-311C-413B-8E4D-388AD65A170A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_fuse:6.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A305F012-544E-4245-9D69-1C8CD37748B1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B40CCE4F-EA2C-453D-BB76-6388767E5C6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:logging_subsystem_for_red_hat_openshift:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF93A27E-AA2B-4C2E-9B8D-FE7267847326",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:machine_deletion_remediation_operator:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "2B12A3A8-6456-481A-A0C9-524543FCC149",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:migration_toolkit_for_applications:6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "3C2E7E3C-A507-4AB2-97E5-4944D8775CF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:migration_toolkit_for_containers:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "4E22EBF9-AA0D-4712-9D69-DD97679CE835",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:migration_toolkit_for_virtualization:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "941B114C-FBD7-42FF-B1D8-4EA30E99102C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:network_observability_operator:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "339CFB34-A795-49F9-BF6D-A00F3A1A4F63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:node_healthcheck_operator:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "8D044DBE-6F5A-4C53-828E-7B1A570CACFF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:node_maintenance_operator:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "E23FA47F-B967-44AD-AB76-1BB2CAD3CA5B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift:-:*:*:*:*:aws:*:*",
              "matchCriteriaId": "65203CA1-5225-4E55-A187-6454C091F532",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_api_for_data_protection:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "7BF8EFFB-5686-4F28-A68F-1A8854E098CE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "932D137F-528B-4526-9A89-CD59FA1AB0FE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_container_platform_assisted_installer:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "5DA9B2E2-958B-478D-87D6-E5CDDCD44315",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_data_science:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "B3F5FF1E-5DA3-4EC3-B41A-A362BDFC4C69",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_dev_spaces:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "99B8A88B-0B31-4CFF-AFD7-C9D3DDD5790D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_developer_tools_and_services:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "97321212-0E07-4CC2-A917-7B5F61AB9A5A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_distributed_tracing:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "DF390236-3259-4C8F-891C-62ACC4386CD1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_gitops:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "C0AAA300-691A-4957-8B69-F6888CC971B1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_pipelines:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "45937289-2D64-47CB-A750-5B4F0D4664A0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_sandboxed_containers:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "B129311C-EB4B-4041-B85C-44D5E53FCAA3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_secondary_scheduler_operator:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F1AB54DB-3FB4-41CB-88ED-1400FD22AB85",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_serverless:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "77675CB7-67D7-44E9-B7FF-D224B3341AA5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_service_mesh:2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A76A2BCE-4AAE-46D7-93D6-2EDE0FC83145",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openshift_virtualization:4:*:*:*:*:*:*:*",
              "matchCriteriaId": "9C877879-B84B-471C-80CF-0656521CA8AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openstack_platform:16.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "DCC81071-B46D-4F5D-AC25-B4A4CCC20C73",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openstack_platform:16.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "4B3000D2-35DF-4A93-9FC0-1AD3AB8349B8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:openstack_platform:17.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "E315FC5C-FF19-43C9-A58A-CF2A5FF13824",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "20A6B40D-F991-4712-8E30-5FE008505CB7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:quay:3.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B1987BDA-0113-4603-B9BE-76647EB043F2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:run_once_duration_override_operator:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "D482A3D2-6E9B-42BA-9926-35E5BDD5F3BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:satellite:6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "848C92A9-0677-442B-8D52-A448F2019903",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:self_node_remediation_operator:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "6F564701-EDC1-43CF-BB9F-287D6992C6CB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:service_interconnect:1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "12B0CF2B-D1E1-4E20-846E-6F0D873499A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:support_for_spring_boot:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "E8885C2C-7FB8-40CA-BCB9-B48C50BF2499",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:web_terminal:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "9D88B140-D2A1-4A0A-A2E9-1A3B50C295AD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:service_telemetry_framework:1.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "A903C3AD-2D25-45B5-BF4A-A5BEB2286627",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*",
              "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*",
              "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:netapp:astra_control_center:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "EC5EBD2A-32A3-46D5-B155-B44DCB7F6902",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F1BE6C1F-2565-4E97-92AA-16563E5660A5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:akka:http_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C2792650-851F-4820-B003-06A4BEA092D7",
              "versionEndExcluding": "10.5.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:konghq:kong_gateway:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "9F6B63B9-F4C9-4A3F-9310-E0918E1070D1",
              "versionEndExcluding": "3.4.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*",
              "matchCriteriaId": "E6FF5F80-A991-43D4-B49F-D843E2BC5798",
              "versionEndIncluding": "2.414.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "54D25DA9-12D0-4F14-83E6-C69D0293AAB9",
              "versionEndIncluding": "2.427",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8E1AFFB9-C717-4727-B0C9-5A0C281710E2",
              "versionEndExcluding": "9.4.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:openresty:openresty:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "25C85001-E0AB-4B01-8EE7-1D9C77CD956E",
              "versionEndExcluding": "1.21.4.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:cisco:business_process_automation:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FB2BDBAC-8D19-4F81-8D31-6D0955A53D82",
              "versionEndExcluding": "3.2.003.009",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:connected_mobile_experiences:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F98F9D27-6659-413F-8F29-4FDB0882AAC5",
              "versionEndExcluding": "11.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:crosswork_data_gateway:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C98BF315-C563-47C2-BAD1-63347A3D1008",
              "versionEndExcluding": "4.1.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:crosswork_data_gateway:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3F30E209-FA52-4D3B-9B88-4193EA388554",
              "versionEndExcluding": "5.0.2",
              "versionStartIncluding": "5.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:crosswork_situation_manager:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "3178F3A5-A072-44E1-A225-B04BC536F4FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:crosswork_zero_touch_provisioning:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AA2BE0F1-DD16-4876-8EBA-F187BD38B159",
              "versionEndExcluding": "6.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:data_center_network_manager:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "796B6C58-2140-4105-A2A1-69865A194A75",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:enterprise_chat_and_email:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "DEA99DC6-EA03-469F-A8BE-7F96FDF0B333",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:expressway:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6560DBF4-AFE6-4672-95DE-74A0B8F4170A",
              "versionEndExcluding": "x14.3.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "84785919-796D-41E5-B652-6B5765C81D4A",
              "versionEndExcluding": "7.4.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:iot_field_network_director:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "92A74A1A-C69F-41E6-86D0-D6BB1C5D0A1E",
              "versionEndExcluding": "4.11.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:prime_access_registrar:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6FE7BA33-2AC0-4A85-97AD-6D77F20BA2AD",
              "versionEndExcluding": "9.3.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:prime_cable_provisioning:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4FE2F959-1084-48D1-B1F1-8182FC9862DD",
              "versionEndExcluding": "7.2.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:prime_infrastructure:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5CC17E6B-D7AB-40D7-AEC5-F5B555AC4D7F",
              "versionEndExcluding": "3.10.4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:prime_network_registrar:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1BB6B48E-EA36-40A0-96D0-AF909BEC1147",
              "versionEndExcluding": "11.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:secure_dynamic_attributes_connector:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2CBED844-7F94-498C-836D-8593381A9657",
              "versionEndExcluding": "2.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:secure_malware_analytics:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C170DBA1-0899-4ECC-9A0D-8FEB1DA1B510",
              "versionEndExcluding": "2.19.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:telepresence_video_communication_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "358FA1DC-63D3-49F6-AC07-9E277DD0D9DA",
              "versionEndExcluding": "x14.3.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:ultra_cloud_core_-_policy_control_function:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BFF2D182-7599-4B81-B56B-F44EDA1384C0",
              "versionEndExcluding": "2024.01.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:ultra_cloud_core_-_policy_control_function:2024.01.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4868BCCA-24DE-4F24-A8AF-B3A545C0396E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:ultra_cloud_core_-_serving_gateway_function:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "194F7A1F-FD43-4FF7-9AE2-C13AA5567E8A",
              "versionEndExcluding": "2024.02.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:ultra_cloud_core_-_session_management_function:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BEC75F99-C7F0-47EB-9032-C9D3A42EBA20",
              "versionEndExcluding": "2024.02.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:unified_attendant_console_advanced:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "B6638F4E-16F7-447D-B755-52640BCB1C61",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:unified_contact_center_domain_manager:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "AC34F742-530E-4AB4-8AFC-D1E088E256B4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:unified_contact_center_enterprise:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "D31CC0E9-8E21-436B-AB84-EA1B1BC60DCD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:unified_contact_center_enterprise_-_live_data_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E22AD683-345B-4E16-BB9E-E9B1783E09AD",
              "versionEndExcluding": "12.6.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:cisco:unified_contact_center_management_portal:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "D5C0D694-9E24-4782-B35F-D7C3E3B0F2ED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:cisco:fog_director:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2955BEE9-F567-4006-B96D-92E10FF84DB4",
              "versionEndExcluding": "1.22",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "67502878-DB20-4410-ABA0-A1C5705064CD",
              "versionEndExcluding": "17.15.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:cisco:ios_xr:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "177DED2D-8089-4494-BDD9-7F84FC06CD5B",
              "versionEndExcluding": "7.11.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:cisco:secure_web_appliance_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "54A29FD3-4128-4333-8445-A7DD04A6ECF6",
              "versionEndExcluding": "15.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:cisco:secure_web_appliance:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "67074526-9933-46B3-9FE3-A0BE73C5E8A7",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:cisco:nx-os:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EEB32D2E-AD9D-44A0-AEF7-689F7D2605C9",
              "versionEndExcluding": "10.2\\(7\\)",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:cisco:nx-os:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0A236A0A-6956-4D79-B8E5-B2D0C79FAE88",
              "versionEndExcluding": "10.3\\(5\\)",
              "versionStartIncluding": "10.3\\(1\\)",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:cisco:nx-os:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BE71D34C-227A-4789-BA4D-79E5FDE311DB",
              "versionEndExcluding": "10.4\\(2\\)",
              "versionStartIncluding": "10.4\\(1\\)",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3016:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "528ED62B-D739-4E06-AC64-B506FD73BBAB",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3016q:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "2D402AB0-BCFB-4F42-8C50-5DC930AEEC8B",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3048:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "FC2A6C31-438A-4CF5-A3F3-364B1672EB7D",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3064:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "76C10D85-88AC-4A79-8866-BED88A0F8DF8",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3064-32t:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "09AC2BAD-F536-48D0-A2F0-D4E290519EB6",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3064-t:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "65CB7F6D-A82B-4A31-BFAC-FF4A4B8DF9C1",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3064-x:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "ECC4FFCC-E886-49BC-9737-5B5BA2AAB14B",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3064t:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "5F4E8EE4-031D-47D3-A12E-EE5F792172EE",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3064x:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "00CDD8C3-67D5-4E9F-9D48-A77B55DB0AB1",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3100:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "41C14CC9-C244-4B86-AEA6-C50BAD5DA9A6",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3100-v:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A8FF2EC4-0C09-4C00-9956-A2A4A894F63D",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3100-z:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "D14D4B4E-120E-4607-A4F1-447C7BF3052E",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3100v:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "15702ACB-29F3-412D-8805-E107E0729E35",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_31108pc-v:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "4E930332-CDDD-48D5-93BC-C22D693BBFA2",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_31108pv-v:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "29B34855-D8D2-4114-80D2-A4D159C62458",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_31108tc-v:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "7BF4B8FE-E134-4491-B5C2-C1CFEB64731B",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_31128pq:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4226DA0-9371-401C-8247-E6E636A116C3",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3132c-z:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "7664666F-BCE4-4799-AEEA-3A73E6AD33F4",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3132q:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "D3DBBFE9-835C-4411-8492-6006E74BAC65",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3132q-v:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "B3293438-3D18-45A2-B093-2C3F65783336",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3132q-x:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "C97C29EE-9426-4BBE-8D84-AB5FF748703D",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3132q-x\\/3132q-xl:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "E142C18F-9FB5-4D96-866A-141D7D16CAF7",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3132q-xl:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "8F43B770-D96C-44EA-BC12-9F39FC4317B9",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3164q:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "FA782EB3-E8E6-4DCF-B39C-B3CBD46E4384",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3172:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "7817F4E6-B2DA-4F06-95A4-AF329F594C02",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3172pq:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "CED628B5-97A8-4B26-AA40-BEC854982157",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3172pq-xl:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "7BB9DD73-E31D-4921-A6D6-E14E04703588",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3172pq\\/pq-xl:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "8EFC116A-627F-4E05-B631-651D161217C8",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3172tq:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "4532F513-0543-4960-9877-01F23CA7BA1B",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3172tq-32t:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "0B43502B-FD53-465A-B60F-6A359C6ACD99",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3172tq-xl:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F3229124-B097-4AAC-8ACD-2F9C89DCC3AB",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3200:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "32A532C0-B0E3-484A-B356-88970E7D0248",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3232:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "1C84D24C-2256-42AF-898A-221EBE9FE1E4",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3232c:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "652A2849-668D-4156-88FB-C19844A59F33",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3232c_:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "D008CA1C-6F5A-40EA-BB12-A9D84D5AF700",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3264c-e:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "24FBE87B-8A4F-43A8-98A3-4A7D9C630937",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3264q:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "6ACD09AC-8B28-4ACB-967B-AB3D450BC137",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3400:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "43913A0E-50D5-47DD-94D8-DD3391633619",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3408-s:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "7D397349-CCC6-479B-9273-FB1FFF4F34F2",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_34180yc:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC7286A7-780F-4A45-940A-4AD5C9D0F201",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_34200yc-sm:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "CA52D5C1-13D8-4D23-B022-954CCEF491F1",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3432d-s:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "5F7AF8D7-431B-43CE-840F-CC0817D159C0",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3464c:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "DAC204C8-1A5A-4E85-824E-DC9B8F6A802D",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3500:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A8E1073F-D374-4311-8F12-AD8C72FAA293",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3524:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "EAF5AF71-15DF-4151-A1CF-E138A7103FC8",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3524-x:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "10F80A72-AD54-4699-B8AE-82715F0B58E2",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3524-x\\/xl:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "E505C0B1-2119-4C6A-BF96-C282C633D169",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3524-xl:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "9354B6A2-D7D6-442E-BF4C-FE8A336D9E94",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3548:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "088C0323-683A-44F5-8D42-FF6EC85D080E",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3548-x:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "74CB4002-7636-4382-B33E-FBA060A13C34",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3548-x\\/xl:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "915EF8F6-6039-4DD0-B875-30D911752B74",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3548-xl:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "10CEBF73-3EE0-459A-86C5-F8F6243FE27C",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3600:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "97217080-455C-48E4-8CE1-6D5B9485864F",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_36180yc-r:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "95D2C4C3-65CE-4612-A027-AF70CEFC3233",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3636c-r:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "57572E4A-78D5-4D1A-938B-F05F01759612",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:cisco:nx-os:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EEB32D2E-AD9D-44A0-AEF7-689F7D2605C9",
              "versionEndExcluding": "10.2\\(7\\)",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:cisco:nx-os:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0A236A0A-6956-4D79-B8E5-B2D0C79FAE88",
              "versionEndExcluding": "10.3\\(5\\)",
              "versionStartIncluding": "10.3\\(1\\)",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:cisco:nx-os:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BE71D34C-227A-4789-BA4D-79E5FDE311DB",
              "versionEndExcluding": "10.4\\(2\\)",
              "versionStartIncluding": "10.4\\(1\\)",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9000v:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "0CD9C1F1-8582-4F67-A77D-97CBFECB88B8",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9200:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "532CE4B0-A3C9-4613-AAAF-727817D06FB4",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9200yc:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "24CA1A59-2681-4507-AC74-53BD481099B9",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_92160yc-x:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "4283E433-7F8C-4410-B565-471415445811",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_92160yc_switch:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF9147C9-5D8B-40F5-9AAA-66A3495A0AD8",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9221c:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "FFB9FDE8-8533-4F65-BF32-4066D042B2F7",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_92300yc:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F80AB6FB-32FD-43D7-A9F1-80FA47696210",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_92300yc_switch:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "3AA5389A-8AD1-476E-983A-54DF573C30F5",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_92304qc:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "D5B2E4C1-2627-4B9D-8E92-4B483F647651",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_92304qc_switch:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "C1B1A8F1-45B1-4E64-A254-7191FA93CB6D",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9232e:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "83DA8BFA-D7A2-476C-A6F5-CAE610033BC2",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_92348gc-x:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "557ED31C-C26A-4FAE-8B14-D06B49F7F08B",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9236c:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "11411BFD-3F4D-4309-AB35-A3629A360FB0",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9236c_switch:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "DB2FFD26-8255-4351-8594-29D2AEFC06EF",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9272q:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "E663DE91-C86D-48DC-B771-FA72A8DF7A7C",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9272q_switch:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "61E10975-B47E-4F4D-8096-AEC7B7733612",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9300:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "92E2CB2B-DA11-4CF7-9D57-3D4D48990DC0",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_93108tc-ex:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A90184B3-C82F-4CE5-B2AD-97D5E4690871",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_93108tc-ex-24:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "40E40F42-632A-47DF-BE33-DC25B826310B",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_93108tc-ex_switch:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "2C67B7A6-9BB2-41FC-8FA3-8D0DF67CBC68",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_93108tc-fx:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "4AB89849-6DA4-4C9D-BC3F-EE0E41FD1901",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_93108tc-fx-24:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "C47F6BF9-2ADB-41A4-8D7D-8BB00141BB23",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_93108tc-fx3h:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "16C64136-89C2-443C-AF7B-BED81D3DE25A",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_93108tc-fx3p:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "BBEF7F26-BB47-44BD-872E-130820557C23",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_93120tx:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "07DE6F63-2C7D-415B-8C34-01EC05C062F3",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_93120tx_switch:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "182000E0-8204-4D8B-B7DE-B191AFE12E28",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_93128:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F309E7B9-B828-4CD2-9D2B-8966EE5B9CC1",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_93128tx:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F423E45D-A6DD-4305-9C6A-EAB26293E53A",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_93128tx_switch:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "BDC208BC-7E19-48C6-A20E-A79A51B7362C",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9316d-gx:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "102F91CD-DFB6-43D4-AE5B-DA157A696230",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_93180lc-ex:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "E952A96A-0F48-4357-B7DD-1127D8827650",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_93180lc-ex_switch:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "084D0191-563B-4FF0-B589-F35DA118E1C6",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_93180tc-ex:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "B7DB6FC5-762A-4F16-AE8C-69330EFCF640",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_93180yc-ex:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F70D81F1-8B12-4474-9060-B4934D8A3873",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_93180yc-ex-24:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "5394DE31-3863-4CA9-B7B1-E5227183100D",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_93180yc-ex_switch:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "968390BC-B430-4903-B614-13104BFAE635",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_93180yc-fx:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "7349D69B-D8FA-4462-AA28-69DD18A652D9",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_93180yc-fx-24:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "FE4BB834-2C00-4384-A78E-AF3BCDDC58AF",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_93180yc-fx3:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "B0D30D52-837F-4FDA-B8E5-A9066E9C6D2F",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_93180yc-fx3h:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "E6678B8A-D905-447E-BE7E-6BFB4CC5DAFE",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_93180yc-fx3s:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "7CE49B45-F2E9-491D-9C29-1B46E9CE14E2",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_93216tc-fx2:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "B1CC5F78-E88B-4B82-9E3E-C73D3A49DE26",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_93240tc-fx2:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "4BFAD21E-59EE-4CCE-8F1E-621D2EA50905",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_93240yc-fx2:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "91231DC6-2773-4238-8C14-A346F213B5E5",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9332c:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "2DF88547-BAF4-47B0-9F60-80A30297FCEB",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9332d-gx2b:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "02C3CE6D-BD54-48B1-A188-8E53DA001424",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9332d-h2r:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "498991F7-39D6-428C-8C7D-DD8DC72A0346",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9332pq:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "113772B6-E9D2-4094-9468-3F4E1A87D07D",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9332pq_switch:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F7B90D36-5124-4669-8462-4EAF35B0F53D",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_93360yc-fx2:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "C45A38D6-BED6-4FEF-AD87-A1E813695DE0",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9336c-fx2:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F1FC2B1F-232E-4754-8076-CC82F3648730",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9336c-fx2-e:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "7CDD27C9-5EAF-4956-8AB7-740C84C9D4FC",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9336pq:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "5F1127D2-12C0-454F-91EF-5EE334070D06",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9336pq_aci:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "7D6EB963-E0F2-4A02-8765-AB2064BE19E9",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9336pq_aci_spine:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "785FD17C-F32E-4042-9DDE-A89B3AAE0334",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9336pq_aci_spine_switch:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "DEAAF99B-5406-4722-81FB-A91CBAC2DF41",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9348d-gx2a:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "73DC1E93-561E-490C-AE0E-B02BAB9A7C8E",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9348gc-fx3:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "12DA2DE5-8ADA-4D6A-BC1A-9C06FA163B1C",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9348gc-fxp:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "17C7E3DB-8E1A-47AD-B1C5-61747DC0CFB9",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_93600cd-gx:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "2CF467E2-4567-426E-8F48-39669E0F514C",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9364c:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "63842B25-8C32-4988-BBBD-61E9CB09B4F3",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9364c-gx:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "68EA1FEF-B6B6-49FE-A0A4-5387F76303F8",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9364d-gx2a:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "40D6DB7F-C025-4971-9615-73393ED61078",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9372px:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "4364ADB9-8162-451D-806A-B98924E6B2CF",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9372px-e:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "B53BCB42-ED61-4FCF-8068-CB467631C63C",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9372px-e_switch:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "737C724A-B6CD-4FF7-96E0-EBBF645D660E",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9372px_switch:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "7067AEC7-DFC8-4437-9338-C5165D9A8F36",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9372tx:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "49E0371B-FDE2-473C-AA59-47E1269D050F",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9372tx-e:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "489D11EC-5A18-4F32-BC7C-AC1FCEC27222",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9372tx-e_switch:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "71D4CF15-B293-4403-A1A9-96AD3933BAEF",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9372tx_switch:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "DBCC1515-2DBE-4DF2-8E83-29A869170F36",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9396px:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "1BC5293E-F2B4-46DC-85DA-167EA323FCFD",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9396px_switch:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "7282AAFF-ED18-4992-AC12-D953C35EC328",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9396tx:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "EA022E77-6557-4A33-9A3A-D028E2DB669A",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9396tx_switch:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "360409CC-4172-4878-A76B-EA1C1F8C7A79",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9408:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "D8D5D5E2-B40B-475D-9EF3-8441016E37E9",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9432pq:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "FDA8E1F0-74A6-4725-B6AA-A1112EFC5D0C",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9500:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "63BE0266-1C00-4D6A-AD96-7F82532ABAA7",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9500_16-slot:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "73F59A4B-AE92-4533-8EDC-D1DD850309FF",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9500_4-slot:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "492A2C86-DD38-466B-9965-77629A73814F",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9500_8-slot:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "1FB7AA46-4018-4925-963E-719E1037F759",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9500_supervisor_a:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "31B9D1E4-10B9-4B6F-B848-D93ABF6486D6",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9500_supervisor_a\\+:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "CB270C45-756E-400A-979F-D07D750C881A",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9500_supervisor_b:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "4E8A085C-2DBA-4269-AB01-B16019FBB4DA",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9500_supervisor_b\\+:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A79DD582-AF68-44F1-B640-766B46EF2BE2",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9500r:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "B04484DA-AA59-4833-916E-6A8C96D34F0D",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9504:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "768BE390-5ED5-48A7-9E80-C4DE8BA979B1",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9504_switch:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "D07B5399-44C7-468D-9D57-BB5B5E26CE50",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9508:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "DDC2F709-AFBE-48EA-A3A2-DA1134534FB6",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9508_switch:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "B76FB64F-16F0-4B0B-B304-B46258D434BA",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9516:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "7E02DC82-0D26-436F-BA64-73C958932B0A",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9516_switch:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "2E128053-834B-4DD5-A517-D14B4FC2B56F",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9536pq:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "163743A1-09E7-4EC5-8ECA-79E4B9CE173B",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9636pq:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "CE340E4C-DC48-4FC8-921B-EE304DB5AE0A",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9716d-gx:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "C367BBE0-D71F-4CB5-B50E-72B033E73FE1",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9736pq:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "85E1D224-4751-4233-A127-A041068C804A",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9800:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "BD31B075-01B1-429E-83F4-B999356A0EB9",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9804:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "A10C9C0A-C96A-4B45-90D0-6ED457EB5F4C",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9808:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "3284D16F-3275-4F8D-8AE4-D413DE19C4FA",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023."
    },
    {
      "lang": "es",
      "value": "El protocolo HTTP/2 permite una denegaci\u00f3n de servicio (consumo de recursos del servidor) porque la cancelaci\u00f3n de solicitudes puede restablecer muchas transmisiones r\u00e1pidamente, como se explot\u00f3 en la naturaleza entre agosto y octubre de 2023."
    }
  ],
  "id": "CVE-2023-44487",
  "lastModified": "2025-06-11T17:29:54.137",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2023-10-10T14:15:10.883",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2023/10/10/6"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2023/10/10/7"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2023/10/13/4"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2023/10/13/9"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2023/10/18/4"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2023/10/18/8"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2023/10/19/6"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2023/10/20/8"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/cve-2023-44487"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Press/Media Coverage",
        "Third Party Advisory"
      ],
      "url": "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Technical Description",
        "Vendor Advisory"
      ],
      "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "Vendor Advisory"
      ],
      "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Press/Media Coverage",
        "Third Party Advisory"
      ],
      "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://blog.vespa.ai/cve-2023-44487/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Technical Description",
        "Vendor Advisory"
      ],
      "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Technical Description",
        "Vendor Advisory"
      ],
      "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Broken Link"
      ],
      "url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/Azure/AKS/issues/3947"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/Kong/kong/discussions/11741"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mitigation",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/akka/akka-http/issues/4323"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/alibaba/tengine/issues/1872"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/apache/apisix/issues/10320"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/apache/httpd-site/pull/10"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product",
        "Third Party Advisory"
      ],
      "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/apache/trafficserver/pull/10564"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/bcdannyboy/CVE-2023-44487"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://github.com/caddyserver/caddy/issues/5877"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/caddyserver/caddy/releases/tag/v2.7.5"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/dotnet/announcements/issues/277"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/eclipse/jetty.project/issues/10679"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/envoyproxy/envoy/pull/30055"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/etcd-io/etcd/issues/16740"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/facebook/proxygen/pull/466"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/golang/go/issues/63417"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/grpc/grpc-go/pull/6703"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://github.com/grpc/grpc/releases/tag/v1.59.2"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/h2o/h2o/pull/3291"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/haproxy/haproxy/issues/2312"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/junkurihara/rust-rpxy/issues/97"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/kazu-yamamoto/http2/issues/93"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/kubernetes/kubernetes/pull/121120"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/line/armeria/pull/5232"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/micrictor/http2-rst-stream"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/microsoft/CBL-Mariner/pull/6381"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/nghttp2/nghttp2/pull/1961"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/ninenines/cowboy/issues/1615"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/nodejs/node/pull/50121"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/openresty/openresty/issues/930"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/opensearch-project/data-prepper/issues/3474"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/oqtane/oqtane.framework/discussions/3367"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/projectcontour/contour/pull/5826"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/tempesta-tech/tempesta/issues/1986"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/varnishcache/varnish-cache/issues/3996"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://istio.io/latest/news/security/istio-security-2023-004/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mitigation",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://my.f5.com/manage/s/article/K000137106"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://news.ycombinator.com/item?id=37830987"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Press/Media Coverage"
      ],
      "url": "https://news.ycombinator.com/item?id=37830998"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://news.ycombinator.com/item?id=37831062"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://news.ycombinator.com/item?id=37837043"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http2-reset-d8Kf32vZ"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202311-09"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20231016-0001/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20240426-0007/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20240621-0007/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://security.paloaltonetworks.com/CVE-2023-44487"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://ubuntu.com/security/CVE-2023-44487"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Press/Media Coverage",
        "Third Party Advisory"
      ],
      "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://www.debian.org/security/2023/dsa-5521"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://www.debian.org/security/2023/dsa-5522"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2023/dsa-5540"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2023/dsa-5549"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2023/dsa-5558"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2023/dsa-5570"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "Vendor Advisory"
      ],
      "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Press/Media Coverage"
      ],
      "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Press/Media Coverage",
        "Third Party Advisory"
      ],
      "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2023/10/13/4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2023/10/13/9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2023/10/18/4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2023/10/18/8"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2023/10/19/6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2023/10/20/8"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/cve-2023-44487"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Press/Media Coverage",
        "Third Party Advisory"
      ],
      "url": "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Technical Description",
        "Vendor Advisory"
      ],
      "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "Vendor Advisory"
      ],
      "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Press/Media Coverage",
        "Third Party Advisory"
      ],
      "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://blog.vespa.ai/cve-2023-44487/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Technical Description",
        "Vendor Advisory"
      ],
      "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Technical Description",
        "Vendor Advisory"
      ],
      "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/Azure/AKS/issues/3947"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/Kong/kong/discussions/11741"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/akka/akka-http/issues/4323"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/alibaba/tengine/issues/1872"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/apache/apisix/issues/10320"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/apache/httpd-site/pull/10"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product",
        "Third Party Advisory"
      ],
      "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/apache/trafficserver/pull/10564"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/bcdannyboy/CVE-2023-44487"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://github.com/caddyserver/caddy/issues/5877"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/caddyserver/caddy/releases/tag/v2.7.5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/dotnet/announcements/issues/277"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/eclipse/jetty.project/issues/10679"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/envoyproxy/envoy/pull/30055"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/etcd-io/etcd/issues/16740"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/facebook/proxygen/pull/466"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/golang/go/issues/63417"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/grpc/grpc-go/pull/6703"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/h2o/h2o/pull/3291"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/haproxy/haproxy/issues/2312"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/junkurihara/rust-rpxy/issues/97"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/kazu-yamamoto/http2/issues/93"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/kubernetes/kubernetes/pull/121120"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/line/armeria/pull/5232"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/micrictor/http2-rst-stream"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/microsoft/CBL-Mariner/pull/6381"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/nghttp2/nghttp2/pull/1961"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/ninenines/cowboy/issues/1615"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/nodejs/node/pull/50121"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/openresty/openresty/issues/930"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/opensearch-project/data-prepper/issues/3474"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/oqtane/oqtane.framework/discussions/3367"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/projectcontour/contour/pull/5826"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/tempesta-tech/tempesta/issues/1986"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/varnishcache/varnish-cache/issues/3996"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://istio.io/latest/news/security/istio-security-2023-004/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://my.f5.com/manage/s/article/K000137106"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://news.ycombinator.com/item?id=37830987"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Press/Media Coverage"
      ],
      "url": "https://news.ycombinator.com/item?id=37830998"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://news.ycombinator.com/item?id=37831062"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://news.ycombinator.com/item?id=37837043"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202311-09"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20231016-0001/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20240426-0007/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20240621-0007/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://security.paloaltonetworks.com/CVE-2023-44487"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://ubuntu.com/security/CVE-2023-44487"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Press/Media Coverage",
        "Third Party Advisory"
      ],
      "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://www.debian.org/security/2023/dsa-5521"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://www.debian.org/security/2023/dsa-5522"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2023/dsa-5540"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2023/dsa-5549"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2023/dsa-5558"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2023/dsa-5570"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "Vendor Advisory"
      ],
      "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Press/Media Coverage"
      ],
      "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Press/Media Coverage",
        "Third Party Advisory"
      ],
      "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.vicarius.io/vsociety/posts/rapid-reset-cve-2023-44487-dos-in-http2-understanding-the-root-cause"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2023-08-04 18:15
Modified
2024-11-21 07:36
Severity ?
5.0 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Summary
A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, integrity, and availability.
References
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2023-0264Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/security/cve/CVE-2023-0264Vendor Advisory
Impacted products
Vendor Product Version
redhat keycloak *
redhat single_sign-on *
redhat enterprise_linux 7.0
redhat enterprise_linux 8.0
redhat enterprise_linux 9.0
redhat openshift_container_platform 4.9
redhat openshift_container_p