Vulnerability-Lookup

CVE-2019-13990 (GCVE-0-2019-13990)

Vulnerability from cvelistv5 – Published: 2019-07-26 00:00 – Updated: 2024-10-15 18:22

Summary

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

Assigner

mitre

References

17 references

URL	Tags
https://lists.apache.org/thread.html/e493e718a50f…	mailing-list
https://lists.apache.org/thread.html/1870324fea41…	mailing-list
https://lists.apache.org/thread.html/6b6e3480b198…	mailing-list
https://lists.apache.org/thread.html/f74b170d3d58…	mailing-list
https://lists.apache.org/thread.html/172d405e556e…	mailing-list
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://github.com/quartz-scheduler/quartz/issues/467
https://lists.apache.org/thread.html/re9b56ac1934…	mailing-list
https://lists.apache.org/thread.html/r3a6884e8d81…	mailing-list
https://lists.apache.org/thread.html/r21df13c8bd2…	mailing-list
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://security.netapp.com/advisory/ntap-2022102…
https://confluence.atlassian.com/security/ssot-11…

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T00:05:44.151Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[tomee-dev] 20190830 Re: Quartz CVE-2019-13990",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629%40%3Cdev.tomee.apache.org%3E"
          },
          {
            "name": "[tomee-dev] 20190830 Quartz CVE-2019-13990",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3%40%3Cdev.tomee.apache.org%3E"
          },
          {
            "name": "[tomee-dev] 20190908 Re: Quartz CVE-2019-13990",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949%40%3Cdev.tomee.apache.org%3E"
          },
          {
            "name": "[tomee-commits] 20190908 svn commit: r1866633 - /tomee/deps/trunk/quartz-openejb-shade/pom.xml",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf%40%3Ccommits.tomee.apache.org%3E"
          },
          {
            "name": "[tomee-dev] 20190923 Re: [VOTE] Release quartz-openejb-shade 2.2.4",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3E"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/quartz-scheduler/quartz/issues/467"
          },
          {
            "name": "[tomee-commits] 20200720 [jira] [Created] (TOMEE-2886) Update quartz-scheduler to mitigate CVE-2019-13990",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa%40%3Ccommits.tomee.apache.org%3E"
          },
          {
            "name": "[tomee-commits] 20200720 [jira] [Commented] (TOMEE-2886) Update quartz-scheduler to mitigate CVE-2019-13990",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf%40%3Ccommits.tomee.apache.org%3E"
          },
          {
            "name": "[tomee-commits] 20200720 [jira] [Assigned] (TOMEE-2886) Update quartz-scheduler to mitigate CVE-2019-13990",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a%40%3Ccommits.tomee.apache.org%3E"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20221028-0002/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2019-13990",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-15T17:36:32.053865Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-611",
                "description": "CWE-611 Improper Restriction of XML External Entity Reference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-15T18:22:20.316Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-28T05:44:55.522Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "[tomee-dev] 20190830 Re: Quartz CVE-2019-13990",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629%40%3Cdev.tomee.apache.org%3E"
        },
        {
          "name": "[tomee-dev] 20190830 Quartz CVE-2019-13990",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3%40%3Cdev.tomee.apache.org%3E"
        },
        {
          "name": "[tomee-dev] 20190908 Re: Quartz CVE-2019-13990",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949%40%3Cdev.tomee.apache.org%3E"
        },
        {
          "name": "[tomee-commits] 20190908 svn commit: r1866633 - /tomee/deps/trunk/quartz-openejb-shade/pom.xml",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf%40%3Ccommits.tomee.apache.org%3E"
        },
        {
          "name": "[tomee-dev] 20190923 Re: [VOTE] Release quartz-openejb-shade 2.2.4",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3E"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
        },
        {
          "url": "https://github.com/quartz-scheduler/quartz/issues/467"
        },
        {
          "name": "[tomee-commits] 20200720 [jira] [Created] (TOMEE-2886) Update quartz-scheduler to mitigate CVE-2019-13990",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa%40%3Ccommits.tomee.apache.org%3E"
        },
        {
          "name": "[tomee-commits] 20200720 [jira] [Commented] (TOMEE-2886) Update quartz-scheduler to mitigate CVE-2019-13990",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf%40%3Ccommits.tomee.apache.org%3E"
        },
        {
          "name": "[tomee-commits] 20200720 [jira] [Assigned] (TOMEE-2886) Update quartz-scheduler to mitigate CVE-2019-13990",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a%40%3Ccommits.tomee.apache.org%3E"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
        },
        {
          "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20221028-0002/"
        },
        {
          "url": "https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-13990",
    "datePublished": "2019-07-26T00:00:00.000Z",
    "dateReserved": "2019-07-19T00:00:00.000Z",
    "dateUpdated": "2024-10-15T18:22:20.316Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2019-13990",
      "date": "2026-05-21",
      "epss": "0.16981",
      "percentile": "0.95058"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:softwareag:quartz:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.3.2\", \"matchCriteriaId\": \"45E3B3FD-2210-4419-86E7-0365320383F7\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:apache_batik_mapviewer:12.2.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"03B8033B-C2A4-47A2-88F0-ED2BF8962518\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:apache_batik_mapviewer:18c:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4B1124B6-CECC-4D4D-A8D5-F05928A545AB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:apache_batik_mapviewer:19c:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3BE19D2D-0789-4925-BC87-DC3A4C063FBF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:banking_enterprise_originations:2.7.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7AB8ABFD-C72C-4CBB-8872-9440A19154D6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:banking_enterprise_originations:2.8.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3054FEBB-484B-4927-9D1C-2024772E8B3D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:banking_enterprise_product_manufacturing:2.7.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5AED3C78-7D65-4F02-820D-B51BCE4022F9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:banking_enterprise_product_manufacturing:2.8.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"557A23A1-4762-4D29-A478-D1670C1847D3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:banking_payments:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"14.1.0\", \"versionEndIncluding\": \"14.4.0\", \"matchCriteriaId\": \"2FF46C9A-7768-4E52-A676-BEA6AE766AD4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:communications_ip_service_activator:7.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DE48E0FE-5931-441C-B4FF-253BD9C48186\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:communications_ip_service_activator:7.4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DE7A60DB-A287-4E61-8131-B6314007191B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"8.2.0\", \"versionEndIncluding\": \"8.2.2\", \"matchCriteriaId\": \"11B0C37E-D7C7-45F2-A8D8-5A3B1B191430\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"727DF4F5-3D21-491E-96B9-EC973A6C9C18\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:documaker:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"12.6.0\", \"versionEndIncluding\": \"12.6.4\", \"matchCriteriaId\": \"135D531C-A692-4BE3-AB8C-37BB0D35559A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"66916DEB-ACE1-44E0-9535-10B3E03347AC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B095CC03-7077-4A58-AB25-CC5380CDCE5A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:flexcube_investor_servicing:12.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"21BE77B2-6368-470E-B9E6-21664D9A818A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:flexcube_investor_servicing:12.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3250073F-325A-4AFC-892F-F2005E3854A5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:flexcube_investor_servicing:12.4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0DDDC9C2-33D6-4123-9ABC-C9B809A6E88E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:flexcube_investor_servicing:14.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A69266D2-72D0-4A6C-883D-2597FE30931B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:flexcube_investor_servicing:14.4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"524429D6-8AF1-4713-A9B8-678B50A3762F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6762F207-93C7-4363-B2F9-7A7C6F8AF993\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1B74B912-152D-4F38-9FC1-741D6D0B27FC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"06E586B3-3434-4B08-8BE3-16C528642CA5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:google_guava_mapviewer:12.2.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0CCA59D2-2853-44F3-9C5C-CC59B49A6B69\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:google_guava_mapviewer:18c:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"779EB0EC-2905-48BC-B375-E6E78B26A169\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:google_guava_mapviewer:19c:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E19C4DBE-2889-4C13-A0E9-30D0CD1BF714\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DED59B62-C9BF-4C0E-B351-3884E8441655\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"9.2.5.3\", \"matchCriteriaId\": \"B2A0A4A6-70D3-418B-80EA-04718C50C500\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"17.7\", \"versionEndIncluding\": \"17.12\", \"matchCriteriaId\": \"08FA59A8-6A62-4B33-8952-D6E658F8DAC9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D55A54FD-7DD1-49CD-BE81-0BE73990943C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"82EB08C0-2D46-4635-88DF-E54F6452D3A3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"202AD518-2E9B-4062-B063-9858AE1F9CE2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F0735989-13BD-40B3-B954-AC0529C5B53D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"58405263-E84C-4071-BB23-165D49034A00\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:retail_integration_bus:15.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"42064F46-3012-4FB1-89BA-F13C2E4CBB6B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F73E2EFA-0F43-4D92-8C7D-9E66811B76D6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EE8CF045-09BB-4069-BCEC-496D5AE3B780\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"38E74E68-7F19-4EF3-AC00-3C249EAAA39E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:retail_order_broker:18.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0783F0D1-8FAC-4BCA-A6F5-C5C60E86D56D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:retail_order_broker:19.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"BFB0BB58-04D3-409D-AECC-9633782F0E75\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E13DF2AE-F315-4085-9172-6C8B21AF1C9E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"BDB925C6-2CBC-4D88-B9EA-F246F4F7A206\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"11DA6839-849D-4CEF-85F3-38FE75E07183\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"BCE78490-A4BE-40BD-8C72-0A4526BBD4A4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"55AE3629-4A66-49E4-A33D-6D81CC94962F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4CB39A1A-AD29-45DD-9EB5-5E2053A01B9A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"27C26705-6D1F-4D5E-B64D-B479108154FF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:terracotta_quartz_scheduler_mapviewer:12.2.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7E75624C-68FA-465C-86B3-BCFB649C4782\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:terracotta_quartz_scheduler_mapviewer:18c:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6B7DF2FA-F290-40F7-ABD1-AB50EEBC83B5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:terracotta_quartz_scheduler_mapviewer:19c:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E4D4E5C1-D4A6-464D-9DF3-A9DDD1912FBB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D551CAB1-4312-44AA-BDA8-A030817E153A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"174A6D2E-E42E-4C92-A194-C6A820CD7EF4\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomee:7.1.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E74771B8-99DA-434F-ADCF-258838674E18\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*\", \"matchCriteriaId\": \"F3E0B672-3E06-4422-B2A4-0BD073AEC2A1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*\", \"matchCriteriaId\": \"3A756737-1CC4-42C2-A4DF-E1C893B4E2D5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*\", \"matchCriteriaId\": \"B55E8D50-99B4-47EC-86F9-699B67D473CE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F0F202E8-97E6-4BBB-A0B6-4CA3F5803C08\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.0:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"E70C8416-E4F6-44BC-BDF9-BB1BAE7E185F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.0:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"1363F683-E350-4639-A973-A82BDD83A3A1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.1:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"7BAB5016-8439-4E01-8911-8B472EF38E13\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.1:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"F8EF8DCE-7266-49B1-AE2E-96079A2AD6E7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.2:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"029B8E7F-65EF-4984-A27B-8198D8EB18DB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.2:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"55C7B96B-2A2F-47F9-BBBD-0E25F8AF8F02\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.3:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"160B6A9E-41DC-4999-B3CC-A16B3A16D2A4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.3:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"FC59154D-036C-4F22-B5F1-891527A3EC6B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.4:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"6AD2CA00-9D6C-4DAC-90E6-BE1D93555C11\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.4:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"2FDF2DF4-B0EE-4179-AF98-B21EBB2E1D6F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.5:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"AF85E227-F167-4CCB-A039-D96CC080B032\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.5:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"EDA3B2B5-C9EA-4D26-AEF4-F86792FB9ADC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.6:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"93DDAE6E-DB31-429A-B4EB-955E080A4545\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.6:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"DF994E6C-6262-4230-BBC6-E464EBC1B0F9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.7:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"25DA87CA-362C-4558-AA42-265DA1F8C26D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.7:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"EF410408-CD38-408A-97C4-1103EF8AF68D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.8:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"037D6CB0-959B-468E-87DD-8B1110A14ED0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.8:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"1B885DB6-2DEA-4EB4-97BC-2BF30BC45544\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.9:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"C83E3571-CD54-40A2-AAC0-20F67954642B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.9:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"B69320FF-4E93-475C-B995-85CF1A03DBDA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.10:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"FD430022-C74D-4340-88F9-21AB69485966\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.10:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"549E2860-25D9-468C-891D-AD9BEADA08B3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.11:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"5C03D422-521C-48B2-B293-247232D1ED3C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.11:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"2B0DBCC1-2D1F-4DB3-A693-DA0FA18B9A5E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.12:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"34515441-AE13-4492-A08E-6521D840F689\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.12:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"6FABE527-FED5-4BA3-ABF0-C89AD1228ED2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.13:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"6BE5E85B-7725-4DB9-8357-9097F777705D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.13:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"910A2B29-3502-499B-892F-F6AD473CA6F6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.14:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"2BAB1FDD-C213-48CB-B28B-802F0D1278A7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.14:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"59D09ED0-E31D-4C6B-A217-A3C58C209782\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.15:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"746CCD4F-5411-4249-8A71-A47AD598498A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.15:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"A055705E-4F63-4EB9-BABC-8888041D1E1F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.16:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"AFA32156-893E-44A7-9F18-73586F2E21AB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.16:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"631D10DC-9F03-4BEE-98DD-0759746825A2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.17:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"AFAC053F-3A53-4AD8-9393-49A837A38A8C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.17:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"FE355EB5-A0C4-471C-8E47-1898746D89C6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.18:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"CC230B1E-AA5E-4E76-92E5-41130C56DD34\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.18:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"B764FD56-DBFF-46EE-9108-CF88591DC7A2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.19:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"3F369AD5-25DB-43E4-ADB5-22A774FC6F91\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.19:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"454804E1-9C4C-41AA-ACB4-0150BB39669C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.20:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"79A73328-B3BF-4682-9B60-12A4039F9D1E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.20:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"2A75238E-A82C-4BE9-8300-2BE8B40C31CD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.21:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"1E7B8908-7F72-495B-B562-81E789643A60\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.21:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"55A04426-7D52-4F90-9623-109F201223AC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.22:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"2CC10DC7-1B0B-41E6-B903-DC7E59F68517\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.22:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"E7A19BC6-3F2B-4248-8255-BBA729F941C7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.23:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"DC4936AD-0B95-4687-B0A8-290E76D3ED7C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.23:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"33A3BC88-F6CC-4CDD-8842-2DC5C4706AC3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.24:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"AE05DF9B-2F49-45E9-AB47-A5FA18B6847E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.24:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"29F7D306-FC7F-4748-BC1D-6280654B8409\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.25:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"C82EA42D-1583-4B6D-840E-69B804BD2902\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.20.25:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"22D1EEB6-D4D1-46FC-BB60-CF33EE970E43\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.21.0:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"F1992CBB-135C-4CD7-8D9B-037EEE0530BA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.21.0:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"D8232A74-B1DA-48DD-9DF1-4D04F6091BE3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.21.1:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"F81B63AA-1086-448A-8D60-F5CF41BB1226\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.21.1:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"2B8BBC24-532A-46AB-9D7D-241C43082E95\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.22.0:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"F629DC1E-E044-4D84-8D60-B4E6C139EE98\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.22.0:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"4BDBC59C-C5C7-4848-8CCA-D4DF0354BFCA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.22.1:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"D2E75D91-EC8E-4BAC-B989-403120F84BAC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.22.1:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"FEA2A29A-D2AA-4688-888D-02923EEBFF4A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.22.2:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"93EEA37B-7E96-455D-9131-2CDB77889080\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.22.2:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"71D2DC08-B93D-474B-9332-793A47E0A792\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.22.3:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"9263586C-D6A5-48F4-8F36-F672377AAFAD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.22.3:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"01F142BF-C557-4D27-A263-0A77D3FBAA27\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.22.4:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"BC250698-AA6D-46FC-923D-9A3EB0742697\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.22.4:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"755B605C-E032-435B-90C3-FEB1EEBD43E7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.22.6:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"728DE946-60C8-433A-807B-45720C668B37\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:4.22.6:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"F24C4029-A2D5-4B95-AE2B-10B035B28420\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.0.0:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"52672DE1-9B0D-4689-93AD-FF4B8A59E5EC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.0.0:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"D802B4FE-F56F-46C4-A84B-EB89931EC16E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.1.0:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"17E30F04-14EF-4F4D-8124-D0DD04E9EDF9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.1.0:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"538503C1-F947-4BCF-836F-A609A601E064\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.1.1:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"07105957-FEBE-4E02-88FB-A8DDAE67E8A9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.1.1:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"E40B10B9-F8C3-4279-A9AC-2E25AEF46D7A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.2.0:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"C7D685CD-9CAD-42B5-B721-26203854F396\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.2.0:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"269B2F72-56A3-4750-8665-7DE03DAE3DAA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.2.1:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"C600291E-2EDC-4F61-9FC1-C2C34C20EA4C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.2.1:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"C8D33E70-8A27-46A2-BB14-87181F8DA0F3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.3.0:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"F09CAEB7-4C1F-4B5B-9921-6DD06FF9EB9D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.3.0:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"7E9F4E2A-E450-496C-B3E8-B0817BAD8817\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.3.1:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"964CB4B7-1502-4E92-B7D2-D864C13E338B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.3.1:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"A9EFBC53-7C0B-408E-A745-0C83E9E38DAD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.3.2:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"18A70517-84A8-4866-9FE8-06D0608391E4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.3.2:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"E504A879-B312-4E8F-ADF9-8C1623B023AE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.3.3:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"9EE1449F-6F38-4677-9DB9-AF2D9A7C2AE2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.3.3:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"2BC5B994-25C4-4C00-8871-F3664878C83B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.4.0:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"4484C6ED-659F-47F5-BFE2-7E9794FA51C3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.4.0:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"F4449121-125E-49D9-BF3E-2A6EA169B796\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.4.1:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"C940817F-B265-4F42-AE19-DA2B49AC1D53\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.4.1:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"099869F1-BC95-4828-A0F5-9BBADDC3F6F3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.4.2:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"601B5811-B1B8-4FF0-984B-62F07366615A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.4.2:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"0D82DFCD-964E-406E-8329-E31A76FCFC64\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.4.3:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"ED8B7E12-9139-4BCB-9A5A-C8B23A6F8628\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.4.3:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"08F237B7-4C22-4A35-BC82-6B6E892B7EB3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.4.4:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"0EC83F47-180C-481B-88A8-0E3C6654774C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.4.4:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"2A3EA15F-DEBB-44A2-8CEA-B137AE8089CA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.4.5:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"428B70AC-35A2-4D4F-9670-43B601426DD3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.4.5:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"6314E670-88E8-4B09-9AF4-95E669A68A5A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.4.6:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"4486E929-E1A8-4731-BE7E-A8BCCE594ADA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.4.6:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"D24437F8-2B3A-4A0D-8C6C-A8B9E90457DB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.4.7:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"06843035-CE98-48C8-BCB1-02976D233077\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.4.7:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"B98060AC-32A2-4F5A-A490-3E23F883D5A7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.4.8:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"9681965F-AD13-420C-8845-A544520042DF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.4.8:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"C9D2A5F2-F91C-4DA3-9EB6-441D17A6AB9F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.4.9:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"6F3F93E1-8BB2-40BD-B4A9-D4136B742F82\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.4.9:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"549B3ADB-BAEF-4E45-856C-4B07F9FBB12A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.5.1:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"941AD6CA-3F4E-43E5-AA68-95AB7C84F297\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.5.1:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"4630E46A-817F-4238-989F-93C633A10058\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.6.0:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"25D8E4A5-2AB6-42D4-B6D4-54484149BE75\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.6.0:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"9BA9FF1F-8F8C-47DD-9E7B-8B48FB453A83\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.7.0:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"D28343BD-5440-425E-AFEB-FC79EFB3C531\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.7.0:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"F29E98F7-4768-48C8-9D1C-448006DF0FFE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.7.1:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"E8B3B4C6-4E76-4184-BE92-A6EF2B4CB8D2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.7.1:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"1320F61E-A562-438E-A19D-90C816920B63\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.8.0:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"35D28C45-8C74-4131-A2C5-1F1CE009BDED\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.8.0:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"64D7B52D-46CA-4769-9631-9E3E45927003\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.8.1:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"027F98AD-B508-4079-A1BD-EFDBDBA78331\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.8.1:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"D80A8C83-C8B1-4ADF-B45B-550E6BA45AEF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.9.0:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"54EB831D-3D4C-4807-AF42-DFF7D9176773\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.9.0:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"031A34D6-C522-4301-BE02-83D3BADC8C7E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.10.0:*:*:*:data_center:*:*:*\", \"matchCriteriaId\": \"109D37D3-3FC7-4443-974A-7D668ABE97D9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:atlassian:jira_service_management:5.10.0:*:*:*:server:*:*:*\", \"matchCriteriaId\": \"30D20E35-0BAC-4D43-A619-10B6A4572CBB\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.\"}, {\"lang\": \"es\", \"value\": \"La funci\\u00f3n initDocumentParser en el archivo xml/XMLSchedulingDataProcessor.java en Quartz Scheduler de Terracotta hasta la versi\\u00f3n 2.3.0, permite ataques de tipo XXE por medio de una descripci\\u00f3n del trabajo.\"}]",
      "id": "CVE-2019-13990",
      "lastModified": "2024-11-21T04:25:50.490",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}, {\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2019-07-26T19:15:11.730",
      "references": "[{\"url\": \"https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/quartz-scheduler/quartz/issues/467\", \"source\": \"cve@mitre.org\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3E\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3%40%3Cdev.tomee.apache.org%3E\", \"source\": \"cve@mitre.org\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949%40%3Cdev.tomee.apache.org%3E\", \"source\": \"cve@mitre.org\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629%40%3Cdev.tomee.apache.org%3E\", \"source\": \"cve@mitre.org\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf%40%3Ccommits.tomee.apache.org%3E\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\"]}, {\"url\": \"https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a%40%3Ccommits.tomee.apache.org%3E\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\"]}, {\"url\": \"https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf%40%3Ccommits.tomee.apache.org%3E\", \"source\": \"cve@mitre.org\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa%40%3Ccommits.tomee.apache.org%3E\", \"source\": \"cve@mitre.org\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20221028-0002/\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/quartz-scheduler/quartz/issues/467\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3%40%3Cdev.tomee.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949%40%3Cdev.tomee.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629%40%3Cdev.tomee.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf%40%3Ccommits.tomee.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a%40%3Ccommits.tomee.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf%40%3Ccommits.tomee.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa%40%3Ccommits.tomee.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20221028-0002/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-611\"}]}, {\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-611\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-13990\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2019-07-26T19:15:11.730\",\"lastModified\":\"2024-11-21T04:25:50.490\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.\"},{\"lang\":\"es\",\"value\":\"La funci\u00f3n initDocumentParser en el archivo xml/XMLSchedulingDataProcessor.java en Quartz Scheduler de Terracotta hasta la versi\u00f3n 2.3.0, permite ataques de tipo XXE por medio de una descripci\u00f3n del trabajo.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-611\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-611\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:softwareag:quartz:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.3.2\",\"matchCriteriaId\":\"45E3B3FD-2210-4419-86E7-0365320383F7\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:apache_batik_mapviewer:12.2.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"03B8033B-C2A4-47A2-88F0-ED2BF8962518\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:apache_batik_mapviewer:18c:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4B1124B6-CECC-4D4D-A8D5-F05928A545AB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:apache_batik_mapviewer:19c:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3BE19D2D-0789-4925-BC87-DC3A4C063FBF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_enterprise_originations:2.7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7AB8ABFD-C72C-4CBB-8872-9440A19154D6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_enterprise_originations:2.8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3054FEBB-484B-4927-9D1C-2024772E8B3D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_enterprise_product_manufacturing:2.7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5AED3C78-7D65-4F02-820D-B51BCE4022F9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_enterprise_product_manufacturing:2.8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"557A23A1-4762-4D29-A478-D1670C1847D3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:banking_payments:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"14.1.0\",\"versionEndIncluding\":\"14.4.0\",\"matchCriteriaId\":\"2FF46C9A-7768-4E52-A676-BEA6AE766AD4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_ip_service_activator:7.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DE48E0FE-5931-441C-B4FF-253BD9C48186\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_ip_service_activator:7.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DE7A60DB-A287-4E61-8131-B6314007191B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.2.0\",\"versionEndIncluding\":\"8.2.2\",\"matchCriteriaId\":\"11B0C37E-D7C7-45F2-A8D8-5A3B1B191430\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"727DF4F5-3D21-491E-96B9-EC973A6C9C18\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:documaker:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"12.6.0\",\"versionEndIncluding\":\"12.6.4\",\"matchCriteriaId\":\"135D531C-A692-4BE3-AB8C-37BB0D35559A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"66916DEB-ACE1-44E0-9535-10B3E03347AC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B095CC03-7077-4A58-AB25-CC5380CDCE5A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:flexcube_investor_servicing:12.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"21BE77B2-6368-470E-B9E6-21664D9A818A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:flexcube_investor_servicing:12.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3250073F-325A-4AFC-892F-F2005E3854A5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:flexcube_investor_servicing:12.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0DDDC9C2-33D6-4123-9ABC-C9B809A6E88E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:flexcube_investor_servicing:14.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A69266D2-72D0-4A6C-883D-2597FE30931B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:flexcube_investor_servicing:14.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"524429D6-8AF1-4713-A9B8-678B50A3762F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6762F207-93C7-4363-B2F9-7A7C6F8AF993\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1B74B912-152D-4F38-9FC1-741D6D0B27FC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"06E586B3-3434-4B08-8BE3-16C528642CA5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:google_guava_mapviewer:12.2.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0CCA59D2-2853-44F3-9C5C-CC59B49A6B69\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:google_guava_mapviewer:18c:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"779EB0EC-2905-48BC-B375-E6E78B26A169\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:google_guava_mapviewer:19c:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E19C4DBE-2889-4C13-A0E9-30D0CD1BF714\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DED59B62-C9BF-4C0E-B351-3884E8441655\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"9.2.5.3\",\"matchCriteriaId\":\"B2A0A4A6-70D3-418B-80EA-04718C50C500\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"17.7\",\"versionEndIncluding\":\"17.12\",\"matchCriteriaId\":\"08FA59A8-6A62-4B33-8952-D6E658F8DAC9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D55A54FD-7DD1-49CD-BE81-0BE73990943C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"82EB08C0-2D46-4635-88DF-E54F6452D3A3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"202AD518-2E9B-4062-B063-9858AE1F9CE2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F0735989-13BD-40B3-B954-AC0529C5B53D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"58405263-E84C-4071-BB23-165D49034A00\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_integration_bus:15.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"42064F46-3012-4FB1-89BA-F13C2E4CBB6B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F73E2EFA-0F43-4D92-8C7D-9E66811B76D6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EE8CF045-09BB-4069-BCEC-496D5AE3B780\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"38E74E68-7F19-4EF3-AC00-3C249EAAA39E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_order_broker:18.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0783F0D1-8FAC-4BCA-A6F5-C5C60E86D56D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_order_broker:19.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BFB0BB58-04D3-409D-AECC-9633782F0E75\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E13DF2AE-F315-4085-9172-6C8B21AF1C9E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BDB925C6-2CBC-4D88-B9EA-F246F4F7A206\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"11DA6839-849D-4CEF-85F3-38FE75E07183\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BCE78490-A4BE-40BD-8C72-0A4526BBD4A4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"55AE3629-4A66-49E4-A33D-6D81CC94962F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4CB39A1A-AD29-45DD-9EB5-5E2053A01B9A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"27C26705-6D1F-4D5E-B64D-B479108154FF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:terracotta_quartz_scheduler_mapviewer:12.2.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7E75624C-68FA-465C-86B3-BCFB649C4782\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:terracotta_quartz_scheduler_mapviewer:18c:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6B7DF2FA-F290-40F7-ABD1-AB50EEBC83B5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:terracotta_quartz_scheduler_mapviewer:19c:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E4D4E5C1-D4A6-464D-9DF3-A9DDD1912FBB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D551CAB1-4312-44AA-BDA8-A030817E153A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"174A6D2E-E42E-4C92-A194-C6A820CD7EF4\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomee:7.1.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E74771B8-99DA-434F-ADCF-258838674E18\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*\",\"matchCriteriaId\":\"F3E0B672-3E06-4422-B2A4-0BD073AEC2A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*\",\"matchCriteriaId\":\"3A756737-1CC4-42C2-A4DF-E1C893B4E2D5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*\",\"matchCriteriaId\":\"B55E8D50-99B4-47EC-86F9-699B67D473CE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F0F202E8-97E6-4BBB-A0B6-4CA3F5803C08\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.0:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"E70C8416-E4F6-44BC-BDF9-BB1BAE7E185F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.0:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"1363F683-E350-4639-A973-A82BDD83A3A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.1:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"7BAB5016-8439-4E01-8911-8B472EF38E13\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.1:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"F8EF8DCE-7266-49B1-AE2E-96079A2AD6E7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.2:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"029B8E7F-65EF-4984-A27B-8198D8EB18DB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.2:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"55C7B96B-2A2F-47F9-BBBD-0E25F8AF8F02\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.3:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"160B6A9E-41DC-4999-B3CC-A16B3A16D2A4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.3:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"FC59154D-036C-4F22-B5F1-891527A3EC6B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.4:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"6AD2CA00-9D6C-4DAC-90E6-BE1D93555C11\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.4:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"2FDF2DF4-B0EE-4179-AF98-B21EBB2E1D6F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.5:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"AF85E227-F167-4CCB-A039-D96CC080B032\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.5:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"EDA3B2B5-C9EA-4D26-AEF4-F86792FB9ADC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.6:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"93DDAE6E-DB31-429A-B4EB-955E080A4545\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.6:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"DF994E6C-6262-4230-BBC6-E464EBC1B0F9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.7:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"25DA87CA-362C-4558-AA42-265DA1F8C26D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.7:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"EF410408-CD38-408A-97C4-1103EF8AF68D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.8:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"037D6CB0-959B-468E-87DD-8B1110A14ED0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.8:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"1B885DB6-2DEA-4EB4-97BC-2BF30BC45544\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.9:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"C83E3571-CD54-40A2-AAC0-20F67954642B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.9:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"B69320FF-4E93-475C-B995-85CF1A03DBDA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.10:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"FD430022-C74D-4340-88F9-21AB69485966\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.10:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"549E2860-25D9-468C-891D-AD9BEADA08B3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.11:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"5C03D422-521C-48B2-B293-247232D1ED3C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.11:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"2B0DBCC1-2D1F-4DB3-A693-DA0FA18B9A5E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.12:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"34515441-AE13-4492-A08E-6521D840F689\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.12:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"6FABE527-FED5-4BA3-ABF0-C89AD1228ED2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.13:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"6BE5E85B-7725-4DB9-8357-9097F777705D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.13:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"910A2B29-3502-499B-892F-F6AD473CA6F6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.14:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"2BAB1FDD-C213-48CB-B28B-802F0D1278A7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.14:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"59D09ED0-E31D-4C6B-A217-A3C58C209782\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.15:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"746CCD4F-5411-4249-8A71-A47AD598498A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.15:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"A055705E-4F63-4EB9-BABC-8888041D1E1F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.16:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"AFA32156-893E-44A7-9F18-73586F2E21AB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.16:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"631D10DC-9F03-4BEE-98DD-0759746825A2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.17:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"AFAC053F-3A53-4AD8-9393-49A837A38A8C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.17:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"FE355EB5-A0C4-471C-8E47-1898746D89C6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.18:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"CC230B1E-AA5E-4E76-92E5-41130C56DD34\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.18:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"B764FD56-DBFF-46EE-9108-CF88591DC7A2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.19:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"3F369AD5-25DB-43E4-ADB5-22A774FC6F91\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.19:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"454804E1-9C4C-41AA-ACB4-0150BB39669C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.20:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"79A73328-B3BF-4682-9B60-12A4039F9D1E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.20:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"2A75238E-A82C-4BE9-8300-2BE8B40C31CD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.21:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"1E7B8908-7F72-495B-B562-81E789643A60\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.21:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"55A04426-7D52-4F90-9623-109F201223AC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.22:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"2CC10DC7-1B0B-41E6-B903-DC7E59F68517\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.22:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"E7A19BC6-3F2B-4248-8255-BBA729F941C7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.23:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"DC4936AD-0B95-4687-B0A8-290E76D3ED7C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.23:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"33A3BC88-F6CC-4CDD-8842-2DC5C4706AC3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.24:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"AE05DF9B-2F49-45E9-AB47-A5FA18B6847E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.24:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"29F7D306-FC7F-4748-BC1D-6280654B8409\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.25:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"C82EA42D-1583-4B6D-840E-69B804BD2902\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.20.25:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"22D1EEB6-D4D1-46FC-BB60-CF33EE970E43\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.21.0:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"F1992CBB-135C-4CD7-8D9B-037EEE0530BA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.21.0:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"D8232A74-B1DA-48DD-9DF1-4D04F6091BE3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.21.1:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"F81B63AA-1086-448A-8D60-F5CF41BB1226\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.21.1:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"2B8BBC24-532A-46AB-9D7D-241C43082E95\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.22.0:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"F629DC1E-E044-4D84-8D60-B4E6C139EE98\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.22.0:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"4BDBC59C-C5C7-4848-8CCA-D4DF0354BFCA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.22.1:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"D2E75D91-EC8E-4BAC-B989-403120F84BAC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.22.1:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"FEA2A29A-D2AA-4688-888D-02923EEBFF4A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.22.2:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"93EEA37B-7E96-455D-9131-2CDB77889080\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.22.2:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"71D2DC08-B93D-474B-9332-793A47E0A792\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.22.3:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"9263586C-D6A5-48F4-8F36-F672377AAFAD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.22.3:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"01F142BF-C557-4D27-A263-0A77D3FBAA27\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.22.4:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"BC250698-AA6D-46FC-923D-9A3EB0742697\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.22.4:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"755B605C-E032-435B-90C3-FEB1EEBD43E7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.22.6:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"728DE946-60C8-433A-807B-45720C668B37\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:4.22.6:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"F24C4029-A2D5-4B95-AE2B-10B035B28420\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.0.0:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"52672DE1-9B0D-4689-93AD-FF4B8A59E5EC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.0.0:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"D802B4FE-F56F-46C4-A84B-EB89931EC16E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.1.0:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"17E30F04-14EF-4F4D-8124-D0DD04E9EDF9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.1.0:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"538503C1-F947-4BCF-836F-A609A601E064\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.1.1:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"07105957-FEBE-4E02-88FB-A8DDAE67E8A9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.1.1:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"E40B10B9-F8C3-4279-A9AC-2E25AEF46D7A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.2.0:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"C7D685CD-9CAD-42B5-B721-26203854F396\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.2.0:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"269B2F72-56A3-4750-8665-7DE03DAE3DAA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.2.1:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"C600291E-2EDC-4F61-9FC1-C2C34C20EA4C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.2.1:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"C8D33E70-8A27-46A2-BB14-87181F8DA0F3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.3.0:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"F09CAEB7-4C1F-4B5B-9921-6DD06FF9EB9D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.3.0:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"7E9F4E2A-E450-496C-B3E8-B0817BAD8817\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.3.1:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"964CB4B7-1502-4E92-B7D2-D864C13E338B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.3.1:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"A9EFBC53-7C0B-408E-A745-0C83E9E38DAD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.3.2:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"18A70517-84A8-4866-9FE8-06D0608391E4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.3.2:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"E504A879-B312-4E8F-ADF9-8C1623B023AE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.3.3:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"9EE1449F-6F38-4677-9DB9-AF2D9A7C2AE2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.3.3:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"2BC5B994-25C4-4C00-8871-F3664878C83B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.4.0:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"4484C6ED-659F-47F5-BFE2-7E9794FA51C3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.4.0:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"F4449121-125E-49D9-BF3E-2A6EA169B796\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.4.1:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"C940817F-B265-4F42-AE19-DA2B49AC1D53\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.4.1:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"099869F1-BC95-4828-A0F5-9BBADDC3F6F3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.4.2:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"601B5811-B1B8-4FF0-984B-62F07366615A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.4.2:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"0D82DFCD-964E-406E-8329-E31A76FCFC64\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.4.3:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"ED8B7E12-9139-4BCB-9A5A-C8B23A6F8628\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.4.3:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"08F237B7-4C22-4A35-BC82-6B6E892B7EB3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.4.4:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"0EC83F47-180C-481B-88A8-0E3C6654774C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.4.4:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"2A3EA15F-DEBB-44A2-8CEA-B137AE8089CA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.4.5:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"428B70AC-35A2-4D4F-9670-43B601426DD3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.4.5:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"6314E670-88E8-4B09-9AF4-95E669A68A5A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.4.6:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"4486E929-E1A8-4731-BE7E-A8BCCE594ADA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.4.6:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"D24437F8-2B3A-4A0D-8C6C-A8B9E90457DB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.4.7:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"06843035-CE98-48C8-BCB1-02976D233077\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.4.7:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"B98060AC-32A2-4F5A-A490-3E23F883D5A7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.4.8:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"9681965F-AD13-420C-8845-A544520042DF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.4.8:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"C9D2A5F2-F91C-4DA3-9EB6-441D17A6AB9F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.4.9:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"6F3F93E1-8BB2-40BD-B4A9-D4136B742F82\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.4.9:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"549B3ADB-BAEF-4E45-856C-4B07F9FBB12A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.5.1:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"941AD6CA-3F4E-43E5-AA68-95AB7C84F297\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.5.1:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"4630E46A-817F-4238-989F-93C633A10058\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.6.0:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"25D8E4A5-2AB6-42D4-B6D4-54484149BE75\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.6.0:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"9BA9FF1F-8F8C-47DD-9E7B-8B48FB453A83\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.7.0:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"D28343BD-5440-425E-AFEB-FC79EFB3C531\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.7.0:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"F29E98F7-4768-48C8-9D1C-448006DF0FFE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.7.1:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"E8B3B4C6-4E76-4184-BE92-A6EF2B4CB8D2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.7.1:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"1320F61E-A562-438E-A19D-90C816920B63\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.8.0:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"35D28C45-8C74-4131-A2C5-1F1CE009BDED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.8.0:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"64D7B52D-46CA-4769-9631-9E3E45927003\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.8.1:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"027F98AD-B508-4079-A1BD-EFDBDBA78331\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.8.1:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"D80A8C83-C8B1-4ADF-B45B-550E6BA45AEF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.9.0:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"54EB831D-3D4C-4807-AF42-DFF7D9176773\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.9.0:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"031A34D6-C522-4301-BE02-83D3BADC8C7E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.10.0:*:*:*:data_center:*:*:*\",\"matchCriteriaId\":\"109D37D3-3FC7-4443-974A-7D668ABE97D9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_service_management:5.10.0:*:*:*:server:*:*:*\",\"matchCriteriaId\":\"30D20E35-0BAC-4D43-A619-10B6A4572CBB\"}]}]}],\"references\":[{\"url\":\"https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/quartz-scheduler/quartz/issues/467\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3E\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3%40%3Cdev.tomee.apache.org%3E\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949%40%3Cdev.tomee.apache.org%3E\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629%40%3Cdev.tomee.apache.org%3E\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf%40%3Ccommits.tomee.apache.org%3E\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a%40%3Ccommits.tomee.apache.org%3E\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf%40%3Ccommits.tomee.apache.org%3E\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa%40%3Ccommits.tomee.apache.org%3E\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20221028-0002/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com//security-alerts/cpujul2021.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuapr2020.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2021.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2020.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2020.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2021.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/quartz-scheduler/quartz/issues/467\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3%40%3Cdev.tomee.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949%40%3Cdev.tomee.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629%40%3Cdev.tomee.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf%40%3Ccommits.tomee.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a%40%3Ccommits.tomee.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf%40%3Ccommits.tomee.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa%40%3Ccommits.tomee.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20221028-0002/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com//security-alerts/cpujul2021.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuapr2020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2021.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2021.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629%40%3Cdev.tomee.apache.org%3E\", \"name\": \"[tomee-dev] 20190830 Re: Quartz CVE-2019-13990\", \"tags\": [\"mailing-list\", \"x_transferred\"]}, {\"url\": \"https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3%40%3Cdev.tomee.apache.org%3E\", \"name\": \"[tomee-dev] 20190830 Quartz CVE-2019-13990\", \"tags\": [\"mailing-list\", \"x_transferred\"]}, {\"url\": \"https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949%40%3Cdev.tomee.apache.org%3E\", \"name\": \"[tomee-dev] 20190908 Re: Quartz CVE-2019-13990\", \"tags\": [\"mailing-list\", \"x_transferred\"]}, {\"url\": \"https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf%40%3Ccommits.tomee.apache.org%3E\", \"name\": \"[tomee-commits] 20190908 svn commit: r1866633 - /tomee/deps/trunk/quartz-openejb-shade/pom.xml\", \"tags\": [\"mailing-list\", \"x_transferred\"]}, {\"url\": \"https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3E\", \"name\": \"[tomee-dev] 20190923 Re: [VOTE] Release quartz-openejb-shade 2.2.4\", \"tags\": [\"mailing-list\", \"x_transferred\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/quartz-scheduler/quartz/issues/467\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa%40%3Ccommits.tomee.apache.org%3E\", \"name\": \"[tomee-commits] 20200720 [jira] [Created] (TOMEE-2886) Update quartz-scheduler to mitigate CVE-2019-13990\", \"tags\": [\"mailing-list\", \"x_transferred\"]}, {\"url\": \"https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf%40%3Ccommits.tomee.apache.org%3E\", \"name\": \"[tomee-commits] 20200720 [jira] [Commented] (TOMEE-2886) Update quartz-scheduler to mitigate CVE-2019-13990\", \"tags\": [\"mailing-list\", \"x_transferred\"]}, {\"url\": \"https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a%40%3Ccommits.tomee.apache.org%3E\", \"name\": \"[tomee-commits] 20200720 [jira] [Assigned] (TOMEE-2886) Update quartz-scheduler to mitigate CVE-2019-13990\", \"tags\": [\"mailing-list\", \"x_transferred\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20221028-0002/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-05T00:05:44.151Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2019-13990\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-15T17:36:32.053865Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-611\", \"description\": \"CWE-611 Improper Restriction of XML External Entity Reference\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-15T18:22:14.447Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"references\": [{\"url\": \"https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629%40%3Cdev.tomee.apache.org%3E\", \"name\": \"[tomee-dev] 20190830 Re: Quartz CVE-2019-13990\", \"tags\": [\"mailing-list\"]}, {\"url\": \"https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3%40%3Cdev.tomee.apache.org%3E\", \"name\": \"[tomee-dev] 20190830 Quartz CVE-2019-13990\", \"tags\": [\"mailing-list\"]}, {\"url\": \"https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949%40%3Cdev.tomee.apache.org%3E\", \"name\": \"[tomee-dev] 20190908 Re: Quartz CVE-2019-13990\", \"tags\": [\"mailing-list\"]}, {\"url\": \"https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf%40%3Ccommits.tomee.apache.org%3E\", \"name\": \"[tomee-commits] 20190908 svn commit: r1866633 - /tomee/deps/trunk/quartz-openejb-shade/pom.xml\", \"tags\": [\"mailing-list\"]}, {\"url\": \"https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3E\", \"name\": \"[tomee-dev] 20190923 Re: [VOTE] Release quartz-openejb-shade 2.2.4\", \"tags\": [\"mailing-list\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"}, {\"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"}, {\"url\": \"https://github.com/quartz-scheduler/quartz/issues/467\"}, {\"url\": \"https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa%40%3Ccommits.tomee.apache.org%3E\", \"name\": \"[tomee-commits] 20200720 [jira] [Created] (TOMEE-2886) Update quartz-scheduler to mitigate CVE-2019-13990\", \"tags\": [\"mailing-list\"]}, {\"url\": \"https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf%40%3Ccommits.tomee.apache.org%3E\", \"name\": \"[tomee-commits] 20200720 [jira] [Commented] (TOMEE-2886) Update quartz-scheduler to mitigate CVE-2019-13990\", \"tags\": [\"mailing-list\"]}, {\"url\": \"https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a%40%3Ccommits.tomee.apache.org%3E\", \"name\": \"[tomee-commits] 20200720 [jira] [Assigned] (TOMEE-2886) Update quartz-scheduler to mitigate CVE-2019-13990\", \"tags\": [\"mailing-list\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"}, {\"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"}, {\"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"}, {\"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20221028-0002/\"}, {\"url\": \"https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"n/a\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2023-10-28T05:44:55.522Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2019-13990\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-15T18:22:20.316Z\", \"dateReserved\": \"2019-07-19T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2019-07-26T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2020-AVI-433

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans Oracle Database Server. Certaines d'entre elles permettent à un attaquant de provoquer un contournement de la politique de sécurité, une atteinte à l'intégrité des données et une atteinte à la confidentialité des données.

Les CVE suivantes sont référencées mais l'éditeur indique qu'elles ne sont pas exploitables : CVE-2018-18314, CVE-2019-10086, CVE-2019-13990, CVE-2019-16943.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Oracle	Database Server	Oracle Database Server version 11.2.0.4 sans le dernier correctif
Oracle	Database Server	Oracle Application Express de Oracle Database Server versions 5.1 à 19.2 sans le dernier correctif
Oracle	Database Server	Oracle Database Server version 12.1.0.2 sans le dernier correctif
Oracle	Database Server	Oracle Database Server version 19c sans le dernier correctif
Oracle	Database Server	Oracle Database Server version 18c sans le dernier correctif
Oracle	Database Server	Oracle Database Server version 12.2.0.1 sans le dernier correctif

References

Title

Publication Time

Tags

Bulletin de sécurité Oracle détaillé cpujul2020 du 14 juillet 2020	None	vendor-advisory
Bulletin de sécurité Oracle cpujul2020 du 14 juillet 2020	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Oracle Database Server version 11.2.0.4 sans le dernier correctif",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Application Express de Oracle Database Server versions 5.1 \u00e0 19.2 sans le dernier correctif",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Database Server version 12.1.0.2 sans le dernier correctif",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Database Server version 19c sans le dernier correctif",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Database Server version 18c sans le dernier correctif",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Database Server version 12.2.0.1 sans le dernier correctif",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2020-2975",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-2975"
    },
    {
      "name": "CVE-2020-2969",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-2969"
    },
    {
      "name": "CVE-2020-2973",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-2973"
    },
    {
      "name": "CVE-2019-13990",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-13990"
    },
    {
      "name": "CVE-2020-2513",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-2513"
    },
    {
      "name": "CVE-2016-9843",
      "url": "https://www.cve.org/CVERecord?id=CVE-2016-9843"
    },
    {
      "name": "CVE-2020-2974",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-2974"
    },
    {
      "name": "CVE-2019-16943",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-16943"
    },
    {
      "name": "CVE-2018-18314",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-18314"
    },
    {
      "name": "CVE-2020-8112",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8112"
    },
    {
      "name": "CVE-2020-2971",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-2971"
    },
    {
      "name": "CVE-2020-2972",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-2972"
    },
    {
      "name": "CVE-2020-2976",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-2976"
    },
    {
      "name": "CVE-2016-1000031",
      "url": "https://www.cve.org/CVERecord?id=CVE-2016-1000031"
    },
    {
      "name": "CVE-2019-17569",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-17569"
    },
    {
      "name": "CVE-2020-2978",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-2978"
    },
    {
      "name": "CVE-2019-10086",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-10086"
    },
    {
      "name": "CVE-2020-2977",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-2977"
    },
    {
      "name": "CVE-2020-2968",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-2968"
    }
  ],
  "links": [],
  "reference": "CERTFR-2020-AVI-433",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-07-15T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Oracle Database\nServer. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nun contournement de la politique de s\u00e9curit\u00e9, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9\ndes donn\u00e9es et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n\nLes CVE suivantes sont r\u00e9f\u00e9renc\u00e9es mais l\u0027\u00e9diteur indique qu\u0027elles ne\nsont pas exploitables : CVE-2018-18314, CVE-2019-10086, CVE-2019-13990,\nCVE-2019-16943.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Oracle Database Server",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Oracle d\u00e9taill\u00e9 cpujul2020 du 14 juillet 2020",
      "url": "https://www.oracle.com/security-alerts/cpujul2020verbose.html#DB"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Oracle cpujul2020 du 14 juillet 2020",
      "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
    }
  ]
}

CERTFR-2020-AVI-433

Vulnerability from certfr_avis - Published: - Updated:

Les CVE suivantes sont référencées mais l'éditeur indique qu'elles ne sont pas exploitables : CVE-2018-18314, CVE-2019-10086, CVE-2019-13990, CVE-2019-16943.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Oracle	Database Server	Oracle Database Server version 11.2.0.4 sans le dernier correctif
Oracle	Database Server	Oracle Application Express de Oracle Database Server versions 5.1 à 19.2 sans le dernier correctif
Oracle	Database Server	Oracle Database Server version 12.1.0.2 sans le dernier correctif
Oracle	Database Server	Oracle Database Server version 19c sans le dernier correctif
Oracle	Database Server	Oracle Database Server version 18c sans le dernier correctif
Oracle	Database Server	Oracle Database Server version 12.2.0.1 sans le dernier correctif

References

Title

Publication Time

Tags

Bulletin de sécurité Oracle détaillé cpujul2020 du 14 juillet 2020	None	vendor-advisory
Bulletin de sécurité Oracle cpujul2020 du 14 juillet 2020	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Oracle Database Server version 11.2.0.4 sans le dernier correctif",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Application Express de Oracle Database Server versions 5.1 \u00e0 19.2 sans le dernier correctif",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Database Server version 12.1.0.2 sans le dernier correctif",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Database Server version 19c sans le dernier correctif",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Database Server version 18c sans le dernier correctif",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Database Server version 12.2.0.1 sans le dernier correctif",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2020-2975",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-2975"
    },
    {
      "name": "CVE-2020-2969",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-2969"
    },
    {
      "name": "CVE-2020-2973",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-2973"
    },
    {
      "name": "CVE-2019-13990",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-13990"
    },
    {
      "name": "CVE-2020-2513",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-2513"
    },
    {
      "name": "CVE-2016-9843",
      "url": "https://www.cve.org/CVERecord?id=CVE-2016-9843"
    },
    {
      "name": "CVE-2020-2974",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-2974"
    },
    {
      "name": "CVE-2019-16943",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-16943"
    },
    {
      "name": "CVE-2018-18314",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-18314"
    },
    {
      "name": "CVE-2020-8112",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8112"
    },
    {
      "name": "CVE-2020-2971",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-2971"
    },
    {
      "name": "CVE-2020-2972",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-2972"
    },
    {
      "name": "CVE-2020-2976",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-2976"
    },
    {
      "name": "CVE-2016-1000031",
      "url": "https://www.cve.org/CVERecord?id=CVE-2016-1000031"
    },
    {
      "name": "CVE-2019-17569",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-17569"
    },
    {
      "name": "CVE-2020-2978",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-2978"
    },
    {
      "name": "CVE-2019-10086",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-10086"
    },
    {
      "name": "CVE-2020-2977",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-2977"
    },
    {
      "name": "CVE-2020-2968",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-2968"
    }
  ],
  "links": [],
  "reference": "CERTFR-2020-AVI-433",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-07-15T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Oracle Database\nServer. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nun contournement de la politique de s\u00e9curit\u00e9, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9\ndes donn\u00e9es et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n\nLes CVE suivantes sont r\u00e9f\u00e9renc\u00e9es mais l\u0027\u00e9diteur indique qu\u0027elles ne\nsont pas exploitables : CVE-2018-18314, CVE-2019-10086, CVE-2019-13990,\nCVE-2019-16943.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Oracle Database Server",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Oracle d\u00e9taill\u00e9 cpujul2020 du 14 juillet 2020",
      "url": "https://www.oracle.com/security-alerts/cpujul2020verbose.html#DB"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Oracle cpujul2020 du 14 juillet 2020",
      "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
    }
  ]
}

CERTFR-2026-AVI-0292

Vulnerability from certfr_avis - Published: 2026-03-13 - Updated: 2026-03-13

De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
IBM	WebSphere Service Registry and Repository	WebSphere Service Registry and Repository versions 8.5 antérieures à 8.5.5.30
IBM	Sterling Control Center	Sterling Control Center versions 6.4.1 antérieures à 6.4.1.0 iFix01
IBM	Sterling Control Center	Sterling Control Center versions 6.3.x antérieures à 6.3.1.0 iFix06
IBM	N/A	Sterling Secure Proxy versions 6.2.0 antérieures à 6.2.0.3 GA
IBM	Sterling Partner Engagement Manager Standard Edition	Sterling Partner Engagement Manager Standard Edition versions 6.2.3 antérieures à 6.2.3.6
IBM	N/A	Sterling Secure Proxy versions 6.2.1 antérieures à 6.2.1.2 GA
IBM	N/A	Sterling Secure Proxy versions 6.1.0 antérieures à 6.1.0.3 GA
IBM	Sterling Partner Engagement Manager Essentials Edition	Sterling Partner Engagement Manager Essentials Edition versions 6.2.3 antérieures à 6.2.3.6
IBM	Sterling Partner Engagement Manager Standard Edition	Sterling Partner Engagement Manager Standard Edition versions 6.2.4 antérieures à 6.2.4.3
IBM	Sterling Partner Engagement Manager Essentials Edition	Sterling Partner Engagement Manager Essentials Edition versions 6.2.4 antérieures à 6.2.4.3
IBM	Sterling Control Center	Sterling Control Center versions 6.4.0 antérieures à 6.4.0.0 iFix02

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 7262893	2026-03-09	vendor-advisory
Bulletin de sécurité IBM 7263064	2026-03-10	vendor-advisory
Bulletin de sécurité IBM 7263063	2026-03-10	vendor-advisory
Bulletin de sécurité IBM 7263065	2026-03-10	vendor-advisory
Bulletin de sécurité IBM 7263060	2026-03-10	vendor-advisory
Bulletin de sécurité IBM 7263391	2026-03-12	vendor-advisory
Bulletin de sécurité IBM 7263061	2026-03-10	vendor-advisory
Bulletin de sécurité IBM 7262894	2026-03-09	vendor-advisory
Bulletin de sécurité IBM 7263211	2026-03-11	vendor-advisory
Bulletin de sécurité IBM 7263059	2026-03-10	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "WebSphere Service Registry and Repository versions 8.5 ant\u00e9rieures \u00e0 8.5.5.30",
      "product": {
        "name": "WebSphere Service Registry and Repository",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Control Center versions 6.4.1 ant\u00e9rieures \u00e0 6.4.1.0 iFix01",
      "product": {
        "name": "Sterling Control Center",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Control Center versions 6.3.x ant\u00e9rieures \u00e0 6.3.1.0 iFix06",
      "product": {
        "name": "Sterling Control Center",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Secure Proxy versions 6.2.0 ant\u00e9rieures \u00e0 6.2.0.3 GA",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Partner Engagement Manager Standard Edition versions 6.2.3 ant\u00e9rieures \u00e0 6.2.3.6",
      "product": {
        "name": "Sterling Partner Engagement Manager Standard Edition",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Secure Proxy versions 6.2.1 ant\u00e9rieures \u00e0 6.2.1.2 GA",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Secure Proxy versions 6.1.0 ant\u00e9rieures \u00e0 6.1.0.3 GA",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Partner Engagement Manager Essentials Edition versions 6.2.3 ant\u00e9rieures \u00e0 6.2.3.6",
      "product": {
        "name": "Sterling Partner Engagement Manager Essentials Edition",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Partner Engagement Manager Standard Edition versions 6.2.4 ant\u00e9rieures \u00e0 6.2.4.3",
      "product": {
        "name": "Sterling Partner Engagement Manager Standard Edition",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Partner Engagement Manager Essentials Edition versions 6.2.4 ant\u00e9rieures \u00e0 6.2.4.3",
      "product": {
        "name": "Sterling Partner Engagement Manager Essentials Edition",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Sterling Control Center versions 6.4.0 ant\u00e9rieures \u00e0 6.4.0.0 iFix02",
      "product": {
        "name": "Sterling Control Center",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-13718",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-13718"
    },
    {
      "name": "CVE-2025-5115",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-5115"
    },
    {
      "name": "CVE-2025-41248",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-41248"
    },
    {
      "name": "CVE-2025-50106",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-50106"
    },
    {
      "name": "CVE-2019-13990",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-13990"
    },
    {
      "name": "CVE-2025-30754",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30754"
    },
    {
      "name": "CVE-2016-1000338",
      "url": "https://www.cve.org/CVERecord?id=CVE-2016-1000338"
    },
    {
      "name": "CVE-2025-13726",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-13726"
    },
    {
      "name": "CVE-2025-12383",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-12383"
    },
    {
      "name": "CVE-2016-1000342",
      "url": "https://www.cve.org/CVERecord?id=CVE-2016-1000342"
    },
    {
      "name": "CVE-2021-33813",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-33813"
    },
    {
      "name": "CVE-2025-13723",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-13723"
    },
    {
      "name": "CVE-2025-48976",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-48976"
    },
    {
      "name": "CVE-2022-24785",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-24785"
    },
    {
      "name": "CVE-2025-50059",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-50059"
    },
    {
      "name": "CVE-2025-30761",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30761"
    },
    {
      "name": "CVE-2025-13702",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-13702"
    },
    {
      "name": "CVE-2023-46233",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-46233"
    },
    {
      "name": "CVE-2015-5922",
      "url": "https://www.cve.org/CVERecord?id=CVE-2015-5922"
    },
    {
      "name": "CVE-2022-34169",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-34169"
    },
    {
      "name": "CVE-2022-25881",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-25881"
    },
    {
      "name": "CVE-2016-1000340",
      "url": "https://www.cve.org/CVERecord?id=CVE-2016-1000340"
    },
    {
      "name": "CVE-2025-30749",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30749"
    },
    {
      "name": "CVE-2025-41249",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-41249"
    },
    {
      "name": "CVE-2025-53057",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-53057"
    },
    {
      "name": "CVE-2025-14811",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-14811"
    },
    {
      "name": "CVE-2025-53066",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-53066"
    },
    {
      "name": "CVE-2025-48734",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-48734"
    }
  ],
  "initial_release_date": "2026-03-13T00:00:00",
  "last_revision_date": "2026-03-13T00:00:00",
  "links": [],
  "reference": "CERTFR-2026-AVI-0292",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2026-03-13T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
  "vendor_advisories": [
    {
      "published_at": "2026-03-09",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7262893",
      "url": "https://www.ibm.com/support/pages/node/7262893"
    },
    {
      "published_at": "2026-03-10",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7263064",
      "url": "https://www.ibm.com/support/pages/node/7263064"
    },
    {
      "published_at": "2026-03-10",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7263063",
      "url": "https://www.ibm.com/support/pages/node/7263063"
    },
    {
      "published_at": "2026-03-10",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7263065",
      "url": "https://www.ibm.com/support/pages/node/7263065"
    },
    {
      "published_at": "2026-03-10",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7263060",
      "url": "https://www.ibm.com/support/pages/node/7263060"
    },
    {
      "published_at": "2026-03-12",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7263391",
      "url": "https://www.ibm.com/support/pages/node/7263391"
    },
    {
      "published_at": "2026-03-10",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7263061",
      "url": "https://www.ibm.com/support/pages/node/7263061"
    },
    {
      "published_at": "2026-03-09",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7262894",
      "url": "https://www.ibm.com/support/pages/node/7262894"
    },
    {
      "published_at": "2026-03-11",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7263211",
      "url": "https://www.ibm.com/support/pages/node/7263211"
    },
    {
      "published_at": "2026-03-10",
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7263059",
      "url": "https://www.ibm.com/support/pages/node/7263059"
    }
  ]
}

BDU:2020-02137

Vulnerability from fstec - Published: 22.07.2019

Title

Уязвимость функции initDocumentParser библиотеки планирования заданий Terracotta Quartz Scheduler, позволяющая нарушителю осуществить XXE-атаку

Description

Уязвимость функции initDocumentParser (xml/XMLSchedulingDataProcessor.java) библиотеки планирования заданий Terracotta Quartz Scheduler связана с неверным ограничением XML-ссылок на внешние объекты. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, осуществить XXE-атаку

Severity ?


                    
                      AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vendor

Oracle Corp., Red Hat Inc., ООО «РусБИТех-Астра», Novell Inc., Terracotta, Inc., АО "НППКТ"

Software Name

Retail Back Office, Retail Central Office, Retail Returns Management, Retail Point-of-Service, Fusion Middleware MapViewer, Primavera Unifier, Red Hat Virtualization, Oracle Retail Order Broker, Astra Linux Common Edition (запись в едином реестре российских программ №4433), Jboss Fuse, Red Hat Process Automation Manager, Red Hat Descision Manager, SUSE Linux Enterprise Module for SUSE Manager Server, SUSE Manager Server, Banking Enterprise Product Manufacturing, Oracle Banking Enterprise Originations, Quartz Scheduler, Enterprise Manager Ops Center, Oracle Communications Session Route Manager, Enterprise Manager Base Platform, Hyperion Infrastructure Technology, ОСОН ОСнова Оnyx (запись в едином реестре российских программ №5913)

Software Version

14.1 (Retail Back Office), 14.1 (Retail Central Office), 14.1 (Retail Returns Management), 14.1 (Retail Point-of-Service), 12.2.1.3.0 (Fusion Middleware MapViewer), 16.2 (Primavera Unifier), 16.1 (Primavera Unifier), 4 (Red Hat Virtualization), 15.0 (Oracle Retail Order Broker), 16.0 (Oracle Retail Order Broker), 2.12 «Орёл» (Astra Linux Common Edition), 7 (Jboss Fuse), 18.8 (Primavera Unifier), 7 (Red Hat Process Automation Manager), 7 (Red Hat Descision Manager), от 17.7 до 17.12 включительно (Primavera Unifier), 4.0 (SUSE Linux Enterprise Module for SUSE Manager Server), 3.2 (SUSE Manager Server), 18.0 (Oracle Retail Order Broker), 2.7.0 (Banking Enterprise Product Manufacturing), 2.8.0 (Banking Enterprise Product Manufacturing), 2.7.0 (Oracle Banking Enterprise Originations), 2.8.0 (Oracle Banking Enterprise Originations), до 2.3.2 (Quartz Scheduler), 19.0 (Oracle Retail Order Broker), 12.4.0.0 (Enterprise Manager Ops Center), от 8.2.0 до 8.2.2 включительно (Oracle Communications Session Route Manager), 13.2.1.0 (Enterprise Manager Base Platform), 11.1.2.4 (Hyperion Infrastructure Technology), до 2.4.2 (ОСОН ОСнова Оnyx)

Possible Mitigations

Использование рекомендаций: Для Quartz Scheduler: https://github.com/quartz-scheduler/quartz/issues/467 Для программных продуктов Novell Inc.: https://www.suse.com/security/cve/CVE-2019-13990/ Для программных продуктов Red Hat Inc.: https://access.redhat.com/security/cve/CVE-2019-13990 Для программных продуктов Oracle Corp.: https://www.oracle.com/security-alerts/cpuapr2020.html https://www.oracle.com/security-alerts/cpuoct2020.html https://www.oracle.com/security-alerts/cpujan2021.html Для Astra Linux: Обновление программного обеспечения (пакета libquartz2-java) до 2.3.0-3 или более поздней версии Для ОСОН Основа: Обновление программного обеспечения libquartz2-java до версии 2.3.0-3

Reference

https://nvd.nist.gov/vuln/detail/CVE-2019-13990 https://github.com/quartz-scheduler/quartz/issues/467 https://www.suse.com/security/cve/CVE-2019-13990/ https://access.redhat.com/security/cve/CVE-2019-13990 https://www.oracle.com/security-alerts/cpuapr2020.html https://www.oracle.com/security-alerts/cpuoct2020.html https://www.oracle.com/security-alerts/cpujan2021.html https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.4.2/

CWE

CWE-611

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Oracle Corp., Red Hat Inc., \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb, Novell Inc., Terracotta, Inc., \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\"",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "14.1 (Retail Back Office), 14.1 (Retail Central Office), 14.1 (Retail Returns Management), 14.1 (Retail Point-of-Service), 12.2.1.3.0 (Fusion Middleware MapViewer), 16.2 (Primavera Unifier), 16.1 (Primavera Unifier), 4 (Red Hat Virtualization), 15.0 (Oracle Retail Order Broker), 16.0 (Oracle Retail Order Broker), 2.12 \u00ab\u041e\u0440\u0451\u043b\u00bb (Astra Linux Common Edition), 7 (Jboss Fuse), 18.8 (Primavera Unifier), 7 (Red Hat Process Automation Manager), 7 (Red Hat Descision Manager), \u043e\u0442 17.7 \u0434\u043e 17.12 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Primavera Unifier), 4.0 (SUSE Linux Enterprise Module for SUSE Manager Server), 3.2 (SUSE Manager Server), 18.0 (Oracle Retail Order Broker), 2.7.0 (Banking Enterprise Product Manufacturing), 2.8.0 (Banking Enterprise Product Manufacturing), 2.7.0 (Oracle Banking Enterprise Originations), 2.8.0 (Oracle Banking Enterprise Originations), \u0434\u043e 2.3.2 (Quartz Scheduler), 19.0 (Oracle Retail Order Broker), 12.4.0.0 (Enterprise Manager Ops Center), \u043e\u0442 8.2.0 \u0434\u043e 8.2.2 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Oracle Communications Session Route Manager), 13.2.1.0 (Enterprise Manager Base Platform), 11.1.2.4 (Hyperion Infrastructure Technology), \u0434\u043e 2.4.2 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f Quartz Scheduler:\nhttps://github.com/quartz-scheduler/quartz/issues/467\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Novell Inc.:\nhttps://www.suse.com/security/cve/CVE-2019-13990/\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Red Hat Inc.:\nhttps://access.redhat.com/security/cve/CVE-2019-13990\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Oracle Corp.:\nhttps://www.oracle.com/security-alerts/cpuapr2020.html\nhttps://www.oracle.com/security-alerts/cpuoct2020.html\nhttps://www.oracle.com/security-alerts/cpujan2021.html\n\n\u0414\u043b\u044f Astra Linux:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f (\u043f\u0430\u043a\u0435\u0442\u0430 libquartz2-java) \u0434\u043e 2.3.0-3 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u043f\u043e\u0437\u0434\u043d\u0435\u0439 \u0432\u0435\u0440\u0441\u0438\u0438\n\n\u0414\u043b\u044f \u041e\u0421\u041e\u041d \u041e\u0441\u043d\u043e\u0432\u0430:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f libquartz2-java \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 2.3.0-3",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "22.07.2019",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "17.10.2022",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "15.05.2020",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2020-02137",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2019-13990",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Retail Back Office, Retail Central Office, Retail Returns Management, Retail Point-of-Service, Fusion Middleware MapViewer, Primavera Unifier, Red Hat Virtualization, Oracle Retail Order Broker, Astra Linux Common Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164433), Jboss Fuse, Red Hat Process Automation Manager, Red Hat Descision Manager, SUSE Linux Enterprise Module for SUSE Manager Server, SUSE Manager Server, Banking Enterprise Product Manufacturing, Oracle Banking Enterprise Originations, Quartz Scheduler, Enterprise Manager Ops Center, Oracle Communications Session Route Manager, Enterprise Manager Base Platform, Hyperion Infrastructure Technology, \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Common Edition 2.12 \u00ab\u041e\u0440\u0451\u043b\u00bb  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164433)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 initDocumentParser \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 \u043f\u043b\u0430\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u0437\u0430\u0434\u0430\u043d\u0438\u0439 Terracotta Quartz Scheduler, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043e\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0438\u0442\u044c XXE-\u0430\u0442\u0430\u043a\u0443",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u0432\u0435\u0440\u043d\u043e\u0435 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0435 XML-\u0441\u0441\u044b\u043b\u043e\u043a \u043d\u0430 \u0432\u043d\u0435\u0448\u043d\u0438\u0435 \u043e\u0431\u044a\u0435\u043a\u0442\u044b (CWE-611)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 initDocumentParser (xml/XMLSchedulingDataProcessor.java) \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 \u043f\u043b\u0430\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u0437\u0430\u0434\u0430\u043d\u0438\u0439 Terracotta Quartz Scheduler \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0432\u0435\u0440\u043d\u044b\u043c \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0435\u043c XML-\u0441\u0441\u044b\u043b\u043e\u043a \u043d\u0430 \u0432\u043d\u0435\u0448\u043d\u0438\u0435 \u043e\u0431\u044a\u0435\u043a\u0442\u044b. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u043e\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0438\u0442\u044c XXE-\u0430\u0442\u0430\u043a\u0443",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0418\u043d\u044a\u0435\u043a\u0446\u0438\u044f",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://nvd.nist.gov/vuln/detail/CVE-2019-13990\nhttps://github.com/quartz-scheduler/quartz/issues/467\nhttps://www.suse.com/security/cve/CVE-2019-13990/\nhttps://access.redhat.com/security/cve/CVE-2019-13990\nhttps://www.oracle.com/security-alerts/cpuapr2020.html\nhttps://www.oracle.com/security-alerts/cpuoct2020.html\nhttps://www.oracle.com/security-alerts/cpujan2021.html\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.4.2/",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u041f\u041e \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438/\u041f\u041e \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u044c\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e-\u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430, \u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u041e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e-\u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-611",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 10)\n\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9,8)"
}

CNVD-2020-22364

Vulnerability from cnvd - Published: 2020-04-12

Title

Terracotta Quartz Scheduler代码问题漏洞

Description

Terracotta Quartz Scheduler是一款开源的作业调度框架。 Terracotta Quartz Scheduler存在代码问题漏洞。该漏洞源于网络系统或产品的代码开发过程中存在设计或实现不当的问题。攻击者可通过作业描述利用该漏洞进行XXE攻击。

Severity

高

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： http://www.quartz-scheduler.org/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2019-13990

Impacted products

Name
Terracotta Quartz Scheduler Terracotta Quartz Scheduler <=2.3.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-13990",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2019-13990"
    }
  },
  "description": "Terracotta Quartz Scheduler\u662f\u4e00\u6b3e\u5f00\u6e90\u7684\u4f5c\u4e1a\u8c03\u5ea6\u6846\u67b6\u3002\n\nTerracotta Quartz Scheduler\u5b58\u5728\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u7684\u4ee3\u7801\u5f00\u53d1\u8fc7\u7a0b\u4e2d\u5b58\u5728\u8bbe\u8ba1\u6216\u5b9e\u73b0\u4e0d\u5f53\u7684\u95ee\u9898\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u4f5c\u4e1a\u63cf\u8ff0\u5229\u7528\u8be5\u6f0f\u6d1e\u8fdb\u884cXXE\u653b\u51fb\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttp://www.quartz-scheduler.org/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-22364",
  "openTime": "2020-04-12",
  "products": {
    "product": "Terracotta Quartz Scheduler Terracotta Quartz Scheduler \u003c=2.3.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2019-13990",
  "serverity": "\u9ad8",
  "submitTime": "2019-07-29",
  "title": "Terracotta Quartz Scheduler\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e"
}

FKIE_CVE-2019-13990

Vulnerability from fkie_nvd - Published: 2019-07-26 19:15 - Updated: 2024-11-21 04:25

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.

References

URL	Tags
cve@mitre.org	https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html	Third Party Advisory
cve@mitre.org	https://github.com/quartz-scheduler/quartz/issues/467	Issue Tracking, Third Party Advisory
cve@mitre.org	https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3E	Third Party Advisory
cve@mitre.org	https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3%40%3Cdev.tomee.apache.org%3E	Issue Tracking
cve@mitre.org	https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949%40%3Cdev.tomee.apache.org%3E	Issue Tracking
cve@mitre.org	https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629%40%3Cdev.tomee.apache.org%3E	Issue Tracking
cve@mitre.org	https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf%40%3Ccommits.tomee.apache.org%3E	Patch
cve@mitre.org	https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a%40%3Ccommits.tomee.apache.org%3E	Patch
cve@mitre.org	https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf%40%3Ccommits.tomee.apache.org%3E	Issue Tracking
cve@mitre.org	https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa%40%3Ccommits.tomee.apache.org%3E	Issue Tracking
cve@mitre.org	https://security.netapp.com/advisory/ntap-20221028-0002/	Third Party Advisory
cve@mitre.org	https://www.oracle.com//security-alerts/cpujul2021.html	Third Party Advisory
cve@mitre.org	https://www.oracle.com/security-alerts/cpuapr2020.html	Third Party Advisory
cve@mitre.org	https://www.oracle.com/security-alerts/cpujan2021.html	Third Party Advisory
cve@mitre.org	https://www.oracle.com/security-alerts/cpujul2020.html	Third Party Advisory
cve@mitre.org	https://www.oracle.com/security-alerts/cpuoct2020.html	Third Party Advisory
cve@mitre.org	https://www.oracle.com/security-alerts/cpuoct2021.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/quartz-scheduler/quartz/issues/467	Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3E	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3%40%3Cdev.tomee.apache.org%3E	Issue Tracking
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949%40%3Cdev.tomee.apache.org%3E	Issue Tracking
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629%40%3Cdev.tomee.apache.org%3E	Issue Tracking
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf%40%3Ccommits.tomee.apache.org%3E	Patch
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a%40%3Ccommits.tomee.apache.org%3E	Patch
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf%40%3Ccommits.tomee.apache.org%3E	Issue Tracking
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa%40%3Ccommits.tomee.apache.org%3E	Issue Tracking
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20221028-0002/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.oracle.com//security-alerts/cpujul2021.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.oracle.com/security-alerts/cpuapr2020.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.oracle.com/security-alerts/cpujan2021.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.oracle.com/security-alerts/cpujul2020.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.oracle.com/security-alerts/cpuoct2020.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.oracle.com/security-alerts/cpuoct2021.html	Third Party Advisory

Impacted products

Vendor	Product	Version
softwareag	quartz	*
oracle	apache_batik_mapviewer	12.2.0.1
oracle	apache_batik_mapviewer	18c
oracle	apache_batik_mapviewer	19c
oracle	banking_enterprise_originations	2.7.0
oracle	banking_enterprise_originations	2.8.0
oracle	banking_enterprise_product_manufacturing	2.7.0
oracle	banking_enterprise_product_manufacturing	2.8.0
oracle	banking_payments	*
oracle	communications_ip_service_activator	7.3.0
oracle	communications_ip_service_activator	7.4.0
oracle	communications_session_route_manager	*
oracle	customer_management_and_segmentation_foundation	18.0
oracle	documaker	*
oracle	enterprise_manager_base_platform	13.2.1.0
oracle	enterprise_manager_ops_center	12.4.0.0
oracle	flexcube_investor_servicing	12.1.0
oracle	flexcube_investor_servicing	12.3.0
oracle	flexcube_investor_servicing	12.4.0
oracle	flexcube_investor_servicing	14.1.0
oracle	flexcube_investor_servicing	14.4.0
oracle	flexcube_private_banking	12.0.0
oracle	flexcube_private_banking	12.1.0
oracle	fusion_middleware_mapviewer	12.2.1.3.0
oracle	google_guava_mapviewer	12.2.0.1
oracle	google_guava_mapviewer	18c
oracle	google_guava_mapviewer	19c
oracle	hyperion_infrastructure_technology	11.1.2.4
oracle	jd_edwards_enterpriseone_orchestrator	*
oracle	primavera_unifier	*
oracle	primavera_unifier	16.1
oracle	primavera_unifier	16.2
oracle	primavera_unifier	18.8
oracle	retail_back_office	14.1
oracle	retail_central_office	14.1
oracle	retail_integration_bus	15.0
oracle	retail_integration_bus	16.0
oracle	retail_order_broker	15.0
oracle	retail_order_broker	16.0
oracle	retail_order_broker	18.0
oracle	retail_order_broker	19.0
oracle	retail_point-of-service	14.1
oracle	retail_returns_management	14.1
oracle	retail_xstore_point_of_service	15.0
oracle	retail_xstore_point_of_service	16.0
oracle	retail_xstore_point_of_service	17.0
oracle	retail_xstore_point_of_service	18.0
oracle	retail_xstore_point_of_service	19.0
oracle	terracotta_quartz_scheduler_mapviewer	12.2.0.1
oracle	terracotta_quartz_scheduler_mapviewer	18c
oracle	terracotta_quartz_scheduler_mapviewer	19c
oracle	webcenter_sites	12.2.1.3.0
oracle	webcenter_sites	12.2.1.4.0
apache	tomee	7.1.3
netapp	active_iq_unified_manager	-
netapp	active_iq_unified_manager	-
netapp	active_iq_unified_manager	-
netapp	cloud_secure_agent	-
atlassian	jira_service_management	4.20.0
atlassian	jira_service_management	4.20.0
atlassian	jira_service_management	4.20.1
atlassian	jira_service_management	4.20.1
atlassian	jira_service_management	4.20.2
atlassian	jira_service_management	4.20.2
atlassian	jira_service_management	4.20.3
atlassian	jira_service_management	4.20.3
atlassian	jira_service_management	4.20.4
atlassian	jira_service_management	4.20.4
atlassian	jira_service_management	4.20.5
atlassian	jira_service_management	4.20.5
atlassian	jira_service_management	4.20.6
atlassian	jira_service_management	4.20.6
atlassian	jira_service_management	4.20.7
atlassian	jira_service_management	4.20.7
atlassian	jira_service_management	4.20.8
atlassian	jira_service_management	4.20.8
atlassian	jira_service_management	4.20.9
atlassian	jira_service_management	4.20.9
atlassian	jira_service_management	4.20.10
atlassian	jira_service_management	4.20.10
atlassian	jira_service_management	4.20.11
atlassian	jira_service_management	4.20.11
atlassian	jira_service_management	4.20.12
atlassian	jira_service_management	4.20.12
atlassian	jira_service_management	4.20.13
atlassian	jira_service_management	4.20.13
atlassian	jira_service_management	4.20.14
atlassian	jira_service_management	4.20.14
atlassian	jira_service_management	4.20.15
atlassian	jira_service_management	4.20.15
atlassian	jira_service_management	4.20.16
atlassian	jira_service_management	4.20.16
atlassian	jira_service_management	4.20.17
atlassian	jira_service_management	4.20.17
atlassian	jira_service_management	4.20.18
atlassian	jira_service_management	4.20.18
atlassian	jira_service_management	4.20.19
atlassian	jira_service_management	4.20.19
atlassian	jira_service_management	4.20.20
atlassian	jira_service_management	4.20.20
atlassian	jira_service_management	4.20.21
atlassian	jira_service_management	4.20.21
atlassian	jira_service_management	4.20.22
atlassian	jira_service_management	4.20.22
atlassian	jira_service_management	4.20.23
atlassian	jira_service_management	4.20.23
atlassian	jira_service_management	4.20.24
atlassian	jira_service_management	4.20.24
atlassian	jira_service_management	4.20.25
atlassian	jira_service_management	4.20.25
atlassian	jira_service_management	4.21.0
atlassian	jira_service_management	4.21.0
atlassian	jira_service_management	4.21.1
atlassian	jira_service_management	4.21.1
atlassian	jira_service_management	4.22.0
atlassian	jira_service_management	4.22.0
atlassian	jira_service_management	4.22.1
atlassian	jira_service_management	4.22.1
atlassian	jira_service_management	4.22.2
atlassian	jira_service_management	4.22.2
atlassian	jira_service_management	4.22.3
atlassian	jira_service_management	4.22.3
atlassian	jira_service_management	4.22.4
atlassian	jira_service_management	4.22.4
atlassian	jira_service_management	4.22.6
atlassian	jira_service_management	4.22.6
atlassian	jira_service_management	5.0.0
atlassian	jira_service_management	5.0.0
atlassian	jira_service_management	5.1.0
atlassian	jira_service_management	5.1.0
atlassian	jira_service_management	5.1.1
atlassian	jira_service_management	5.1.1
atlassian	jira_service_management	5.2.0
atlassian	jira_service_management	5.2.0
atlassian	jira_service_management	5.2.1
atlassian	jira_service_management	5.2.1
atlassian	jira_service_management	5.3.0
atlassian	jira_service_management	5.3.0
atlassian	jira_service_management	5.3.1
atlassian	jira_service_management	5.3.1
atlassian	jira_service_management	5.3.2
atlassian	jira_service_management	5.3.2
atlassian	jira_service_management	5.3.3
atlassian	jira_service_management	5.3.3
atlassian	jira_service_management	5.4.0
atlassian	jira_service_management	5.4.0
atlassian	jira_service_management	5.4.1
atlassian	jira_service_management	5.4.1
atlassian	jira_service_management	5.4.2
atlassian	jira_service_management	5.4.2
atlassian	jira_service_management	5.4.3
atlassian	jira_service_management	5.4.3
atlassian	jira_service_management	5.4.4
atlassian	jira_service_management	5.4.4
atlassian	jira_service_management	5.4.5
atlassian	jira_service_management	5.4.5
atlassian	jira_service_management	5.4.6
atlassian	jira_service_management	5.4.6
atlassian	jira_service_management	5.4.7
atlassian	jira_service_management	5.4.7
atlassian	jira_service_management	5.4.8
atlassian	jira_service_management	5.4.8
atlassian	jira_service_management	5.4.9
atlassian	jira_service_management	5.4.9
atlassian	jira_service_management	5.5.1
atlassian	jira_service_management	5.5.1
atlassian	jira_service_management	5.6.0
atlassian	jira_service_management	5.6.0
atlassian	jira_service_management	5.7.0
atlassian	jira_service_management	5.7.0
atlassian	jira_service_management	5.7.1
atlassian	jira_service_management	5.7.1
atlassian	jira_service_management	5.8.0
atlassian	jira_service_management	5.8.0
atlassian	jira_service_management	5.8.1
atlassian	jira_service_management	5.8.1
atlassian	jira_service_management	5.9.0
atlassian	jira_service_management	5.9.0
atlassian	jira_service_management	5.10.0
atlassian	jira_service_management	5.10.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:softwareag:quartz:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "45E3B3FD-2210-4419-86E7-0365320383F7",
              "versionEndExcluding": "2.3.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:oracle:apache_batik_mapviewer:12.2.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "03B8033B-C2A4-47A2-88F0-ED2BF8962518",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:apache_batik_mapviewer:18c:*:*:*:*:*:*:*",
              "matchCriteriaId": "4B1124B6-CECC-4D4D-A8D5-F05928A545AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:apache_batik_mapviewer:19c:*:*:*:*:*:*:*",
              "matchCriteriaId": "3BE19D2D-0789-4925-BC87-DC3A4C063FBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_enterprise_originations:2.7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7AB8ABFD-C72C-4CBB-8872-9440A19154D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_enterprise_originations:2.8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "3054FEBB-484B-4927-9D1C-2024772E8B3D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_enterprise_product_manufacturing:2.7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "5AED3C78-7D65-4F02-820D-B51BCE4022F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_enterprise_product_manufacturing:2.8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "557A23A1-4762-4D29-A478-D1670C1847D3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:banking_payments:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2FF46C9A-7768-4E52-A676-BEA6AE766AD4",
              "versionEndIncluding": "14.4.0",
              "versionStartIncluding": "14.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_ip_service_activator:7.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DE48E0FE-5931-441C-B4FF-253BD9C48186",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_ip_service_activator:7.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DE7A60DB-A287-4E61-8131-B6314007191B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "11B0C37E-D7C7-45F2-A8D8-5A3B1B191430",
              "versionEndIncluding": "8.2.2",
              "versionStartIncluding": "8.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "727DF4F5-3D21-491E-96B9-EC973A6C9C18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:documaker:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "135D531C-A692-4BE3-AB8C-37BB0D35559A",
              "versionEndIncluding": "12.6.4",
              "versionStartIncluding": "12.6.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "66916DEB-ACE1-44E0-9535-10B3E03347AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B095CC03-7077-4A58-AB25-CC5380CDCE5A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:flexcube_investor_servicing:12.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "21BE77B2-6368-470E-B9E6-21664D9A818A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:flexcube_investor_servicing:12.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "3250073F-325A-4AFC-892F-F2005E3854A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:flexcube_investor_servicing:12.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0DDDC9C2-33D6-4123-9ABC-C9B809A6E88E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:flexcube_investor_servicing:14.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A69266D2-72D0-4A6C-883D-2597FE30931B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:flexcube_investor_servicing:14.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "524429D6-8AF1-4713-A9B8-678B50A3762F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "6762F207-93C7-4363-B2F9-7A7C6F8AF993",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "1B74B912-152D-4F38-9FC1-741D6D0B27FC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "06E586B3-3434-4B08-8BE3-16C528642CA5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:google_guava_mapviewer:12.2.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "0CCA59D2-2853-44F3-9C5C-CC59B49A6B69",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:google_guava_mapviewer:18c:*:*:*:*:*:*:*",
              "matchCriteriaId": "779EB0EC-2905-48BC-B375-E6E78B26A169",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:google_guava_mapviewer:19c:*:*:*:*:*:*:*",
              "matchCriteriaId": "E19C4DBE-2889-4C13-A0E9-30D0CD1BF714",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "DED59B62-C9BF-4C0E-B351-3884E8441655",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B2A0A4A6-70D3-418B-80EA-04718C50C500",
              "versionEndIncluding": "9.2.5.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "08FA59A8-6A62-4B33-8952-D6E658F8DAC9",
              "versionEndIncluding": "17.12",
              "versionStartIncluding": "17.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "D55A54FD-7DD1-49CD-BE81-0BE73990943C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "82EB08C0-2D46-4635-88DF-E54F6452D3A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "202AD518-2E9B-4062-B063-9858AE1F9CE2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "F0735989-13BD-40B3-B954-AC0529C5B53D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "58405263-E84C-4071-BB23-165D49034A00",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_integration_bus:15.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "42064F46-3012-4FB1-89BA-F13C2E4CBB6B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F73E2EFA-0F43-4D92-8C7D-9E66811B76D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "EE8CF045-09BB-4069-BCEC-496D5AE3B780",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "38E74E68-7F19-4EF3-AC00-3C249EAAA39E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_order_broker:18.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0783F0D1-8FAC-4BCA-A6F5-C5C60E86D56D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_order_broker:19.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "BFB0BB58-04D3-409D-AECC-9633782F0E75",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "E13DF2AE-F315-4085-9172-6C8B21AF1C9E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "BDB925C6-2CBC-4D88-B9EA-F246F4F7A206",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "11DA6839-849D-4CEF-85F3-38FE75E07183",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "BCE78490-A4BE-40BD-8C72-0A4526BBD4A4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "55AE3629-4A66-49E4-A33D-6D81CC94962F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4CB39A1A-AD29-45DD-9EB5-5E2053A01B9A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "27C26705-6D1F-4D5E-B64D-B479108154FF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:terracotta_quartz_scheduler_mapviewer:12.2.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "7E75624C-68FA-465C-86B3-BCFB649C4782",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:terracotta_quartz_scheduler_mapviewer:18c:*:*:*:*:*:*:*",
              "matchCriteriaId": "6B7DF2FA-F290-40F7-ABD1-AB50EEBC83B5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:terracotta_quartz_scheduler_mapviewer:19c:*:*:*:*:*:*:*",
              "matchCriteriaId": "E4D4E5C1-D4A6-464D-9DF3-A9DDD1912FBB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "D551CAB1-4312-44AA-BDA8-A030817E153A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "174A6D2E-E42E-4C92-A194-C6A820CD7EF4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:tomee:7.1.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "E74771B8-99DA-434F-ADCF-258838674E18",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*",
              "matchCriteriaId": "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*",
              "matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*",
              "matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F0F202E8-97E6-4BBB-A0B6-4CA3F5803C08",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.0:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "E70C8416-E4F6-44BC-BDF9-BB1BAE7E185F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.0:*:*:*:server:*:*:*",
              "matchCriteriaId": "1363F683-E350-4639-A973-A82BDD83A3A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.1:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "7BAB5016-8439-4E01-8911-8B472EF38E13",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.1:*:*:*:server:*:*:*",
              "matchCriteriaId": "F8EF8DCE-7266-49B1-AE2E-96079A2AD6E7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.2:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "029B8E7F-65EF-4984-A27B-8198D8EB18DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.2:*:*:*:server:*:*:*",
              "matchCriteriaId": "55C7B96B-2A2F-47F9-BBBD-0E25F8AF8F02",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.3:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "160B6A9E-41DC-4999-B3CC-A16B3A16D2A4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.3:*:*:*:server:*:*:*",
              "matchCriteriaId": "FC59154D-036C-4F22-B5F1-891527A3EC6B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.4:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "6AD2CA00-9D6C-4DAC-90E6-BE1D93555C11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.4:*:*:*:server:*:*:*",
              "matchCriteriaId": "2FDF2DF4-B0EE-4179-AF98-B21EBB2E1D6F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.5:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "AF85E227-F167-4CCB-A039-D96CC080B032",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.5:*:*:*:server:*:*:*",
              "matchCriteriaId": "EDA3B2B5-C9EA-4D26-AEF4-F86792FB9ADC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.6:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "93DDAE6E-DB31-429A-B4EB-955E080A4545",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.6:*:*:*:server:*:*:*",
              "matchCriteriaId": "DF994E6C-6262-4230-BBC6-E464EBC1B0F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.7:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "25DA87CA-362C-4558-AA42-265DA1F8C26D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.7:*:*:*:server:*:*:*",
              "matchCriteriaId": "EF410408-CD38-408A-97C4-1103EF8AF68D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.8:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "037D6CB0-959B-468E-87DD-8B1110A14ED0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.8:*:*:*:server:*:*:*",
              "matchCriteriaId": "1B885DB6-2DEA-4EB4-97BC-2BF30BC45544",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.9:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "C83E3571-CD54-40A2-AAC0-20F67954642B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.9:*:*:*:server:*:*:*",
              "matchCriteriaId": "B69320FF-4E93-475C-B995-85CF1A03DBDA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.10:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "FD430022-C74D-4340-88F9-21AB69485966",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.10:*:*:*:server:*:*:*",
              "matchCriteriaId": "549E2860-25D9-468C-891D-AD9BEADA08B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.11:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "5C03D422-521C-48B2-B293-247232D1ED3C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.11:*:*:*:server:*:*:*",
              "matchCriteriaId": "2B0DBCC1-2D1F-4DB3-A693-DA0FA18B9A5E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.12:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "34515441-AE13-4492-A08E-6521D840F689",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.12:*:*:*:server:*:*:*",
              "matchCriteriaId": "6FABE527-FED5-4BA3-ABF0-C89AD1228ED2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.13:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "6BE5E85B-7725-4DB9-8357-9097F777705D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.13:*:*:*:server:*:*:*",
              "matchCriteriaId": "910A2B29-3502-499B-892F-F6AD473CA6F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.14:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "2BAB1FDD-C213-48CB-B28B-802F0D1278A7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.14:*:*:*:server:*:*:*",
              "matchCriteriaId": "59D09ED0-E31D-4C6B-A217-A3C58C209782",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.15:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "746CCD4F-5411-4249-8A71-A47AD598498A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.15:*:*:*:server:*:*:*",
              "matchCriteriaId": "A055705E-4F63-4EB9-BABC-8888041D1E1F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.16:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "AFA32156-893E-44A7-9F18-73586F2E21AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.16:*:*:*:server:*:*:*",
              "matchCriteriaId": "631D10DC-9F03-4BEE-98DD-0759746825A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.17:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "AFAC053F-3A53-4AD8-9393-49A837A38A8C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.17:*:*:*:server:*:*:*",
              "matchCriteriaId": "FE355EB5-A0C4-471C-8E47-1898746D89C6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.18:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "CC230B1E-AA5E-4E76-92E5-41130C56DD34",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.18:*:*:*:server:*:*:*",
              "matchCriteriaId": "B764FD56-DBFF-46EE-9108-CF88591DC7A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.19:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "3F369AD5-25DB-43E4-ADB5-22A774FC6F91",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.19:*:*:*:server:*:*:*",
              "matchCriteriaId": "454804E1-9C4C-41AA-ACB4-0150BB39669C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.20:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "79A73328-B3BF-4682-9B60-12A4039F9D1E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.20:*:*:*:server:*:*:*",
              "matchCriteriaId": "2A75238E-A82C-4BE9-8300-2BE8B40C31CD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.21:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "1E7B8908-7F72-495B-B562-81E789643A60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.21:*:*:*:server:*:*:*",
              "matchCriteriaId": "55A04426-7D52-4F90-9623-109F201223AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.22:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "2CC10DC7-1B0B-41E6-B903-DC7E59F68517",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.22:*:*:*:server:*:*:*",
              "matchCriteriaId": "E7A19BC6-3F2B-4248-8255-BBA729F941C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.23:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "DC4936AD-0B95-4687-B0A8-290E76D3ED7C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.23:*:*:*:server:*:*:*",
              "matchCriteriaId": "33A3BC88-F6CC-4CDD-8842-2DC5C4706AC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.24:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "AE05DF9B-2F49-45E9-AB47-A5FA18B6847E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.24:*:*:*:server:*:*:*",
              "matchCriteriaId": "29F7D306-FC7F-4748-BC1D-6280654B8409",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.25:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "C82EA42D-1583-4B6D-840E-69B804BD2902",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.25:*:*:*:server:*:*:*",
              "matchCriteriaId": "22D1EEB6-D4D1-46FC-BB60-CF33EE970E43",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.21.0:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "F1992CBB-135C-4CD7-8D9B-037EEE0530BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.21.0:*:*:*:server:*:*:*",
              "matchCriteriaId": "D8232A74-B1DA-48DD-9DF1-4D04F6091BE3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.21.1:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "F81B63AA-1086-448A-8D60-F5CF41BB1226",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.21.1:*:*:*:server:*:*:*",
              "matchCriteriaId": "2B8BBC24-532A-46AB-9D7D-241C43082E95",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.22.0:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "F629DC1E-E044-4D84-8D60-B4E6C139EE98",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.22.0:*:*:*:server:*:*:*",
              "matchCriteriaId": "4BDBC59C-C5C7-4848-8CCA-D4DF0354BFCA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.22.1:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "D2E75D91-EC8E-4BAC-B989-403120F84BAC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.22.1:*:*:*:server:*:*:*",
              "matchCriteriaId": "FEA2A29A-D2AA-4688-888D-02923EEBFF4A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.22.2:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "93EEA37B-7E96-455D-9131-2CDB77889080",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.22.2:*:*:*:server:*:*:*",
              "matchCriteriaId": "71D2DC08-B93D-474B-9332-793A47E0A792",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.22.3:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "9263586C-D6A5-48F4-8F36-F672377AAFAD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.22.3:*:*:*:server:*:*:*",
              "matchCriteriaId": "01F142BF-C557-4D27-A263-0A77D3FBAA27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.22.4:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "BC250698-AA6D-46FC-923D-9A3EB0742697",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.22.4:*:*:*:server:*:*:*",
              "matchCriteriaId": "755B605C-E032-435B-90C3-FEB1EEBD43E7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.22.6:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "728DE946-60C8-433A-807B-45720C668B37",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.22.6:*:*:*:server:*:*:*",
              "matchCriteriaId": "F24C4029-A2D5-4B95-AE2B-10B035B28420",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.0.0:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "52672DE1-9B0D-4689-93AD-FF4B8A59E5EC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.0.0:*:*:*:server:*:*:*",
              "matchCriteriaId": "D802B4FE-F56F-46C4-A84B-EB89931EC16E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.1.0:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "17E30F04-14EF-4F4D-8124-D0DD04E9EDF9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.1.0:*:*:*:server:*:*:*",
              "matchCriteriaId": "538503C1-F947-4BCF-836F-A609A601E064",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.1.1:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "07105957-FEBE-4E02-88FB-A8DDAE67E8A9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.1.1:*:*:*:server:*:*:*",
              "matchCriteriaId": "E40B10B9-F8C3-4279-A9AC-2E25AEF46D7A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.2.0:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "C7D685CD-9CAD-42B5-B721-26203854F396",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.2.0:*:*:*:server:*:*:*",
              "matchCriteriaId": "269B2F72-56A3-4750-8665-7DE03DAE3DAA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.2.1:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "C600291E-2EDC-4F61-9FC1-C2C34C20EA4C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.2.1:*:*:*:server:*:*:*",
              "matchCriteriaId": "C8D33E70-8A27-46A2-BB14-87181F8DA0F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.3.0:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "F09CAEB7-4C1F-4B5B-9921-6DD06FF9EB9D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.3.0:*:*:*:server:*:*:*",
              "matchCriteriaId": "7E9F4E2A-E450-496C-B3E8-B0817BAD8817",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.3.1:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "964CB4B7-1502-4E92-B7D2-D864C13E338B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.3.1:*:*:*:server:*:*:*",
              "matchCriteriaId": "A9EFBC53-7C0B-408E-A745-0C83E9E38DAD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.3.2:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "18A70517-84A8-4866-9FE8-06D0608391E4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.3.2:*:*:*:server:*:*:*",
              "matchCriteriaId": "E504A879-B312-4E8F-ADF9-8C1623B023AE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.3.3:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "9EE1449F-6F38-4677-9DB9-AF2D9A7C2AE2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.3.3:*:*:*:server:*:*:*",
              "matchCriteriaId": "2BC5B994-25C4-4C00-8871-F3664878C83B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.0:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "4484C6ED-659F-47F5-BFE2-7E9794FA51C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.0:*:*:*:server:*:*:*",
              "matchCriteriaId": "F4449121-125E-49D9-BF3E-2A6EA169B796",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.1:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "C940817F-B265-4F42-AE19-DA2B49AC1D53",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.1:*:*:*:server:*:*:*",
              "matchCriteriaId": "099869F1-BC95-4828-A0F5-9BBADDC3F6F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.2:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "601B5811-B1B8-4FF0-984B-62F07366615A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.2:*:*:*:server:*:*:*",
              "matchCriteriaId": "0D82DFCD-964E-406E-8329-E31A76FCFC64",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.3:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "ED8B7E12-9139-4BCB-9A5A-C8B23A6F8628",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.3:*:*:*:server:*:*:*",
              "matchCriteriaId": "08F237B7-4C22-4A35-BC82-6B6E892B7EB3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.4:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "0EC83F47-180C-481B-88A8-0E3C6654774C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.4:*:*:*:server:*:*:*",
              "matchCriteriaId": "2A3EA15F-DEBB-44A2-8CEA-B137AE8089CA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.5:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "428B70AC-35A2-4D4F-9670-43B601426DD3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.5:*:*:*:server:*:*:*",
              "matchCriteriaId": "6314E670-88E8-4B09-9AF4-95E669A68A5A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.6:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "4486E929-E1A8-4731-BE7E-A8BCCE594ADA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.6:*:*:*:server:*:*:*",
              "matchCriteriaId": "D24437F8-2B3A-4A0D-8C6C-A8B9E90457DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.7:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "06843035-CE98-48C8-BCB1-02976D233077",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.7:*:*:*:server:*:*:*",
              "matchCriteriaId": "B98060AC-32A2-4F5A-A490-3E23F883D5A7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.8:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "9681965F-AD13-420C-8845-A544520042DF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.8:*:*:*:server:*:*:*",
              "matchCriteriaId": "C9D2A5F2-F91C-4DA3-9EB6-441D17A6AB9F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.9:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "6F3F93E1-8BB2-40BD-B4A9-D4136B742F82",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.9:*:*:*:server:*:*:*",
              "matchCriteriaId": "549B3ADB-BAEF-4E45-856C-4B07F9FBB12A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.5.1:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "941AD6CA-3F4E-43E5-AA68-95AB7C84F297",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.5.1:*:*:*:server:*:*:*",
              "matchCriteriaId": "4630E46A-817F-4238-989F-93C633A10058",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.6.0:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "25D8E4A5-2AB6-42D4-B6D4-54484149BE75",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.6.0:*:*:*:server:*:*:*",
              "matchCriteriaId": "9BA9FF1F-8F8C-47DD-9E7B-8B48FB453A83",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.7.0:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "D28343BD-5440-425E-AFEB-FC79EFB3C531",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.7.0:*:*:*:server:*:*:*",
              "matchCriteriaId": "F29E98F7-4768-48C8-9D1C-448006DF0FFE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.7.1:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "E8B3B4C6-4E76-4184-BE92-A6EF2B4CB8D2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.7.1:*:*:*:server:*:*:*",
              "matchCriteriaId": "1320F61E-A562-438E-A19D-90C816920B63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.8.0:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "35D28C45-8C74-4131-A2C5-1F1CE009BDED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.8.0:*:*:*:server:*:*:*",
              "matchCriteriaId": "64D7B52D-46CA-4769-9631-9E3E45927003",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.8.1:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "027F98AD-B508-4079-A1BD-EFDBDBA78331",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.8.1:*:*:*:server:*:*:*",
              "matchCriteriaId": "D80A8C83-C8B1-4ADF-B45B-550E6BA45AEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.9.0:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "54EB831D-3D4C-4807-AF42-DFF7D9176773",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.9.0:*:*:*:server:*:*:*",
              "matchCriteriaId": "031A34D6-C522-4301-BE02-83D3BADC8C7E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.10.0:*:*:*:data_center:*:*:*",
              "matchCriteriaId": "109D37D3-3FC7-4443-974A-7D668ABE97D9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.10.0:*:*:*:server:*:*:*",
              "matchCriteriaId": "30D20E35-0BAC-4D43-A619-10B6A4572CBB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description."
    },
    {
      "lang": "es",
      "value": "La funci\u00f3n initDocumentParser en el archivo xml/XMLSchedulingDataProcessor.java en Quartz Scheduler de Terracotta hasta la versi\u00f3n 2.3.0, permite ataques de tipo XXE por medio de una descripci\u00f3n del trabajo."
    }
  ],
  "id": "CVE-2019-13990",
  "lastModified": "2024-11-21T04:25:50.490",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2019-07-26T19:15:11.730",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://github.com/quartz-scheduler/quartz/issues/467"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3%40%3Cdev.tomee.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949%40%3Cdev.tomee.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629%40%3Cdev.tomee.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf%40%3Ccommits.tomee.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a%40%3Ccommits.tomee.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf%40%3Ccommits.tomee.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa%40%3Ccommits.tomee.apache.org%3E"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20221028-0002/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://github.com/quartz-scheduler/quartz/issues/467"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3%40%3Cdev.tomee.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949%40%3Cdev.tomee.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629%40%3Cdev.tomee.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf%40%3Ccommits.tomee.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a%40%3Ccommits.tomee.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf%40%3Ccommits.tomee.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa%40%3Ccommits.tomee.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20221028-0002/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-611"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-611"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

GHSA-9QCF-C26R-X5RF

Vulnerability from github – Published: 2020-07-01 17:55 – Updated: 2024-10-15 23:33

Summary

XML external entity injection in Terracotta Quartz Scheduler

Details

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.quartz-scheduler:quartz"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-13990"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-07-01T17:54:54Z",
    "nvd_published_at": "2019-07-26T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.",
  "id": "GHSA-9qcf-c26r-x5rf",
  "modified": "2024-10-15T23:33:04Z",
  "published": "2020-07-01T17:55:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13990"
    },
    {
      "type": "WEB",
      "url": "https://github.com/quartz-scheduler/quartz/issues/467"
    },
    {
      "type": "WEB",
      "url": "https://github.com/quartz-scheduler/quartz/pull/501"
    },
    {
      "type": "WEB",
      "url": "https://github.com/quartz-scheduler/quartz/commit/13c1d45aa1db15d0fa0e4997139c99ba219be551"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a@%3Ccommits.tomee.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf%40%3Ccommits.tomee.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf@%3Ccommits.tomee.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa%40%3Ccommits.tomee.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa@%3Ccommits.tomee.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20221028-0002"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGQUARTZSCHEDULER-461170"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a%40%3Ccommits.tomee.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf@%3Ccommits.tomee.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf%40%3Ccommits.tomee.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629@%3Cdev.tomee.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629%40%3Cdev.tomee.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949@%3Cdev.tomee.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949%40%3Cdev.tomee.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3@%3Cdev.tomee.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3%40%3Cdev.tomee.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82@%3Cdev.tomee.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3E"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/quartz-scheduler/quartz"
    },
    {
      "type": "WEB",
      "url": "https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XML external entity injection in Terracotta Quartz Scheduler"
}

GSD-2019-13990

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.

Aliases

CVE-2019-13990

Aliases

CVE-2019-13990

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-13990",
    "description": "initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.",
    "id": "GSD-2019-13990",
    "references": [
      "https://www.suse.com/security/cve/CVE-2019-13990.html",
      "https://access.redhat.com/errata/RHSA-2020:5568",
      "https://access.redhat.com/errata/RHSA-2020:3247",
      "https://access.redhat.com/errata/RHSA-2020:3197",
      "https://access.redhat.com/errata/RHSA-2020:3196",
      "https://advisories.mageia.org/CVE-2019-13990.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2019-13990"
      ],
      "details": "initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.",
      "id": "GSD-2019-13990",
      "modified": "2023-12-13T01:23:41.093123Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2019-13990",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "[tomee-dev] 20190830 Re: Quartz CVE-2019-13990",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629@%3Cdev.tomee.apache.org%3E"
          },
          {
            "name": "[tomee-dev] 20190830 Quartz CVE-2019-13990",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3@%3Cdev.tomee.apache.org%3E"
          },
          {
            "name": "[tomee-dev] 20190908 Re: Quartz CVE-2019-13990",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949@%3Cdev.tomee.apache.org%3E"
          },
          {
            "name": "[tomee-commits] 20190908 svn commit: r1866633 - /tomee/deps/trunk/quartz-openejb-shade/pom.xml",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf@%3Ccommits.tomee.apache.org%3E"
          },
          {
            "name": "[tomee-dev] 20190923 Re: [VOTE] Release quartz-openejb-shade 2.2.4",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82@%3Cdev.tomee.apache.org%3E"
          },
          {
            "name": "https://www.oracle.com/security-alerts/cpuapr2020.html",
            "refsource": "MISC",
            "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
          },
          {
            "name": "https://www.oracle.com/security-alerts/cpujul2020.html",
            "refsource": "MISC",
            "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
          },
          {
            "name": "https://github.com/quartz-scheduler/quartz/issues/467",
            "refsource": "MISC",
            "url": "https://github.com/quartz-scheduler/quartz/issues/467"
          },
          {
            "name": "[tomee-commits] 20200720 [jira] [Created] (TOMEE-2886) Update quartz-scheduler to mitigate CVE-2019-13990",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa@%3Ccommits.tomee.apache.org%3E"
          },
          {
            "name": "[tomee-commits] 20200720 [jira] [Commented] (TOMEE-2886) Update quartz-scheduler to mitigate CVE-2019-13990",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf@%3Ccommits.tomee.apache.org%3E"
          },
          {
            "name": "[tomee-commits] 20200720 [jira] [Assigned] (TOMEE-2886) Update quartz-scheduler to mitigate CVE-2019-13990",
            "refsource": "MLIST",
            "url": "https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a@%3Ccommits.tomee.apache.org%3E"
          },
          {
            "name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
            "refsource": "MISC",
            "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
          },
          {
            "name": "https://www.oracle.com/security-alerts/cpujan2021.html",
            "refsource": "MISC",
            "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
          },
          {
            "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
            "refsource": "MISC",
            "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
          },
          {
            "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
            "refsource": "MISC",
            "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20221028-0002/",
            "refsource": "CONFIRM",
            "url": "https://security.netapp.com/advisory/ntap-20221028-0002/"
          },
          {
            "name": "https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html",
            "refsource": "MISC",
            "url": "https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,2.3.1]",
          "affected_versions": "All versions up to 2.3.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-611",
            "CWE-937"
          ],
          "date": "2019-09-23",
          "description": "`initDocumentParser` in `xml/XMLSchedulingDataProcessor.java` in Terracotta Quartz Scheduler allows XXE attacks via a job description.",
          "fixed_versions": [
            "2.3.2"
          ],
          "identifier": "CVE-2019-13990",
          "identifiers": [
            "CVE-2019-13990"
          ],
          "not_impacted": "All versions after 2.3.1",
          "package_slug": "maven/org.quartz-scheduler/quartz",
          "pubdate": "2019-07-26",
          "solution": "Upgrade to version 2.3.2 or above.",
          "title": "Improper Restriction of XML External Entity Reference",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-13990"
          ],
          "uuid": "5c10fe2a-2eec-4363-97c2-deae03278d85"
        }
      ]
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:softwareag:quartz:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "45E3B3FD-2210-4419-86E7-0365320383F7",
                    "versionEndExcluding": "2.3.2",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:oracle:apache_batik_mapviewer:12.2.0.1:*:*:*:*:*:*:*",
                    "matchCriteriaId": "03B8033B-C2A4-47A2-88F0-ED2BF8962518",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:apache_batik_mapviewer:18c:*:*:*:*:*:*:*",
                    "matchCriteriaId": "4B1124B6-CECC-4D4D-A8D5-F05928A545AB",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:apache_batik_mapviewer:19c:*:*:*:*:*:*:*",
                    "matchCriteriaId": "3BE19D2D-0789-4925-BC87-DC3A4C063FBF",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:banking_enterprise_originations:2.7.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "7AB8ABFD-C72C-4CBB-8872-9440A19154D6",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:banking_enterprise_originations:2.8.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "3054FEBB-484B-4927-9D1C-2024772E8B3D",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:banking_enterprise_product_manufacturing:2.7.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "5AED3C78-7D65-4F02-820D-B51BCE4022F9",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:banking_enterprise_product_manufacturing:2.8.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "557A23A1-4762-4D29-A478-D1670C1847D3",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:banking_payments:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "2FF46C9A-7768-4E52-A676-BEA6AE766AD4",
                    "versionEndIncluding": "14.4.0",
                    "versionStartIncluding": "14.1.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:communications_ip_service_activator:7.3.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "DE48E0FE-5931-441C-B4FF-253BD9C48186",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:communications_ip_service_activator:7.4.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "DE7A60DB-A287-4E61-8131-B6314007191B",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "11B0C37E-D7C7-45F2-A8D8-5A3B1B191430",
                    "versionEndIncluding": "8.2.2",
                    "versionStartIncluding": "8.2.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "727DF4F5-3D21-491E-96B9-EC973A6C9C18",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:documaker:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "135D531C-A692-4BE3-AB8C-37BB0D35559A",
                    "versionEndIncluding": "12.6.4",
                    "versionStartIncluding": "12.6.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.1.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "66916DEB-ACE1-44E0-9535-10B3E03347AC",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "B095CC03-7077-4A58-AB25-CC5380CDCE5A",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:flexcube_investor_servicing:12.1.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "21BE77B2-6368-470E-B9E6-21664D9A818A",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:flexcube_investor_servicing:12.3.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "3250073F-325A-4AFC-892F-F2005E3854A5",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:flexcube_investor_servicing:12.4.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "0DDDC9C2-33D6-4123-9ABC-C9B809A6E88E",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:flexcube_investor_servicing:14.1.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "A69266D2-72D0-4A6C-883D-2597FE30931B",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:flexcube_investor_servicing:14.4.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "524429D6-8AF1-4713-A9B8-678B50A3762F",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "6762F207-93C7-4363-B2F9-7A7C6F8AF993",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "1B74B912-152D-4F38-9FC1-741D6D0B27FC",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "06E586B3-3434-4B08-8BE3-16C528642CA5",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:google_guava_mapviewer:12.2.0.1:*:*:*:*:*:*:*",
                    "matchCriteriaId": "0CCA59D2-2853-44F3-9C5C-CC59B49A6B69",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:google_guava_mapviewer:18c:*:*:*:*:*:*:*",
                    "matchCriteriaId": "779EB0EC-2905-48BC-B375-E6E78B26A169",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:google_guava_mapviewer:19c:*:*:*:*:*:*:*",
                    "matchCriteriaId": "E19C4DBE-2889-4C13-A0E9-30D0CD1BF714",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4:*:*:*:*:*:*:*",
                    "matchCriteriaId": "DED59B62-C9BF-4C0E-B351-3884E8441655",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "B2A0A4A6-70D3-418B-80EA-04718C50C500",
                    "versionEndIncluding": "9.2.5.3",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "08FA59A8-6A62-4B33-8952-D6E658F8DAC9",
                    "versionEndIncluding": "17.12",
                    "versionStartIncluding": "17.7",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*",
                    "matchCriteriaId": "D55A54FD-7DD1-49CD-BE81-0BE73990943C",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*",
                    "matchCriteriaId": "82EB08C0-2D46-4635-88DF-E54F6452D3A3",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*",
                    "matchCriteriaId": "202AD518-2E9B-4062-B063-9858AE1F9CE2",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*",
                    "matchCriteriaId": "F0735989-13BD-40B3-B954-AC0529C5B53D",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*",
                    "matchCriteriaId": "58405263-E84C-4071-BB23-165D49034A00",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:retail_integration_bus:15.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "42064F46-3012-4FB1-89BA-F13C2E4CBB6B",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "F73E2EFA-0F43-4D92-8C7D-9E66811B76D6",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "EE8CF045-09BB-4069-BCEC-496D5AE3B780",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "38E74E68-7F19-4EF3-AC00-3C249EAAA39E",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:retail_order_broker:18.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "0783F0D1-8FAC-4BCA-A6F5-C5C60E86D56D",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:retail_order_broker:19.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "BFB0BB58-04D3-409D-AECC-9633782F0E75",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*",
                    "matchCriteriaId": "E13DF2AE-F315-4085-9172-6C8B21AF1C9E",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*",
                    "matchCriteriaId": "BDB925C6-2CBC-4D88-B9EA-F246F4F7A206",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "11DA6839-849D-4CEF-85F3-38FE75E07183",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "BCE78490-A4BE-40BD-8C72-0A4526BBD4A4",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "55AE3629-4A66-49E4-A33D-6D81CC94962F",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "4CB39A1A-AD29-45DD-9EB5-5E2053A01B9A",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "27C26705-6D1F-4D5E-B64D-B479108154FF",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:terracotta_quartz_scheduler_mapviewer:12.2.0.1:*:*:*:*:*:*:*",
                    "matchCriteriaId": "7E75624C-68FA-465C-86B3-BCFB649C4782",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:terracotta_quartz_scheduler_mapviewer:18c:*:*:*:*:*:*:*",
                    "matchCriteriaId": "6B7DF2FA-F290-40F7-ABD1-AB50EEBC83B5",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:terracotta_quartz_scheduler_mapviewer:19c:*:*:*:*:*:*:*",
                    "matchCriteriaId": "E4D4E5C1-D4A6-464D-9DF3-A9DDD1912FBB",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "D551CAB1-4312-44AA-BDA8-A030817E153A",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "174A6D2E-E42E-4C92-A194-C6A820CD7EF4",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:apache:tomee:7.1.3:*:*:*:*:*:*:*",
                    "matchCriteriaId": "E74771B8-99DA-434F-ADCF-258838674E18",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*",
                    "matchCriteriaId": "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*",
                    "matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*",
                    "matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "F0F202E8-97E6-4BBB-A0B6-4CA3F5803C08",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.0:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "E70C8416-E4F6-44BC-BDF9-BB1BAE7E185F",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.0:*:*:*:server:*:*:*",
                    "matchCriteriaId": "1363F683-E350-4639-A973-A82BDD83A3A1",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.1:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "7BAB5016-8439-4E01-8911-8B472EF38E13",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.1:*:*:*:server:*:*:*",
                    "matchCriteriaId": "F8EF8DCE-7266-49B1-AE2E-96079A2AD6E7",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.2:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "029B8E7F-65EF-4984-A27B-8198D8EB18DB",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.2:*:*:*:server:*:*:*",
                    "matchCriteriaId": "55C7B96B-2A2F-47F9-BBBD-0E25F8AF8F02",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.3:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "160B6A9E-41DC-4999-B3CC-A16B3A16D2A4",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.3:*:*:*:server:*:*:*",
                    "matchCriteriaId": "FC59154D-036C-4F22-B5F1-891527A3EC6B",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.4:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "6AD2CA00-9D6C-4DAC-90E6-BE1D93555C11",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.4:*:*:*:server:*:*:*",
                    "matchCriteriaId": "2FDF2DF4-B0EE-4179-AF98-B21EBB2E1D6F",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.5:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "AF85E227-F167-4CCB-A039-D96CC080B032",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.5:*:*:*:server:*:*:*",
                    "matchCriteriaId": "EDA3B2B5-C9EA-4D26-AEF4-F86792FB9ADC",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.6:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "93DDAE6E-DB31-429A-B4EB-955E080A4545",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.6:*:*:*:server:*:*:*",
                    "matchCriteriaId": "DF994E6C-6262-4230-BBC6-E464EBC1B0F9",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.7:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "25DA87CA-362C-4558-AA42-265DA1F8C26D",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.7:*:*:*:server:*:*:*",
                    "matchCriteriaId": "EF410408-CD38-408A-97C4-1103EF8AF68D",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.8:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "037D6CB0-959B-468E-87DD-8B1110A14ED0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.8:*:*:*:server:*:*:*",
                    "matchCriteriaId": "1B885DB6-2DEA-4EB4-97BC-2BF30BC45544",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.9:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "C83E3571-CD54-40A2-AAC0-20F67954642B",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.9:*:*:*:server:*:*:*",
                    "matchCriteriaId": "B69320FF-4E93-475C-B995-85CF1A03DBDA",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.10:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "FD430022-C74D-4340-88F9-21AB69485966",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.10:*:*:*:server:*:*:*",
                    "matchCriteriaId": "549E2860-25D9-468C-891D-AD9BEADA08B3",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.11:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "5C03D422-521C-48B2-B293-247232D1ED3C",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.11:*:*:*:server:*:*:*",
                    "matchCriteriaId": "2B0DBCC1-2D1F-4DB3-A693-DA0FA18B9A5E",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.12:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "34515441-AE13-4492-A08E-6521D840F689",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.12:*:*:*:server:*:*:*",
                    "matchCriteriaId": "6FABE527-FED5-4BA3-ABF0-C89AD1228ED2",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.13:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "6BE5E85B-7725-4DB9-8357-9097F777705D",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.13:*:*:*:server:*:*:*",
                    "matchCriteriaId": "910A2B29-3502-499B-892F-F6AD473CA6F6",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.14:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "2BAB1FDD-C213-48CB-B28B-802F0D1278A7",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.14:*:*:*:server:*:*:*",
                    "matchCriteriaId": "59D09ED0-E31D-4C6B-A217-A3C58C209782",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.15:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "746CCD4F-5411-4249-8A71-A47AD598498A",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.15:*:*:*:server:*:*:*",
                    "matchCriteriaId": "A055705E-4F63-4EB9-BABC-8888041D1E1F",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.16:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "AFA32156-893E-44A7-9F18-73586F2E21AB",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.16:*:*:*:server:*:*:*",
                    "matchCriteriaId": "631D10DC-9F03-4BEE-98DD-0759746825A2",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.17:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "AFAC053F-3A53-4AD8-9393-49A837A38A8C",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.17:*:*:*:server:*:*:*",
                    "matchCriteriaId": "FE355EB5-A0C4-471C-8E47-1898746D89C6",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.18:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "CC230B1E-AA5E-4E76-92E5-41130C56DD34",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.18:*:*:*:server:*:*:*",
                    "matchCriteriaId": "B764FD56-DBFF-46EE-9108-CF88591DC7A2",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.19:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "3F369AD5-25DB-43E4-ADB5-22A774FC6F91",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.19:*:*:*:server:*:*:*",
                    "matchCriteriaId": "454804E1-9C4C-41AA-ACB4-0150BB39669C",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.20:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "79A73328-B3BF-4682-9B60-12A4039F9D1E",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.20:*:*:*:server:*:*:*",
                    "matchCriteriaId": "2A75238E-A82C-4BE9-8300-2BE8B40C31CD",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.21:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "1E7B8908-7F72-495B-B562-81E789643A60",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.21:*:*:*:server:*:*:*",
                    "matchCriteriaId": "55A04426-7D52-4F90-9623-109F201223AC",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.22:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "2CC10DC7-1B0B-41E6-B903-DC7E59F68517",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.22:*:*:*:server:*:*:*",
                    "matchCriteriaId": "E7A19BC6-3F2B-4248-8255-BBA729F941C7",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.23:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "DC4936AD-0B95-4687-B0A8-290E76D3ED7C",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.23:*:*:*:server:*:*:*",
                    "matchCriteriaId": "33A3BC88-F6CC-4CDD-8842-2DC5C4706AC3",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.24:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "AE05DF9B-2F49-45E9-AB47-A5FA18B6847E",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.24:*:*:*:server:*:*:*",
                    "matchCriteriaId": "29F7D306-FC7F-4748-BC1D-6280654B8409",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.25:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "C82EA42D-1583-4B6D-840E-69B804BD2902",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.20.25:*:*:*:server:*:*:*",
                    "matchCriteriaId": "22D1EEB6-D4D1-46FC-BB60-CF33EE970E43",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.21.0:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "F1992CBB-135C-4CD7-8D9B-037EEE0530BA",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.21.0:*:*:*:server:*:*:*",
                    "matchCriteriaId": "D8232A74-B1DA-48DD-9DF1-4D04F6091BE3",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.21.1:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "F81B63AA-1086-448A-8D60-F5CF41BB1226",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.21.1:*:*:*:server:*:*:*",
                    "matchCriteriaId": "2B8BBC24-532A-46AB-9D7D-241C43082E95",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.22.0:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "F629DC1E-E044-4D84-8D60-B4E6C139EE98",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.22.0:*:*:*:server:*:*:*",
                    "matchCriteriaId": "4BDBC59C-C5C7-4848-8CCA-D4DF0354BFCA",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.22.1:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "D2E75D91-EC8E-4BAC-B989-403120F84BAC",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.22.1:*:*:*:server:*:*:*",
                    "matchCriteriaId": "FEA2A29A-D2AA-4688-888D-02923EEBFF4A",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.22.2:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "93EEA37B-7E96-455D-9131-2CDB77889080",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.22.2:*:*:*:server:*:*:*",
                    "matchCriteriaId": "71D2DC08-B93D-474B-9332-793A47E0A792",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.22.3:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "9263586C-D6A5-48F4-8F36-F672377AAFAD",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.22.3:*:*:*:server:*:*:*",
                    "matchCriteriaId": "01F142BF-C557-4D27-A263-0A77D3FBAA27",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.22.4:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "BC250698-AA6D-46FC-923D-9A3EB0742697",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.22.4:*:*:*:server:*:*:*",
                    "matchCriteriaId": "755B605C-E032-435B-90C3-FEB1EEBD43E7",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.22.6:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "728DE946-60C8-433A-807B-45720C668B37",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:4.22.6:*:*:*:server:*:*:*",
                    "matchCriteriaId": "F24C4029-A2D5-4B95-AE2B-10B035B28420",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.0.0:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "52672DE1-9B0D-4689-93AD-FF4B8A59E5EC",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.0.0:*:*:*:server:*:*:*",
                    "matchCriteriaId": "D802B4FE-F56F-46C4-A84B-EB89931EC16E",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.1.0:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "17E30F04-14EF-4F4D-8124-D0DD04E9EDF9",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.1.0:*:*:*:server:*:*:*",
                    "matchCriteriaId": "538503C1-F947-4BCF-836F-A609A601E064",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.1.1:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "07105957-FEBE-4E02-88FB-A8DDAE67E8A9",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.1.1:*:*:*:server:*:*:*",
                    "matchCriteriaId": "E40B10B9-F8C3-4279-A9AC-2E25AEF46D7A",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.2.0:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "C7D685CD-9CAD-42B5-B721-26203854F396",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.2.0:*:*:*:server:*:*:*",
                    "matchCriteriaId": "269B2F72-56A3-4750-8665-7DE03DAE3DAA",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.2.1:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "C600291E-2EDC-4F61-9FC1-C2C34C20EA4C",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.2.1:*:*:*:server:*:*:*",
                    "matchCriteriaId": "C8D33E70-8A27-46A2-BB14-87181F8DA0F3",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.3.0:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "F09CAEB7-4C1F-4B5B-9921-6DD06FF9EB9D",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.3.0:*:*:*:server:*:*:*",
                    "matchCriteriaId": "7E9F4E2A-E450-496C-B3E8-B0817BAD8817",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.3.1:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "964CB4B7-1502-4E92-B7D2-D864C13E338B",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.3.1:*:*:*:server:*:*:*",
                    "matchCriteriaId": "A9EFBC53-7C0B-408E-A745-0C83E9E38DAD",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.3.2:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "18A70517-84A8-4866-9FE8-06D0608391E4",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.3.2:*:*:*:server:*:*:*",
                    "matchCriteriaId": "E504A879-B312-4E8F-ADF9-8C1623B023AE",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.3.3:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "9EE1449F-6F38-4677-9DB9-AF2D9A7C2AE2",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.3.3:*:*:*:server:*:*:*",
                    "matchCriteriaId": "2BC5B994-25C4-4C00-8871-F3664878C83B",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.0:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "4484C6ED-659F-47F5-BFE2-7E9794FA51C3",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.0:*:*:*:server:*:*:*",
                    "matchCriteriaId": "F4449121-125E-49D9-BF3E-2A6EA169B796",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.1:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "C940817F-B265-4F42-AE19-DA2B49AC1D53",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.1:*:*:*:server:*:*:*",
                    "matchCriteriaId": "099869F1-BC95-4828-A0F5-9BBADDC3F6F3",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.2:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "601B5811-B1B8-4FF0-984B-62F07366615A",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.2:*:*:*:server:*:*:*",
                    "matchCriteriaId": "0D82DFCD-964E-406E-8329-E31A76FCFC64",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.3:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "ED8B7E12-9139-4BCB-9A5A-C8B23A6F8628",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.3:*:*:*:server:*:*:*",
                    "matchCriteriaId": "08F237B7-4C22-4A35-BC82-6B6E892B7EB3",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.4:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "0EC83F47-180C-481B-88A8-0E3C6654774C",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.4:*:*:*:server:*:*:*",
                    "matchCriteriaId": "2A3EA15F-DEBB-44A2-8CEA-B137AE8089CA",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.5:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "428B70AC-35A2-4D4F-9670-43B601426DD3",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.5:*:*:*:server:*:*:*",
                    "matchCriteriaId": "6314E670-88E8-4B09-9AF4-95E669A68A5A",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.6:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "4486E929-E1A8-4731-BE7E-A8BCCE594ADA",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.6:*:*:*:server:*:*:*",
                    "matchCriteriaId": "D24437F8-2B3A-4A0D-8C6C-A8B9E90457DB",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.7:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "06843035-CE98-48C8-BCB1-02976D233077",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.7:*:*:*:server:*:*:*",
                    "matchCriteriaId": "B98060AC-32A2-4F5A-A490-3E23F883D5A7",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.8:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "9681965F-AD13-420C-8845-A544520042DF",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.8:*:*:*:server:*:*:*",
                    "matchCriteriaId": "C9D2A5F2-F91C-4DA3-9EB6-441D17A6AB9F",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.9:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "6F3F93E1-8BB2-40BD-B4A9-D4136B742F82",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.4.9:*:*:*:server:*:*:*",
                    "matchCriteriaId": "549B3ADB-BAEF-4E45-856C-4B07F9FBB12A",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.5.1:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "941AD6CA-3F4E-43E5-AA68-95AB7C84F297",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.5.1:*:*:*:server:*:*:*",
                    "matchCriteriaId": "4630E46A-817F-4238-989F-93C633A10058",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.6.0:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "25D8E4A5-2AB6-42D4-B6D4-54484149BE75",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.6.0:*:*:*:server:*:*:*",
                    "matchCriteriaId": "9BA9FF1F-8F8C-47DD-9E7B-8B48FB453A83",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.7.0:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "D28343BD-5440-425E-AFEB-FC79EFB3C531",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.7.0:*:*:*:server:*:*:*",
                    "matchCriteriaId": "F29E98F7-4768-48C8-9D1C-448006DF0FFE",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.7.1:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "E8B3B4C6-4E76-4184-BE92-A6EF2B4CB8D2",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.7.1:*:*:*:server:*:*:*",
                    "matchCriteriaId": "1320F61E-A562-438E-A19D-90C816920B63",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.8.0:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "35D28C45-8C74-4131-A2C5-1F1CE009BDED",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.8.0:*:*:*:server:*:*:*",
                    "matchCriteriaId": "64D7B52D-46CA-4769-9631-9E3E45927003",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.8.1:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "027F98AD-B508-4079-A1BD-EFDBDBA78331",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.8.1:*:*:*:server:*:*:*",
                    "matchCriteriaId": "D80A8C83-C8B1-4ADF-B45B-550E6BA45AEF",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.9.0:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "54EB831D-3D4C-4807-AF42-DFF7D9176773",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.9.0:*:*:*:server:*:*:*",
                    "matchCriteriaId": "031A34D6-C522-4301-BE02-83D3BADC8C7E",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.10.0:*:*:*:data_center:*:*:*",
                    "matchCriteriaId": "109D37D3-3FC7-4443-974A-7D668ABE97D9",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:atlassian:jira_service_management:5.10.0:*:*:*:server:*:*:*",
                    "matchCriteriaId": "30D20E35-0BAC-4D43-A619-10B6A4572CBB",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description."
          },
          {
            "lang": "es",
            "value": "La funci\u00f3n initDocumentParser en el archivo xml/XMLSchedulingDataProcessor.java en Quartz Scheduler de Terracotta hasta la versi\u00f3n 2.3.0, permite ataques de tipo XXE por medio de una descripci\u00f3n del trabajo."
          }
        ],
        "id": "CVE-2019-13990",
        "lastModified": "2023-12-22T16:35:35.523",
        "metrics": {
          "cvssMetricV2": [
            {
              "acInsufInfo": false,
              "baseSeverity": "HIGH",
              "cvssData": {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "availabilityImpact": "PARTIAL",
                "baseScore": 7.5,
                "confidentialityImpact": "PARTIAL",
                "integrityImpact": "PARTIAL",
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
                "version": "2.0"
              },
              "exploitabilityScore": 10.0,
              "impactScore": 6.4,
              "obtainAllPrivilege": false,
              "obtainOtherPrivilege": false,
              "obtainUserPrivilege": false,
              "source": "nvd@nist.gov",
              "type": "Primary",
              "userInteractionRequired": false
            }
          ],
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 5.9,
              "source": "nvd@nist.gov",
              "type": "Primary"
            }
          ]
        },
        "published": "2019-07-26T19:15:11.730",
        "references": [
          {
            "source": "cve@mitre.org",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Issue Tracking",
              "Third Party Advisory"
            ],
            "url": "https://github.com/quartz-scheduler/quartz/issues/467"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3E"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Issue Tracking"
            ],
            "url": "https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3%40%3Cdev.tomee.apache.org%3E"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Issue Tracking"
            ],
            "url": "https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949%40%3Cdev.tomee.apache.org%3E"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Issue Tracking"
            ],
            "url": "https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629%40%3Cdev.tomee.apache.org%3E"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Patch"
            ],
            "url": "https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf%40%3Ccommits.tomee.apache.org%3E"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Patch"
            ],
            "url": "https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a%40%3Ccommits.tomee.apache.org%3E"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Issue Tracking"
            ],
            "url": "https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf%40%3Ccommits.tomee.apache.org%3E"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Issue Tracking"
            ],
            "url": "https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa%40%3Ccommits.tomee.apache.org%3E"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20221028-0002/"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
          }
        ],
        "sourceIdentifier": "cve@mitre.org",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-611"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

RHSA-2020:3196

Vulnerability from csaf_redhat - Published: 2020-07-29 06:06 - Updated: 2026-05-14 22:25

Summary

Red Hat Security Advisory: Red Hat Decision Manager 7.8.0 Security Update

Severity

Important

Notes

Topic: An update is now available for Red Hat Decision Manager. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details: Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation (DMN) execution, and Business Optimizer for solving planning problems. It automates business decisions and makes that logic available to the entire business. This release of Red Hat Decision Manager 7.8.0 serves as an update to Red Hat Decision Manager 7.7.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * netty: HTTP request smuggling (CVE-2019-20444) * netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869) * netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238) * netty: HTTP/2: flood using empty frames results in excessive resource consumption (CVE-2019-9518) * netty: HTTP/2: flood using HEADERS frames results in unbounded memory growth (CVE-2019-9514) * netty: HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512) * netty: HTTP/2: flood using SETTINGS frames results in unbounded memory growth (CVE-2019-9515) * netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header (CVE-2019-20445) * cxf-core: cxf: does not restrict the number of message attachments (CVE-2019-12406) * cxf-core: cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12423) * cxf-core: cxf: reflected XSS in the services listing page (CVE-2019-17573) * jackson-databind: lacks certain net.sf.ehcache blocking (CVE-2019-20330) * jackson-databind: Lacks certain xbean-reflect/JNDI blocking (CVE-2020-8840) * jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10672) * jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10673) * jackson-databind: Serialization gadgets in anteros-core (CVE-2020-9548) * jackson-databind: Serialization gadgets in commons-jelly:commons-jelly (CVE-2020-11620) * jackson-databind: Serialization gadgets in ibatis-sqlmap (CVE-2020-9547) * jackson-databind: Serialization gadgets in javax.swing.JEditorPane (CVE-2020-10969) * jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider.*.RmiProvider (CVE-2020-10968) * jackson-databind: Serialization gadgets in org.apache.activemq.jms.pool.XaPooledConnectionFactory (CVE-2020-11111) * jackson-databind: Serialization gadgets in org.apache.commons.proxy.provider.remoting.RmiProvider (CVE-2020-11112) * jackson-databind: Serialization gadgets in org.apache.openjpa.ee.WASRegistryManagedRuntime (CVE-2020-11113) * jackson-databind: Serialization gadgets in org.springframework:spring-aop (CVE-2020-11619) * jackson-databind: Serialization gadgets in shaded-hikari-config (CVE-2020-9546) * jackson-databind: serialization in oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (CVE-2020-14060) * jackson-databind: serialization in weblogic/oracle-aqjms (CVE-2020-14061) * jackson-databind: serialization in com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (CVE-2020-14062) * netty: compression/decompression codecs don't enforce limits on buffer allocation sizes (CVE-2020-11612) * quartz: libquartz: XXE attacks via job description (CVE-2019-13990) * keycloak: security issue on reset credential flow (CVE-2020-1718) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2019-9512

A flaw was found in HTTP/2. Using PING frames and queuing of response PING ACK frames, a flood attack could occur resulting in unbounded memory growth. The highest threat from this vulnerability is to system availability.

7.5 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix

Threats

Impact Important

CVE-2019-9514

A flaw was found in HTTP/2. Using HEADER frames with invalid HTTP headers and queuing of response RST_STREAM frames, an attacker could cause a flood resulting in unbounded memory growth. The highest threat from this vulnerability is to system availability.

7.5 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix

Threats

Impact Important

CVE-2019-9515

A flaw was found in HTTP/2. Using SETTINGS frames and queuing of SETTINGS ACK frames, a flood could occur resulting in unbounded memory growth. The highest threat from this vulnerability is to system availability.

7.5 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix

Threats

Impact Important

CVE-2019-9518

A flaw was found in HTTP/2. Using frames with an empty payload, a flood could occur that results in excessive CPU usage and starvation of other clients. The highest threat from this vulnerability is to system availability.

7.5 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix

Threats

Impact Important

CVE-2019-12406

Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property "attachment-max-count".

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix

Threats

Impact Moderate

CVE-2019-12423

Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) by specifing the path of the keystore and the alias of the keystore entry. This case is not vulnerable. However it is also possible to obtain the keys from a JWK keystore file, by setting the configuration parameter "rs.security.keystore.type" to "jwk". For this case all keys are returned in this file "as is", including all private key and secret key credentials. This is an obvious security risk if the user has configured the signature keystore file with private or secret key credentials. From CXF 3.3.5 and 3.2.12, it is mandatory to specify an alias corresponding to the id of the key in the JWK file, and only this key is returned. In addition, any private key information is omitted by default. "oct" keys, which contain secret keys, are not returned at all.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-522 - Insufficiently Protected Credentials

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix

Threats

Impact Moderate

CVE-2019-13990

The Terracotta Quartz Scheduler is susceptible to an XML external entity attack (XXE) through a job description. This issue stems from inadequate handling of XML external entity (XXE) declarations in the initDocumentParser function within xml/XMLSchedulingDataProcessor.java. By enticing a victim to access a maliciously crafted job description (containing XML content), a remote attacker could exploit this vulnerability to execute an XXE attack on the targeted system.

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-611 - Improper Restriction of XML External Entity Reference

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix

Threats

Impact Moderate

CVE-2019-16869

A flaw was found in Netty, where whitespace before the colon in HTTP headers is mishandled. This flaw allows an attacker to cause HTTP request smuggling.

7.5 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2019-17573

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject javascript into the web page. Please note that the attack exploits a feature which is not typically not present in modern browsers, who remove dot segments before sending the request. However, Mobile applications may be vulnerable.

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2019-20330

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2019-20444

A HTTP smuggling flaw was found in HttpObjectDecoder.java in Netty in versions prior to version 4.1.44. HTTP headers with an invalid fold, in this case CRLF (carriage return, line feed) without being followed by SP (space) or HTAB (horizontal tab), result in situations where headers can be misread. Data integrity is the highest threat with this vulnerability.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2019-20445

A flaw was found in Netty before version 4.1.44, where it accepted multiple Content-Length headers and also accepted both Transfer-Encoding, as well as Content-Length headers where it should reject the message under such circumstances. In circumstances where Netty is used in the context of a server, it could result in a viable HTTP smuggling vulnerability.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2020-1718

A flaw was found in the reset credential flow in Keycloak. This flaw allows an attacker to gain unauthorized access to the application.

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-287 - Improper Authentication

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Low

CVE-2020-7238

A flaw was found in Netty, where it mishandles Transfer-Encoding whitespace. This flaw allows HTTP Request Smuggling.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2020-8840

A flaw was found in FasterXML jackson-databind in versions 2.0.0 through 2.9.10.2. A "gadget" exploit is possible due to a lack of a Java object being blocking from being deserialized. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix

Threats

Impact Moderate

CVE-2020-9546

A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.4. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix

Threats

Impact Moderate

CVE-2020-9547

A flaw was found in jackson-databind 2.x. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix

Threats

Impact Moderate

CVE-2020-9548

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix

Threats

Impact Moderate

CVE-2020-10672

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-96 - Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix

Threats

Impact Moderate

CVE-2020-10673

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-96 - Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix

Threats

Impact Moderate

CVE-2020-10968

A flaw was found in jackson-databind 2.x prior to version 2.9.10.4. The interaction between serialization gadgets and typing is mishandled in the bus-proxy. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2020-10969

A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.4. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality.

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2020-11111

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2020-11112

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2020-11113

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-96 - Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2020-11612

A flaw was found in Netty in the way it handles the amount of data it compresses and decompresses. The Compression/Decompression codecs should enforce memory allocation size limits to avoid an Out of Memory Error (OOME) or exhaustion of the memory pool.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix

Threats

Impact Moderate

CVE-2020-11619

A flaw was found in jackson-databind 2.x. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2020-11620

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2020-14060

A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.5. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2020-14061

A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.5. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2020-14062

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Decision Manager 7 Red Hat / Red Hat Decision Manager	`cpe:/a:redhat:jboss_enterprise_brms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

References

170 references

URL	Category
https://access.redhat.com/errata/RHSA-2020:3196	self
https://access.redhat.com/security/updates/classi…	external
https://access.redhat.com/jbossnetwork/restricted…	external
https://access.redhat.com/documentation/en-us/red…	external
https://bugzilla.redhat.com/show_bug.cgi?id=1735645	external
https://bugzilla.redhat.com/show_bug.cgi?id=1735744	external
https://bugzilla.redhat.com/show_bug.cgi?id=1735745	external
https://bugzilla.redhat.com/show_bug.cgi?id=1735749	external
https://bugzilla.redhat.com/show_bug.cgi?id=1758619	external
https://bugzilla.redhat.com/show_bug.cgi?id=1793154	external
https://bugzilla.redhat.com/show_bug.cgi?id=1796225	external
https://bugzilla.redhat.com/show_bug.cgi?id=1796756	external
https://bugzilla.redhat.com/show_bug.cgi?id=1797006	external
https://bugzilla.redhat.com/show_bug.cgi?id=1797011	external
https://bugzilla.redhat.com/show_bug.cgi?id=1798509	external
https://bugzilla.redhat.com/show_bug.cgi?id=1798524	external
https://bugzilla.redhat.com/show_bug.cgi?id=1801149	external
https://bugzilla.redhat.com/show_bug.cgi?id=1815470	external
https://bugzilla.redhat.com/show_bug.cgi?id=1815495	external
https://bugzilla.redhat.com/show_bug.cgi?id=1816170	external
https://bugzilla.redhat.com/show_bug.cgi?id=1816216	external
https://bugzilla.redhat.com/show_bug.cgi?id=1816330	external
https://bugzilla.redhat.com/show_bug.cgi?id=1816332	external
https://bugzilla.redhat.com/show_bug.cgi?id=1816337	external
https://bugzilla.redhat.com/show_bug.cgi?id=1816340	external
https://bugzilla.redhat.com/show_bug.cgi?id=1819208	external
https://bugzilla.redhat.com/show_bug.cgi?id=1819212	external
https://bugzilla.redhat.com/show_bug.cgi?id=1821304	external
https://bugzilla.redhat.com/show_bug.cgi?id=1821311	external
https://bugzilla.redhat.com/show_bug.cgi?id=1821315	external
https://bugzilla.redhat.com/show_bug.cgi?id=1826798	external
https://bugzilla.redhat.com/show_bug.cgi?id=1826805	external
https://bugzilla.redhat.com/show_bug.cgi?id=1848960	external
https://bugzilla.redhat.com/show_bug.cgi?id=1848962	external
https://bugzilla.redhat.com/show_bug.cgi?id=1848966	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2019-9512	self
https://bugzilla.redhat.com/show_bug.cgi?id=1735645	external
https://www.cve.org/CVERecord?id=CVE-2019-9512	external
https://nvd.nist.gov/vuln/detail/CVE-2019-9512	external
https://github.com/Netflix/security-bulletins/blo…	external
https://groups.google.com/forum/#!topic/golang-an…	external
https://groups.google.com/forum/#!topic/kubernete…	external
https://nodejs.org/en/blog/vulnerability/aug-2019…	external
https://www.mail-archive.com/grpc-io@googlegroups…	external
https://access.redhat.com/security/cve/CVE-2019-9514	self
https://bugzilla.redhat.com/show_bug.cgi?id=1735744	external
https://www.cve.org/CVERecord?id=CVE-2019-9514	external
https://nvd.nist.gov/vuln/detail/CVE-2019-9514	external
https://access.redhat.com/security/cve/CVE-2019-9515	self
https://bugzilla.redhat.com/show_bug.cgi?id=1735745	external
https://www.cve.org/CVERecord?id=CVE-2019-9515	external
https://nvd.nist.gov/vuln/detail/CVE-2019-9515	external
https://access.redhat.com/security/cve/CVE-2019-9518	self
https://bugzilla.redhat.com/show_bug.cgi?id=1735749	external
https://www.cve.org/CVERecord?id=CVE-2019-9518	external
https://nvd.nist.gov/vuln/detail/CVE-2019-9518	external
https://access.redhat.com/security/cve/CVE-2019-12406	self
https://bugzilla.redhat.com/show_bug.cgi?id=1816170	external
https://www.cve.org/CVERecord?id=CVE-2019-12406	external
https://nvd.nist.gov/vuln/detail/CVE-2019-12406	external
https://access.redhat.com/security/cve/CVE-2019-12423	self
https://bugzilla.redhat.com/show_bug.cgi?id=1797006	external
https://www.cve.org/CVERecord?id=CVE-2019-12423	external
https://nvd.nist.gov/vuln/detail/CVE-2019-12423	external
https://access.redhat.com/security/cve/CVE-2019-13990	self
https://bugzilla.redhat.com/show_bug.cgi?id=1801149	external
https://www.cve.org/CVERecord?id=CVE-2019-13990	external
https://nvd.nist.gov/vuln/detail/CVE-2019-13990	external
https://access.redhat.com/security/cve/CVE-2019-16869	self
https://bugzilla.redhat.com/show_bug.cgi?id=1758619	external
https://www.cve.org/CVERecord?id=CVE-2019-16869	external
https://nvd.nist.gov/vuln/detail/CVE-2019-16869	external
https://access.redhat.com/security/cve/CVE-2019-17573	self
https://bugzilla.redhat.com/show_bug.cgi?id=1797011	external
https://www.cve.org/CVERecord?id=CVE-2019-17573	external
https://nvd.nist.gov/vuln/detail/CVE-2019-17573	external
https://access.redhat.com/security/cve/CVE-2019-20330	self
https://bugzilla.redhat.com/show_bug.cgi?id=1793154	external
https://www.cve.org/CVERecord?id=CVE-2019-20330	external
https://nvd.nist.gov/vuln/detail/CVE-2019-20330	external
https://access.redhat.com/security/cve/CVE-2019-20444	self
https://bugzilla.redhat.com/show_bug.cgi?id=1798524	external
https://www.cve.org/CVERecord?id=CVE-2019-20444	external
https://nvd.nist.gov/vuln/detail/CVE-2019-20444	external
https://github.com/elastic/elasticsearch/issues/49396	external
https://access.redhat.com/security/cve/CVE-2019-20445	self
https://bugzilla.redhat.com/show_bug.cgi?id=1798509	external
https://www.cve.org/CVERecord?id=CVE-2019-20445	external
https://nvd.nist.gov/vuln/detail/CVE-2019-20445	external
https://access.redhat.com/security/cve/CVE-2020-1718	self
https://bugzilla.redhat.com/show_bug.cgi?id=1796756	external
https://www.cve.org/CVERecord?id=CVE-2020-1718	external
https://nvd.nist.gov/vuln/detail/CVE-2020-1718	external
https://access.redhat.com/security/cve/CVE-2020-7238	self
https://bugzilla.redhat.com/show_bug.cgi?id=1796225	external
https://www.cve.org/CVERecord?id=CVE-2020-7238	external
https://nvd.nist.gov/vuln/detail/CVE-2020-7238	external
https://netty.io/news/2019/12/18/4-1-44-Final.html	external
https://access.redhat.com/security/cve/CVE-2020-8840	self
https://bugzilla.redhat.com/show_bug.cgi?id=1816330	external
https://www.cve.org/CVERecord?id=CVE-2020-8840	external
https://nvd.nist.gov/vuln/detail/CVE-2020-8840	external
https://access.redhat.com/security/cve/CVE-2020-9546	self
https://bugzilla.redhat.com/show_bug.cgi?id=1816332	external
https://www.cve.org/CVERecord?id=CVE-2020-9546	external
https://nvd.nist.gov/vuln/detail/CVE-2020-9546	external
https://access.redhat.com/security/cve/CVE-2020-9547	self
https://bugzilla.redhat.com/show_bug.cgi?id=1816337	external
https://www.cve.org/CVERecord?id=CVE-2020-9547	external
https://nvd.nist.gov/vuln/detail/CVE-2020-9547	external
https://access.redhat.com/security/cve/CVE-2020-9548	self
https://bugzilla.redhat.com/show_bug.cgi?id=1816340	external
https://www.cve.org/CVERecord?id=CVE-2020-9548	external
https://nvd.nist.gov/vuln/detail/CVE-2020-9548	external
https://access.redhat.com/security/cve/CVE-2020-10672	self
https://bugzilla.redhat.com/show_bug.cgi?id=1815495	external
https://www.cve.org/CVERecord?id=CVE-2020-10672	external
https://nvd.nist.gov/vuln/detail/CVE-2020-10672	external
https://access.redhat.com/security/cve/CVE-2020-10673	self
https://bugzilla.redhat.com/show_bug.cgi?id=1815470	external
https://www.cve.org/CVERecord?id=CVE-2020-10673	external
https://nvd.nist.gov/vuln/detail/CVE-2020-10673	external
https://access.redhat.com/security/cve/CVE-2020-10968	self
https://bugzilla.redhat.com/show_bug.cgi?id=1819208	external
https://www.cve.org/CVERecord?id=CVE-2020-10968	external
https://nvd.nist.gov/vuln/detail/CVE-2020-10968	external
https://access.redhat.com/security/cve/CVE-2020-10969	self
https://bugzilla.redhat.com/show_bug.cgi?id=1819212	external
https://www.cve.org/CVERecord?id=CVE-2020-10969	external
https://nvd.nist.gov/vuln/detail/CVE-2020-10969	external
https://access.redhat.com/security/cve/CVE-2020-11111	self
https://bugzilla.redhat.com/show_bug.cgi?id=1821304	external
https://www.cve.org/CVERecord?id=CVE-2020-11111	external
https://nvd.nist.gov/vuln/detail/CVE-2020-11111	external
https://github.com/FasterXML/jackson-databind/iss…	external
https://access.redhat.com/security/cve/CVE-2020-11112	self
https://bugzilla.redhat.com/show_bug.cgi?id=1821311	external
https://www.cve.org/CVERecord?id=CVE-2020-11112	external
https://nvd.nist.gov/vuln/detail/CVE-2020-11112	external
https://github.com/FasterXML/jackson-databind/iss…	external
https://access.redhat.com/security/cve/CVE-2020-11113	self
https://bugzilla.redhat.com/show_bug.cgi?id=1821315	external
https://www.cve.org/CVERecord?id=CVE-2020-11113	external
https://nvd.nist.gov/vuln/detail/CVE-2020-11113	external
https://github.com/FasterXML/jackson-databind/iss…	external
https://access.redhat.com/security/cve/CVE-2020-11612	self
https://bugzilla.redhat.com/show_bug.cgi?id=1816216	external
https://www.cve.org/CVERecord?id=CVE-2020-11612	external
https://nvd.nist.gov/vuln/detail/CVE-2020-11612	external
https://access.redhat.com/security/cve/CVE-2020-11619	self
https://bugzilla.redhat.com/show_bug.cgi?id=1826805	external
https://www.cve.org/CVERecord?id=CVE-2020-11619	external
https://nvd.nist.gov/vuln/detail/CVE-2020-11619	external
https://access.redhat.com/security/cve/CVE-2020-11620	self
https://bugzilla.redhat.com/show_bug.cgi?id=1826798	external
https://www.cve.org/CVERecord?id=CVE-2020-11620	external
https://nvd.nist.gov/vuln/detail/CVE-2020-11620	external
https://access.redhat.com/security/cve/CVE-2020-14060	self
https://bugzilla.redhat.com/show_bug.cgi?id=1848960	external
https://www.cve.org/CVERecord?id=CVE-2020-14060	external
https://nvd.nist.gov/vuln/detail/CVE-2020-14060	external
https://access.redhat.com/security/cve/CVE-2020-14061	self
https://bugzilla.redhat.com/show_bug.cgi?id=1848966	external
https://www.cve.org/CVERecord?id=CVE-2020-14061	external
https://nvd.nist.gov/vuln/detail/CVE-2020-14061	external
https://access.redhat.com/security/cve/CVE-2020-14062	self
https://bugzilla.redhat.com/show_bug.cgi?id=1848962	external
https://www.cve.org/CVERecord?id=CVE-2020-14062	external
https://nvd.nist.gov/vuln/detail/CVE-2020-14062	external

Acknowledgments

the Envoy security team

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update is now available for Red Hat Decision Manager.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model \u0026 Notation (DMN) execution, and Business Optimizer for solving planning problems. It automates business decisions and makes that logic available to the entire business. \n\nThis release of Red Hat Decision Manager 7.8.0 serves as an update to Red Hat Decision Manager 7.7.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* netty: HTTP request smuggling (CVE-2019-20444)\n\n* netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869)\n\n* netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)\n\n* netty: HTTP/2: flood using empty frames results in excessive resource consumption (CVE-2019-9518)\n\n* netty: HTTP/2: flood using HEADERS frames results in unbounded memory growth (CVE-2019-9514)\n\n* netty: HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512)\n\n* netty: HTTP/2: flood using SETTINGS frames results in unbounded memory growth (CVE-2019-9515)\n\n* netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header (CVE-2019-20445)\n\n* cxf-core: cxf: does not restrict the number of message attachments (CVE-2019-12406)\n\n* cxf-core: cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12423)\n\n* cxf-core: cxf: reflected XSS in the services listing page (CVE-2019-17573)\n\n* jackson-databind: lacks certain net.sf.ehcache blocking (CVE-2019-20330)\n\n* jackson-databind: Lacks certain xbean-reflect/JNDI blocking (CVE-2020-8840)\n\n* jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10672)\n\n* jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10673)\n\n* jackson-databind: Serialization gadgets in anteros-core (CVE-2020-9548)\n\n* jackson-databind: Serialization gadgets in commons-jelly:commons-jelly (CVE-2020-11620)\n\n* jackson-databind: Serialization gadgets in ibatis-sqlmap (CVE-2020-9547)\n\n* jackson-databind: Serialization gadgets in javax.swing.JEditorPane (CVE-2020-10969)\n\n* jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider.*.RmiProvider (CVE-2020-10968)\n\n* jackson-databind: Serialization gadgets in org.apache.activemq.jms.pool.XaPooledConnectionFactory (CVE-2020-11111)\n\n* jackson-databind: Serialization gadgets in org.apache.commons.proxy.provider.remoting.RmiProvider (CVE-2020-11112)\n\n* jackson-databind: Serialization gadgets in org.apache.openjpa.ee.WASRegistryManagedRuntime (CVE-2020-11113)\n\n* jackson-databind: Serialization gadgets in org.springframework:spring-aop (CVE-2020-11619)\n\n* jackson-databind: Serialization gadgets in shaded-hikari-config (CVE-2020-9546)\n\n* jackson-databind: serialization in oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (CVE-2020-14060)\n\n* jackson-databind: serialization in weblogic/oracle-aqjms (CVE-2020-14061)\n\n* jackson-databind: serialization in com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (CVE-2020-14062)\n\n* netty: compression/decompression codecs don\u0027t enforce limits on buffer allocation sizes (CVE-2020-11612)\n\n* quartz: libquartz: XXE attacks via job description (CVE-2019-13990)\n\n* keycloak: security issue on reset credential flow (CVE-2020-1718)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2020:3196",
        "url": "https://access.redhat.com/errata/RHSA-2020:3196"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=rhdm\u0026version=7.8.0",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=rhdm\u0026version=7.8.0"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_decision_manager/7.8/html/release_notes_for_red_hat_decision_manager_7.8/index",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_decision_manager/7.8/html/release_notes_for_red_hat_decision_manager_7.8/index"
      },
      {
        "category": "external",
        "summary": "1735645",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735645"
      },
      {
        "category": "external",
        "summary": "1735744",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735744"
      },
      {
        "category": "external",
        "summary": "1735745",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735745"
      },
      {
        "category": "external",
        "summary": "1735749",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735749"
      },
      {
        "category": "external",
        "summary": "1758619",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758619"
      },
      {
        "category": "external",
        "summary": "1793154",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1793154"
      },
      {
        "category": "external",
        "summary": "1796225",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1796225"
      },
      {
        "category": "external",
        "summary": "1796756",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1796756"
      },
      {
        "category": "external",
        "summary": "1797006",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1797006"
      },
      {
        "category": "external",
        "summary": "1797011",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1797011"
      },
      {
        "category": "external",
        "summary": "1798509",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798509"
      },
      {
        "category": "external",
        "summary": "1798524",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798524"
      },
      {
        "category": "external",
        "summary": "1801149",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1801149"
      },
      {
        "category": "external",
        "summary": "1815470",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1815470"
      },
      {
        "category": "external",
        "summary": "1815495",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1815495"
      },
      {
        "category": "external",
        "summary": "1816170",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816170"
      },
      {
        "category": "external",
        "summary": "1816216",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816216"
      },
      {
        "category": "external",
        "summary": "1816330",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816330"
      },
      {
        "category": "external",
        "summary": "1816332",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816332"
      },
      {
        "category": "external",
        "summary": "1816337",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816337"
      },
      {
        "category": "external",
        "summary": "1816340",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816340"
      },
      {
        "category": "external",
        "summary": "1819208",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1819208"
      },
      {
        "category": "external",
        "summary": "1819212",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1819212"
      },
      {
        "category": "external",
        "summary": "1821304",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1821304"
      },
      {
        "category": "external",
        "summary": "1821311",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1821311"
      },
      {
        "category": "external",
        "summary": "1821315",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1821315"
      },
      {
        "category": "external",
        "summary": "1826798",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1826798"
      },
      {
        "category": "external",
        "summary": "1826805",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1826805"
      },
      {
        "category": "external",
        "summary": "1848960",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848960"
      },
      {
        "category": "external",
        "summary": "1848962",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848962"
      },
      {
        "category": "external",
        "summary": "1848966",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848966"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_3196.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Decision Manager 7.8.0 Security Update",
    "tracking": {
      "current_release_date": "2026-05-14T22:25:17+00:00",
      "generator": {
        "date": "2026-05-14T22:25:17+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.8.0"
        }
      },
      "id": "RHSA-2020:3196",
      "initial_release_date": "2020-07-29T06:06:57+00:00",
      "revision_history": [
        {
          "date": "2020-07-29T06:06:57+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2020-07-29T06:06:57+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-05-14T22:25:17+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Decision Manager 7",
                "product": {
                  "name": "Red Hat Decision Manager 7",
                  "product_id": "Red Hat Decision Manager 7",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7.8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Decision Manager"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "the Envoy security team"
          ]
        }
      ],
      "cve": "CVE-2019-9512",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2019-08-01T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1735645"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in HTTP/2. Using PING frames and queuing of response PING ACK frames, a flood attack could occur resulting in unbounded memory growth. The highest threat from this vulnerability is to system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "HTTP/2: flood using PING frames results in unbounded memory growth",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The golang package in Red Hat OpenStack Platform 9 Operational Tools will not be updated for this flaw because it is in technical preview and is retiring as of 24.Aug.2019.\nThis issue did not affect the versions of grafana(embeds golang) as shipped with Red Hat Ceph Storage 2 and Red Hat Gluster Storage 3 as they did not include the support for HTTP/2.\nThe following storage product versions are affected because they include the support for HTTP/2 in:\n* golang as shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3\n* heketi(embeds golang) as shipped with Red Hat Gluster Storage 3\n* grafana(embeds golang and grpc) as shipped with Red Hat Ceph Storage 3\nThis flaw has no available mitigation for packages golang and nodejs. Both packages will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.\n\nAll OpenShift Container Platform RPMs and container images that are built with Go and support HTTP/2 are vulnerable to this flaw.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-9512"
        },
        {
          "category": "external",
          "summary": "RHBZ#1735645",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735645"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-9512",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-9512"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-9512",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9512"
        },
        {
          "category": "external",
          "summary": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
          "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg",
          "url": "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA",
          "url": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA"
        },
        {
          "category": "external",
          "summary": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/",
          "url": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/"
        },
        {
          "category": "external",
          "summary": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html",
          "url": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html"
        }
      ],
      "release_date": "2019-08-13T17:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "HTTP/2: flood using PING frames results in unbounded memory growth"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "the Envoy security team"
          ]
        }
      ],
      "cve": "CVE-2019-9514",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2019-08-01T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1735744"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in HTTP/2. Using HEADER frames with invalid HTTP headers and queuing of response RST_STREAM frames, an attacker could cause a flood resulting in unbounded memory growth. The highest threat from this vulnerability is to system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "HTTP/2: flood using HEADERS frames results in unbounded memory growth",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The golang package in Red Hat OpenStack Platform 9 Operational Tools will not be updated for this flaw because it is in technical preview and is retiring as of 24.Aug.2019.\nThis issue did not affect the versions of grafana(embeds golang) as shipped with Red Hat Ceph Storage 2 and Red Hat Gluster Storage 3 as they did not include the support for HTTP/2.\nThe following storage product versions are affected because they include the support for HTTP/2 in:\n* golang as shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3\n* heketi(embeds golang) as shipped with Red Hat Gluster Storage 3\n* grafana(embeds golang and grpc) as shipped with Red Hat Ceph Storage 3\nThis flaw has no available mitigation for packages golang and nodejs. Both packages will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.\n\nAll OpenShift Container Platform RPMs and container images that are built with Go and support HTTP/2 are vulnerable to this flaw.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-9514"
        },
        {
          "category": "external",
          "summary": "RHBZ#1735744",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735744"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-9514",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-9514"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-9514",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9514"
        },
        {
          "category": "external",
          "summary": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
          "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg",
          "url": "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA",
          "url": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA"
        },
        {
          "category": "external",
          "summary": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/",
          "url": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/"
        },
        {
          "category": "external",
          "summary": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html",
          "url": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html"
        }
      ],
      "release_date": "2019-08-13T17:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "HTTP/2: flood using HEADERS frames results in unbounded memory growth"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "the Envoy security team"
          ]
        }
      ],
      "cve": "CVE-2019-9515",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2019-08-01T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1735745"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in HTTP/2. Using SETTINGS frames and queuing of SETTINGS ACK frames, a flood could occur resulting in unbounded memory growth. The highest threat from this vulnerability is to system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "HTTP/2: flood using SETTINGS frames results in unbounded memory growth",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue affects the version of grafana(embeds gRPC) as shipped with Red Hat Ceph Storage 3 as it include the support for HTTP/2.\nThis flaw has no available mitigation for nodejs package. It will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-9515"
        },
        {
          "category": "external",
          "summary": "RHBZ#1735745",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735745"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-9515",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-9515"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-9515",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9515"
        },
        {
          "category": "external",
          "summary": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
          "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
        },
        {
          "category": "external",
          "summary": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/",
          "url": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/"
        },
        {
          "category": "external",
          "summary": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html",
          "url": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html"
        }
      ],
      "release_date": "2019-08-13T17:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "HTTP/2: flood using SETTINGS frames results in unbounded memory growth"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "the Envoy security team"
          ]
        }
      ],
      "cve": "CVE-2019-9518",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2019-08-01T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1735749"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in HTTP/2. Using frames with an empty payload, a flood could occur that results in excessive CPU usage and starvation of other clients. The highest threat from this vulnerability is to system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "HTTP/2: flood using empty frames results in excessive resource consumption",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This flaw has no available mitigation for nodejs package. It will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-9518"
        },
        {
          "category": "external",
          "summary": "RHBZ#1735749",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735749"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-9518",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-9518"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-9518",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9518"
        },
        {
          "category": "external",
          "summary": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
          "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
        },
        {
          "category": "external",
          "summary": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/",
          "url": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/"
        }
      ],
      "release_date": "2019-08-13T17:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "HTTP/2: flood using empty frames results in excessive resource consumption"
    },
    {
      "cve": "CVE-2019-12406",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2020-03-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1816170"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property \"attachment-max-count\".",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "cxf: does not restrict the number of message attachments",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-12406"
        },
        {
          "category": "external",
          "summary": "RHBZ#1816170",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816170"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-12406",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-12406"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-12406",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12406"
        }
      ],
      "release_date": "2019-11-06T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "cxf: does not restrict the number of message attachments"
    },
    {
      "cve": "CVE-2019-12423",
      "cwe": {
        "id": "CWE-522",
        "name": "Insufficiently Protected Credentials"
      },
      "discovery_date": "2020-01-31T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1797006"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) by specifing the path of the keystore and the alias of the keystore entry. This case is not vulnerable. However it is also possible to obtain the keys from a JWK keystore file, by setting the configuration parameter \"rs.security.keystore.type\" to \"jwk\". For this case all keys are returned in this file \"as is\", including all private key and secret key credentials. This is an obvious security risk if the user has configured the signature keystore file with private or secret key credentials. From CXF 3.3.5 and 3.2.12, it is mandatory to specify an alias corresponding to the id of the key in the JWK file, and only this key is returned. In addition, any private key information is omitted by default. \"oct\" keys, which contain secret keys, are not returned at all.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "cxf: OpenId Connect token service does not properly validate the clientId",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-12423"
        },
        {
          "category": "external",
          "summary": "RHBZ#1797006",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1797006"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-12423",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-12423"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-12423",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12423"
        }
      ],
      "release_date": "2020-01-16T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "cxf: OpenId Connect token service does not properly validate the clientId"
    },
    {
      "cve": "CVE-2019-13990",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2019-07-27T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1801149"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The Terracotta Quartz Scheduler is susceptible to an XML external entity attack (XXE) through a job description. This issue stems from inadequate handling of XML external entity (XXE) declarations in the initDocumentParser function within xml/XMLSchedulingDataProcessor.java. By enticing a victim to access a maliciously crafted job description (containing XML content), a remote attacker could exploit this vulnerability to execute an XXE attack on the targeted system.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "libquartz: XXE attacks via job description",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Satellite 6 uses a vulnerable version of libquartz as a dependency for Candlepin. However, the \u003cjob\u003e\u003cdescrition\u003e entry is not used, and the vulnerability can not be triggered. An update may fix the code in the future.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-13990"
        },
        {
          "category": "external",
          "summary": "RHBZ#1801149",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1801149"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-13990",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-13990"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-13990",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13990"
        }
      ],
      "release_date": "2019-07-26T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "libquartz: XXE attacks via job description"
    },
    {
      "cve": "CVE-2019-16869",
      "cwe": {
        "id": "CWE-444",
        "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
      },
      "discovery_date": "2019-09-26T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1758619"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Netty, where whitespace before the colon in HTTP headers is mishandled. This flaw allows an attacker to cause HTTP request smuggling.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "OpenShift Container Platform ships a vulnerable netty library as part of the logging-elasticsearch5 container. ElasticSearch\u0027s security team has stated that this vulnerability does not poses a substantial practical threat to ElasticSearch 6 [1]. We agree that this issue would be difficult to exploit these vulnerabilities on OpenShift Container Platform, so we\u0027re reducing the impact of this issue to moderate and may fix it in the future release.\n\nRed Hat Satellite ships vulnerable netty version embedded in Candlepin, however, is not directly vulnerable since HTTP requests are handled by Tomcat and not netty.\n\n[1]  https://github.com/elastic/elasticsearch/issues/49396",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-16869"
        },
        {
          "category": "external",
          "summary": "RHBZ#1758619",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758619"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-16869",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-16869"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-16869",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16869"
        }
      ],
      "release_date": "2019-09-26T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        },
        {
          "category": "workaround",
          "details": "* Use HTTP/2 instead (clear boundaries between requests)\n* Disable reuse of backend connections eg. ```http-reuse never``` in HAProxy or whatever equivalent LB settings",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.0"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers"
    },
    {
      "cve": "CVE-2019-17573",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2020-01-16T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1797011"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject javascript into the web page. Please note that the attack exploits a feature which is not typically not present in modern browsers, who remove dot segments before sending the request. However, Mobile applications may be vulnerable.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "cxf: reflected XSS in the services listing page",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-17573"
        },
        {
          "category": "external",
          "summary": "RHBZ#1797011",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1797011"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-17573",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-17573"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-17573",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17573"
        }
      ],
      "release_date": "2020-01-16T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        },
        {
          "category": "workaround",
          "details": "Mitigate this flaw by disabling the service listing altogether; via setting the \"hide-service-list-page\" servlet parameter to \"true\".",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "cxf: reflected XSS in the services listing page"
    },
    {
      "cve": "CVE-2019-20330",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2020-01-20T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1793154"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: lacks certain net.sf.ehcache blocking",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "While OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-20330"
        },
        {
          "category": "external",
          "summary": "RHBZ#1793154",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1793154"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-20330",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-20330"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20330",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20330"
        }
      ],
      "release_date": "2020-01-02T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        },
        {
          "category": "workaround",
          "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible:\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: lacks certain net.sf.ehcache blocking"
    },
    {
      "cve": "CVE-2019-20444",
      "cwe": {
        "id": "CWE-444",
        "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
      },
      "discovery_date": "2020-01-30T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1798524"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A HTTP smuggling flaw was found in HttpObjectDecoder.java in Netty in versions prior to version 4.1.44. HTTP headers with an invalid fold, in this case CRLF (carriage return, line feed) without being followed by SP (space) or HTAB (horizontal tab), result in situations where headers can be misread. Data integrity is the highest threat with this vulnerability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: HTTP request smuggling",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "OpenShift Container Platform ships a vulnerable netty library as part of the logging-elasticsearch5 container. ElasticSearch\u0027s security team has stated that the previous vulnerability, CVE-2019-16869, does not pose a substantial practical threat to ElasticSearch 6. We agree that these issues would be difficult to exploit on OpenShift Container Platform so we\u0027re reducing the impact of this issue to moderate and may fix it in the future release.\n\nRed Hat Satellite ships a vulnerable version of netty embedded in Candlepin. However, the flaw can not be triggered in that context, because HTTP requests are handled by Tomcat, not by netty. A future release may fix this.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-20444"
        },
        {
          "category": "external",
          "summary": "RHBZ#1798524",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798524"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-20444",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-20444"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20444",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20444"
        },
        {
          "category": "external",
          "summary": "https://github.com/elastic/elasticsearch/issues/49396",
          "url": "https://github.com/elastic/elasticsearch/issues/49396"
        }
      ],
      "release_date": "2020-01-29T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        },
        {
          "category": "workaround",
          "details": "* Use HTTP/2 instead (clear boundaries between requests)\n* Disable reuse of backend connections eg. ```http-reuse never``` in HAProxy or whatever equivalent LB settings",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "netty: HTTP request smuggling"
    },
    {
      "cve": "CVE-2019-20445",
      "cwe": {
        "id": "CWE-444",
        "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
      },
      "discovery_date": "2020-01-20T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1798509"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Netty before version 4.1.44, where it accepted multiple Content-Length headers and also accepted both Transfer-Encoding, as well as Content-Length headers where it should reject the message under such circumstances. In circumstances where Netty is used in the context of a server, it could result in a viable HTTP smuggling vulnerability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "OpenShift Container Platform ships a vulnerable netty library as part of the logging-elasticsearch5 container. ElasticSearch\u0027s security team has stated that the previous vulnerability, CVE-2019-16869, does not poses a substantial practical threat to ElasticSearch 6 [1]. We agree that this issue would be difficult to exploit both these vulnerabilities on OpenShift Container Platform, so we\u0027re reducing the impact of this issue to moderate and may fix it in the future release.\n\nRed Hat Satellite ships a vulnerable version of netty embedded in Candlepin. However, the flaw can not be triggered in that context, because HTTP requests are handled by Tomcat, not by netty. A future release may fix this.\n\n[1]  https://github.com/elastic/elasticsearch/issues/49396",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-20445"
        },
        {
          "category": "external",
          "summary": "RHBZ#1798509",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798509"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-20445",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-20445"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20445",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20445"
        }
      ],
      "release_date": "2020-01-29T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        },
        {
          "category": "workaround",
          "details": "* Use HTTP/2 instead (clear boundaries between requests)\n* Disable reuse of backend connections eg. ```http-reuse never``` in HAProxy or whatever equivalent LB settings",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header"
    },
    {
      "cve": "CVE-2020-1718",
      "cwe": {
        "id": "CWE-287",
        "name": "Improper Authentication"
      },
      "discovery_date": "2020-01-31T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1796756"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the reset credential flow in Keycloak. This flaw allows an attacker to gain unauthorized access to the application.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "keycloak: security issue on reset credential flow",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-1718"
        },
        {
          "category": "external",
          "summary": "RHBZ#1796756",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1796756"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1718",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-1718"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1718",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1718"
        }
      ],
      "release_date": "2020-05-12T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        },
        {
          "category": "workaround",
          "details": "Disable reset credential flow.",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "keycloak: security issue on reset credential flow"
    },
    {
      "cve": "CVE-2020-7238",
      "cwe": {
        "id": "CWE-444",
        "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
      },
      "discovery_date": "2020-01-27T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1796225"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Netty, where it mishandles Transfer-Encoding whitespace. This flaw allows HTTP Request Smuggling.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "OpenShift Container Platform ships a vulnerable netty library as part of the logging-elasticsearch5 container. ElasticSearch\u0027s security team has stated that the previous vulnerability, CVE-2019-16869, does not poses a substantial practical threat to ElasticSearch 6 [1]. We agree that this issue would be difficult to exploit both these vulnerabilities on OpenShift Container Platform, so we\u0027re reducing the impact of this issue to moderate and may fix it in the future release.\n\nRed Hat Satellite ships vulnerable netty version embedded in Candlepin, however, is not directly vulnerable since HTTP requests are handled by Tomcat and not netty.\n\n[1]  https://github.com/elastic/elasticsearch/issues/49396",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-7238"
        },
        {
          "category": "external",
          "summary": "RHBZ#1796225",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1796225"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-7238",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-7238"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-7238",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7238"
        },
        {
          "category": "external",
          "summary": "https://netty.io/news/2019/12/18/4-1-44-Final.html",
          "url": "https://netty.io/news/2019/12/18/4-1-44-Final.html"
        }
      ],
      "release_date": "2020-01-26T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        },
        {
          "category": "workaround",
          "details": "* Use HTTP/2 instead (clear boundaries between requests)\n* Disable reuse of backend connections eg. ```http-reuse never``` in HAProxy or whatever equivalent LB settings",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling"
    },
    {
      "cve": "CVE-2020-8840",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2020-03-02T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1816330"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in FasterXML jackson-databind in versions 2.0.0 through 2.9.10.2. A \"gadget\" exploit is possible due to a lack of a Java object being blocking from being deserialized. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: Lacks certain xbean-reflect/JNDI blocking",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nWhile OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nRed Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-8840"
        },
        {
          "category": "external",
          "summary": "RHBZ#1816330",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816330"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-8840",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-8840"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8840",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8840"
        }
      ],
      "release_date": "2020-03-02T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: Lacks certain xbean-reflect/JNDI blocking"
    },
    {
      "cve": "CVE-2020-9546",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2020-03-02T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1816332"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.4. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: Serialization gadgets in shaded-hikari-config",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nWhile OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nRed Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-9546"
        },
        {
          "category": "external",
          "summary": "RHBZ#1816332",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816332"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-9546",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-9546"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9546",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9546"
        }
      ],
      "release_date": "2020-03-02T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: Serialization gadgets in shaded-hikari-config"
    },
    {
      "cve": "CVE-2020-9547",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2020-03-02T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1816337"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jackson-databind 2.x. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: Serialization gadgets in ibatis-sqlmap",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nWhile OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nRed Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-9547"
        },
        {
          "category": "external",
          "summary": "RHBZ#1816337",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816337"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-9547",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-9547"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9547",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9547"
        }
      ],
      "release_date": "2020-03-02T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: Serialization gadgets in ibatis-sqlmap"
    },
    {
      "cve": "CVE-2020-9548",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2020-03-02T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1816340"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jackson-databind 2.x. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: Serialization gadgets in anteros-core",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nWhile OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nRed Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-9548"
        },
        {
          "category": "external",
          "summary": "RHBZ#1816340",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816340"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-9548",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-9548"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9548",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9548"
        }
      ],
      "release_date": "2020-03-02T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: Serialization gadgets in anteros-core"
    },
    {
      "cve": "CVE-2020-10672",
      "cwe": {
        "id": "CWE-96",
        "name": "Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)"
      },
      "discovery_date": "2020-03-19T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1815495"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.4. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-10672"
        },
        {
          "category": "external",
          "summary": "RHBZ#1815495",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1815495"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-10672",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-10672"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10672",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10672"
        }
      ],
      "release_date": "2020-03-15T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution"
    },
    {
      "cve": "CVE-2020-10673",
      "cwe": {
        "id": "CWE-96",
        "name": "Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)"
      },
      "discovery_date": "2020-03-19T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1815470"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.4. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time. Additionally, the gadget is not available within Red Hat Openstack Platform\u0027s OpenDaylight.\n\nWhile OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-10673"
        },
        {
          "category": "external",
          "summary": "RHBZ#1815470",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1815470"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-10673",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-10673"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10673",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10673"
        }
      ],
      "release_date": "2020-03-18T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution"
    },
    {
      "cve": "CVE-2020-10968",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2020-03-26T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1819208"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jackson-databind 2.x prior to version 2.9.10.4.  The interaction between serialization gadgets and typing is mishandled in the bus-proxy. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider.*.RmiProvider",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "While OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nRed Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.\n\nThe PKI module as shipped in Red Hat Enterprise Linux 8 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used, lowering the impact of the vulnerability for the Product. We may update the jackson-databind dependency in a future release.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-10968"
        },
        {
          "category": "external",
          "summary": "RHBZ#1819208",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1819208"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-10968",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-10968"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10968",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10968"
        }
      ],
      "release_date": "2020-03-22T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        },
        {
          "category": "workaround",
          "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider.*.RmiProvider"
    },
    {
      "cve": "CVE-2020-10969",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2020-03-26T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1819212"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.4. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: Serialization gadgets in javax.swing.JEditorPane",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "While OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nRed Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.\n\nThe PKI module as shipped in Red Hat Enterprise Linux 8 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used, lowering the impact of the vulnerability for the Product. We may update the jackson-databind dependency in a future release.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-10969"
        },
        {
          "category": "external",
          "summary": "RHBZ#1819212",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1819212"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-10969",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-10969"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10969",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10969"
        }
      ],
      "release_date": "2020-03-03T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        },
        {
          "category": "workaround",
          "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: Serialization gadgets in javax.swing.JEditorPane"
    },
    {
      "cve": "CVE-2020-11111",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2020-03-31T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1821304"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.4. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: Serialization gadgets in org.apache.activemq.jms.pool.XaPooledConnectionFactory",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nWhile OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nThe PKI module as shipped in Red Hat Enterprise Linux 8 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used, lowering the impact of the vulnerability for the Product. We may update the jackson-databind dependency in a future release.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-11111"
        },
        {
          "category": "external",
          "summary": "RHBZ#1821304",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1821304"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11111",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-11111"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11111",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11111"
        },
        {
          "category": "external",
          "summary": "https://github.com/FasterXML/jackson-databind/issues/2664",
          "url": "https://github.com/FasterXML/jackson-databind/issues/2664"
        }
      ],
      "release_date": "2020-03-24T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        },
        {
          "category": "workaround",
          "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: Serialization gadgets in org.apache.activemq.jms.pool.XaPooledConnectionFactory"
    },
    {
      "cve": "CVE-2020-11112",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2020-03-31T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1821311"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.4. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: Serialization gadgets in org.apache.commons.proxy.provider.remoting.RmiProvider",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nWhile OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nThe PKI module as shipped in Red Hat Enterprise Linux 8 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used, lowering the impact of the vulnerability for the Product. We may update the jackson-databind dependency in a future release.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-11112"
        },
        {
          "category": "external",
          "summary": "RHBZ#1821311",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1821311"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11112",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-11112"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11112",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11112"
        },
        {
          "category": "external",
          "summary": "https://github.com/FasterXML/jackson-databind/issues/2666",
          "url": "https://github.com/FasterXML/jackson-databind/issues/2666"
        }
      ],
      "release_date": "2020-03-25T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        },
        {
          "category": "workaround",
          "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: Serialization gadgets in org.apache.commons.proxy.provider.remoting.RmiProvider"
    },
    {
      "cve": "CVE-2020-11113",
      "cwe": {
        "id": "CWE-96",
        "name": "Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)"
      },
      "discovery_date": "2020-03-31T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1821315"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.4. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: Serialization gadgets in org.apache.openjpa.ee.WASRegistryManagedRuntime",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nWhile OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nThe PKI module as shipped in Red Hat Enterprise Linux 8 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used, lowering the impact of the vulnerability for the Product. We may update the jackson-databind dependency in a future release.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-11113"
        },
        {
          "category": "external",
          "summary": "RHBZ#1821315",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1821315"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11113",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-11113"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11113",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11113"
        },
        {
          "category": "external",
          "summary": "https://github.com/FasterXML/jackson-databind/issues/2670",
          "url": "https://github.com/FasterXML/jackson-databind/issues/2670"
        }
      ],
      "release_date": "2020-03-28T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        },
        {
          "category": "workaround",
          "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: Serialization gadgets in org.apache.openjpa.ee.WASRegistryManagedRuntime"
    },
    {
      "cve": "CVE-2020-11612",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2020-03-23T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1816216"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Netty in the way it handles the amount of data it compresses and decompresses. The Compression/Decompression codecs should enforce memory allocation size limits to avoid an Out of Memory Error (OOME) or exhaustion of the memory pool.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: compression/decompression codecs don\u0027t enforce limits on buffer allocation sizes",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "In OpenShift Container Platform end users don\u0027t have direct access to send requests to ElasticSearch. A user could need access to the ElasticSearch service on the internal cluster network in order to be able to send malicious requests to it.\n\n\nThird party scanners flagging Red Hat Satellite due to availability of the higher version packages in Red Hat AMQ Clients (through errata RHSA-2020:2605) compare to the qpid packages from Satellite Tools repository. qpid dependency fixed in errata RHSA-2020:2605 was for Red Hat AMQ Clients and it doesn\u0027t necessarily mean that packages from Satellite Tools are affected. These are two different products with different architecture and code-base. Updating the packages from any other repository than the Satellite-tools repository is not recommended for Satellite Customers. \n\nRed Hat Satellite 6.7 and earlier ship affected version of netty, however, there is no external connection being exposed and it is used by only Artemis to open an internal connection within the JVM. Since netty does not come into contact with untrusted data, vulnerability is not exposed in product code and there is no breach of Confidentiality, Integrity or Availability expected from this vulnerability. We may update the netty and its dependency in a future release.\n\nMore information regarding Satellite related packages can be found on KCS: https://access.redhat.com/solutions/5200591",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-11612"
        },
        {
          "category": "external",
          "summary": "RHBZ#1816216",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816216"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11612",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-11612"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11612",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11612"
        }
      ],
      "release_date": "2020-01-31T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "netty: compression/decompression codecs don\u0027t enforce limits on buffer allocation sizes"
    },
    {
      "cve": "CVE-2020-11619",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2020-04-08T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1826805"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jackson-databind 2.x. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: Serialization gadgets in org.springframework:spring-aop",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nThe PKI module as shipped in Red Hat Enterprise Linux 8 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used, lowering the impact of the vulnerability for the Product. We may update the jackson-databind dependency in a future release.\n\nWhile OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nRed Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-11619"
        },
        {
          "category": "external",
          "summary": "RHBZ#1826805",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1826805"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11619",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-11619"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11619",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11619"
        }
      ],
      "release_date": "2020-04-06T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        },
        {
          "category": "workaround",
          "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible:\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: Serialization gadgets in org.springframework:spring-aop"
    },
    {
      "cve": "CVE-2020-11620",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2020-04-08T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1826798"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jackson-databind 2.x. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: Serialization gadgets in commons-jelly:commons-jelly",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nThe PKI module as shipped in Red Hat Enterprise Linux 8 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used, lowering the impact of the vulnerability for the Product. We may update the jackson-databind dependency in a future release.\n\nWhile OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nRed Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-11620"
        },
        {
          "category": "external",
          "summary": "RHBZ#1826798",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1826798"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11620",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-11620"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11620",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11620"
        }
      ],
      "release_date": "2020-04-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        },
        {
          "category": "workaround",
          "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible:\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: Serialization gadgets in commons-jelly:commons-jelly"
    },
    {
      "cve": "CVE-2020-14060",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2020-06-15T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1848960"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.5. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: serialization in oadd.org.apache.xalan.lib.sql.JNDIConnectionPool",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "While OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nThe PKI module as shipped in Red Hat Enterprise Linux 8 and Red Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used, lowering the impact of the vulnerability for the Product. We may update the jackson-databind dependency in a future release.\n\nThe version of jackson-databind as shipped in Red Hat Software Collections rh-maven35 is used only while building maven, thus it does not deserialize data coming from untrusted sources, lowering the impact of the vulnerability for the Product.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-14060"
        },
        {
          "category": "external",
          "summary": "RHBZ#1848960",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848960"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-14060",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-14060"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14060",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14060"
        }
      ],
      "release_date": "2020-05-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        },
        {
          "category": "workaround",
          "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible:\n* Deserialization from sources you do not control\n* enableDefaultTyping()\n* @JsonTypeInfo using id.CLASS or id.MINIMAL_CLASS\n* oadd.org.apache.xalan.lib.sql.JNDIConnectionPool in classpath",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: serialization in oadd.org.apache.xalan.lib.sql.JNDIConnectionPool"
    },
    {
      "cve": "CVE-2020-14061",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2020-06-15T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1848966"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.5. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: serialization in weblogic/oracle-aqjms",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "While OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nThe PKI module as shipped in Red Hat Enterprise Linux 8 and Red Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used, lowering the impact of the vulnerability for the Product. We may update the jackson-databind dependency in a future release.\n\nThe version of jackson-databind as shipped in Red Hat Software Collections rh-maven35 is used only while building maven, thus it does not deserialize data coming from untrusted sources, lowering the impact of the vulnerability for the Product.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-14061"
        },
        {
          "category": "external",
          "summary": "RHBZ#1848966",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848966"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-14061",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-14061"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14061",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14061"
        }
      ],
      "release_date": "2020-05-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        },
        {
          "category": "workaround",
          "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible:\n* Deserialization from sources you do not control\n* enableDefaultTyping()\n* @JsonTypeInfo using id.CLASS or id.MINIMAL_CLASS\n* oracle.jms.AQjms*ConnectionFactory in classpath",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: serialization in weblogic/oracle-aqjms"
    },
    {
      "cve": "CVE-2020-14062",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2020-06-15T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1848962"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.5. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: serialization in com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "While OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nThe PKI module as shipped in Red Hat Enterprise Linux 8 and Red Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used, lowering the impact of the vulnerability for the Product. We may update the jackson-databind dependency in a future release.\n\nThe version of jackson-databind as shipped in Red Hat Software Collections rh-maven35 is used only while building maven, thus it does not deserialize data coming from untrusted sources, lowering the impact of the vulnerability for the Product.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Decision Manager 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-14062"
        },
        {
          "category": "external",
          "summary": "RHBZ#1848962",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848962"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-14062",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-14062"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14062",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14062"
        }
      ],
      "release_date": "2020-05-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:06:57+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3196"
        },
        {
          "category": "workaround",
          "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible:\n* Deserialization from sources you do not control\n* enableDefaultTyping()\n* @JsonTypeInfo using id.CLASS or id.MINIMAL_CLASS\n* com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool in classpath",
          "product_ids": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Decision Manager 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: serialization in com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool"
    }
  ]
}

RHSA-2020:3197

Vulnerability from csaf_redhat - Published: 2020-07-29 06:21 - Updated: 2026-05-14 22:25

Summary

Red Hat Security Advisory: Red Hat Process Automation Manager 7.8.0 Security Update

Severity

Important

Notes

Topic: An update is now available for Red Hat Process Automation Manager. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details: Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services. This release of Red Hat Process Automation Manager 7.8.0 serves as an update to Red Hat Process Automation Manager 7.7.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * commons-beanutils: apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086) * netty: HTTP request smuggling (CVE-2019-20444) * netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869) * netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238) * netty: HTTP/2: flood using empty frames results in excessive resource consumption (CVE-2019-9518) * netty: HTTP/2: flood using HEADERS frames results in unbounded memory growth (CVE-2019-9514) * netty: HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512) * netty: HTTP/2: flood using SETTINGS frames results in unbounded memory growth (CVE-2019-9515) * netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header (CVE-2019-20445) * cxf-core: cxf: does not restrict the number of message attachments (CVE-2019-12406) * cxf-core: cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12423) * cxf-core: cxf: reflected XSS in the services listing page (CVE-2019-17573) * jackson-databind: lacks certain net.sf.ehcache blocking (CVE-2019-20330) * jackson-databind: Lacks certain xbean-reflect/JNDI blocking (CVE-2020-8840) * jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10672) * jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10673) * jackson-databind: Serialization gadgets in anteros-core (CVE-2020-9548) * jackson-databind: Serialization gadgets in commons-jelly:commons-jelly (CVE-2020-11620) * jackson-databind: Serialization gadgets in ibatis-sqlmap (CVE-2020-9547) * jackson-databind: Serialization gadgets in javax.swing.JEditorPane (CVE-2020-10969) * jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider.*.RmiProvider (CVE-2020-10968) * jackson-databind: Serialization gadgets in org.apache.activemq.jms.pool.XaPooledConnectionFactory (CVE-2020-11111) * jackson-databind: Serialization gadgets in org.apache.commons.proxy.provider.remoting.RmiProvider (CVE-2020-11112) * jackson-databind: Serialization gadgets in org.apache.openjpa.ee.WASRegistryManagedRuntime (CVE-2020-11113) * jackson-databind: Serialization gadgets in org.springframework:spring-aop (CVE-2020-11619) * jackson-databind: Serialization gadgets in shaded-hikari-config (CVE-2020-9546) * jackson-databind: serialization in com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (CVE-2020-14062) * jackson-databind: serialization in weblogic/oracle-aqjms (CVE-2020-14061) * jackson-databind: serialization in oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (CVE-2020-14060) * netty: compression/decompression codecs don't enforce limits on buffer allocation sizes (CVE-2020-11612) * quartz: libquartz: XXE attacks via job description (CVE-2019-13990) * keycloak: security issue on reset credential flow (CVE-2020-1718) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2019-9512

7.5 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix

Threats

Impact Important

CVE-2019-9514

7.5 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix

Threats

Impact Important

CVE-2019-9515

7.5 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix

Threats

Impact Important

CVE-2019-9518

7.5 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix

Threats

Impact Important

CVE-2019-10086

A flaw was found in the Apache Commons BeanUtils, where the class property in PropertyUtilsBean is not suppressed by default. This flaw allows an attacker to access the classloader.

7.3 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2019-12406

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix

Threats

Impact Moderate

CVE-2019-12423

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-522 - Insufficiently Protected Credentials

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix

Threats

Impact Moderate

CVE-2019-13990

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-611 - Improper Restriction of XML External Entity Reference

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix

Threats

Impact Moderate

CVE-2019-16869

A flaw was found in Netty, where whitespace before the colon in HTTP headers is mishandled. This flaw allows an attacker to cause HTTP request smuggling.

7.5 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2019-17573

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2019-20330

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2019-20444

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2019-20445

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2020-1718

A flaw was found in the reset credential flow in Keycloak. This flaw allows an attacker to gain unauthorized access to the application.

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-287 - Improper Authentication

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Low

CVE-2020-7238

A flaw was found in Netty, where it mishandles Transfer-Encoding whitespace. This flaw allows HTTP Request Smuggling.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2020-8840

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix

Threats

Impact Moderate

CVE-2020-9546

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix

Threats

Impact Moderate

CVE-2020-9547

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix

Threats

Impact Moderate

CVE-2020-9548

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix

Threats

Impact Moderate

CVE-2020-10672

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-96 - Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix

Threats

Impact Moderate

CVE-2020-10673

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-96 - Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix

Threats

Impact Moderate

CVE-2020-10968

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2020-10969

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2020-11111

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2020-11112

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2020-11113

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-96 - Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2020-11612

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix

Threats

Impact Moderate

CVE-2020-11619

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2020-11620

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2020-14060

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2020-14061

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2020-14062

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Fixed 1 product

Product	Identifier	Version	Remediation
Red Hat Process Automation 7 Red Hat / Red Hat Process Automation Manager	`cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8`	—	Vendor Fix fix Workaround

Threats

Impact Moderate

References

176 references

URL	Category
https://access.redhat.com/errata/RHSA-2020:3197	self
https://access.redhat.com/security/updates/classi…	external
https://access.redhat.com/jbossnetwork/restricted…	external
https://access.redhat.com/documentation/en-us/red…	external
https://bugzilla.redhat.com/show_bug.cgi?id=1735645	external
https://bugzilla.redhat.com/show_bug.cgi?id=1735744	external
https://bugzilla.redhat.com/show_bug.cgi?id=1735745	external
https://bugzilla.redhat.com/show_bug.cgi?id=1735749	external
https://bugzilla.redhat.com/show_bug.cgi?id=1758619	external
https://bugzilla.redhat.com/show_bug.cgi?id=1767483	external
https://bugzilla.redhat.com/show_bug.cgi?id=1793154	external
https://bugzilla.redhat.com/show_bug.cgi?id=1796225	external
https://bugzilla.redhat.com/show_bug.cgi?id=1796756	external
https://bugzilla.redhat.com/show_bug.cgi?id=1797006	external
https://bugzilla.redhat.com/show_bug.cgi?id=1797011	external
https://bugzilla.redhat.com/show_bug.cgi?id=1798509	external
https://bugzilla.redhat.com/show_bug.cgi?id=1798524	external
https://bugzilla.redhat.com/show_bug.cgi?id=1801149	external
https://bugzilla.redhat.com/show_bug.cgi?id=1815470	external
https://bugzilla.redhat.com/show_bug.cgi?id=1815495	external
https://bugzilla.redhat.com/show_bug.cgi?id=1816170	external
https://bugzilla.redhat.com/show_bug.cgi?id=1816216	external
https://bugzilla.redhat.com/show_bug.cgi?id=1816330	external
https://bugzilla.redhat.com/show_bug.cgi?id=1816332	external
https://bugzilla.redhat.com/show_bug.cgi?id=1816337	external
https://bugzilla.redhat.com/show_bug.cgi?id=1816340	external
https://bugzilla.redhat.com/show_bug.cgi?id=1819208	external
https://bugzilla.redhat.com/show_bug.cgi?id=1819212	external
https://bugzilla.redhat.com/show_bug.cgi?id=1821304	external
https://bugzilla.redhat.com/show_bug.cgi?id=1821311	external
https://bugzilla.redhat.com/show_bug.cgi?id=1821315	external
https://bugzilla.redhat.com/show_bug.cgi?id=1826798	external
https://bugzilla.redhat.com/show_bug.cgi?id=1826805	external
https://bugzilla.redhat.com/show_bug.cgi?id=1848960	external
https://bugzilla.redhat.com/show_bug.cgi?id=1848962	external
https://bugzilla.redhat.com/show_bug.cgi?id=1848966	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2019-9512	self
https://bugzilla.redhat.com/show_bug.cgi?id=1735645	external
https://www.cve.org/CVERecord?id=CVE-2019-9512	external
https://nvd.nist.gov/vuln/detail/CVE-2019-9512	external
https://github.com/Netflix/security-bulletins/blo…	external
https://groups.google.com/forum/#!topic/golang-an…	external
https://groups.google.com/forum/#!topic/kubernete…	external
https://nodejs.org/en/blog/vulnerability/aug-2019…	external
https://www.mail-archive.com/grpc-io@googlegroups…	external
https://access.redhat.com/security/cve/CVE-2019-9514	self
https://bugzilla.redhat.com/show_bug.cgi?id=1735744	external
https://www.cve.org/CVERecord?id=CVE-2019-9514	external
https://nvd.nist.gov/vuln/detail/CVE-2019-9514	external
https://access.redhat.com/security/cve/CVE-2019-9515	self
https://bugzilla.redhat.com/show_bug.cgi?id=1735745	external
https://www.cve.org/CVERecord?id=CVE-2019-9515	external
https://nvd.nist.gov/vuln/detail/CVE-2019-9515	external
https://access.redhat.com/security/cve/CVE-2019-9518	self
https://bugzilla.redhat.com/show_bug.cgi?id=1735749	external
https://www.cve.org/CVERecord?id=CVE-2019-9518	external
https://nvd.nist.gov/vuln/detail/CVE-2019-9518	external
https://access.redhat.com/security/cve/CVE-2019-10086	self
https://bugzilla.redhat.com/show_bug.cgi?id=1767483	external
https://www.cve.org/CVERecord?id=CVE-2019-10086	external
https://nvd.nist.gov/vuln/detail/CVE-2019-10086	external
https://commons.apache.org/proper/commons-beanuti…	external
https://access.redhat.com/security/cve/CVE-2019-12406	self
https://bugzilla.redhat.com/show_bug.cgi?id=1816170	external
https://www.cve.org/CVERecord?id=CVE-2019-12406	external
https://nvd.nist.gov/vuln/detail/CVE-2019-12406	external
https://access.redhat.com/security/cve/CVE-2019-12423	self
https://bugzilla.redhat.com/show_bug.cgi?id=1797006	external
https://www.cve.org/CVERecord?id=CVE-2019-12423	external
https://nvd.nist.gov/vuln/detail/CVE-2019-12423	external
https://access.redhat.com/security/cve/CVE-2019-13990	self
https://bugzilla.redhat.com/show_bug.cgi?id=1801149	external
https://www.cve.org/CVERecord?id=CVE-2019-13990	external
https://nvd.nist.gov/vuln/detail/CVE-2019-13990	external
https://access.redhat.com/security/cve/CVE-2019-16869	self
https://bugzilla.redhat.com/show_bug.cgi?id=1758619	external
https://www.cve.org/CVERecord?id=CVE-2019-16869	external
https://nvd.nist.gov/vuln/detail/CVE-2019-16869	external
https://access.redhat.com/security/cve/CVE-2019-17573	self
https://bugzilla.redhat.com/show_bug.cgi?id=1797011	external
https://www.cve.org/CVERecord?id=CVE-2019-17573	external
https://nvd.nist.gov/vuln/detail/CVE-2019-17573	external
https://access.redhat.com/security/cve/CVE-2019-20330	self
https://bugzilla.redhat.com/show_bug.cgi?id=1793154	external
https://www.cve.org/CVERecord?id=CVE-2019-20330	external
https://nvd.nist.gov/vuln/detail/CVE-2019-20330	external
https://access.redhat.com/security/cve/CVE-2019-20444	self
https://bugzilla.redhat.com/show_bug.cgi?id=1798524	external
https://www.cve.org/CVERecord?id=CVE-2019-20444	external
https://nvd.nist.gov/vuln/detail/CVE-2019-20444	external
https://github.com/elastic/elasticsearch/issues/49396	external
https://access.redhat.com/security/cve/CVE-2019-20445	self
https://bugzilla.redhat.com/show_bug.cgi?id=1798509	external
https://www.cve.org/CVERecord?id=CVE-2019-20445	external
https://nvd.nist.gov/vuln/detail/CVE-2019-20445	external
https://access.redhat.com/security/cve/CVE-2020-1718	self
https://bugzilla.redhat.com/show_bug.cgi?id=1796756	external
https://www.cve.org/CVERecord?id=CVE-2020-1718	external
https://nvd.nist.gov/vuln/detail/CVE-2020-1718	external
https://access.redhat.com/security/cve/CVE-2020-7238	self
https://bugzilla.redhat.com/show_bug.cgi?id=1796225	external
https://www.cve.org/CVERecord?id=CVE-2020-7238	external
https://nvd.nist.gov/vuln/detail/CVE-2020-7238	external
https://netty.io/news/2019/12/18/4-1-44-Final.html	external
https://access.redhat.com/security/cve/CVE-2020-8840	self
https://bugzilla.redhat.com/show_bug.cgi?id=1816330	external
https://www.cve.org/CVERecord?id=CVE-2020-8840	external
https://nvd.nist.gov/vuln/detail/CVE-2020-8840	external
https://access.redhat.com/security/cve/CVE-2020-9546	self
https://bugzilla.redhat.com/show_bug.cgi?id=1816332	external
https://www.cve.org/CVERecord?id=CVE-2020-9546	external
https://nvd.nist.gov/vuln/detail/CVE-2020-9546	external
https://access.redhat.com/security/cve/CVE-2020-9547	self
https://bugzilla.redhat.com/show_bug.cgi?id=1816337	external
https://www.cve.org/CVERecord?id=CVE-2020-9547	external
https://nvd.nist.gov/vuln/detail/CVE-2020-9547	external
https://access.redhat.com/security/cve/CVE-2020-9548	self
https://bugzilla.redhat.com/show_bug.cgi?id=1816340	external
https://www.cve.org/CVERecord?id=CVE-2020-9548	external
https://nvd.nist.gov/vuln/detail/CVE-2020-9548	external
https://access.redhat.com/security/cve/CVE-2020-10672	self
https://bugzilla.redhat.com/show_bug.cgi?id=1815495	external
https://www.cve.org/CVERecord?id=CVE-2020-10672	external
https://nvd.nist.gov/vuln/detail/CVE-2020-10672	external
https://access.redhat.com/security/cve/CVE-2020-10673	self
https://bugzilla.redhat.com/show_bug.cgi?id=1815470	external
https://www.cve.org/CVERecord?id=CVE-2020-10673	external
https://nvd.nist.gov/vuln/detail/CVE-2020-10673	external
https://access.redhat.com/security/cve/CVE-2020-10968	self
https://bugzilla.redhat.com/show_bug.cgi?id=1819208	external
https://www.cve.org/CVERecord?id=CVE-2020-10968	external
https://nvd.nist.gov/vuln/detail/CVE-2020-10968	external
https://access.redhat.com/security/cve/CVE-2020-10969	self
https://bugzilla.redhat.com/show_bug.cgi?id=1819212	external
https://www.cve.org/CVERecord?id=CVE-2020-10969	external
https://nvd.nist.gov/vuln/detail/CVE-2020-10969	external
https://access.redhat.com/security/cve/CVE-2020-11111	self
https://bugzilla.redhat.com/show_bug.cgi?id=1821304	external
https://www.cve.org/CVERecord?id=CVE-2020-11111	external
https://nvd.nist.gov/vuln/detail/CVE-2020-11111	external
https://github.com/FasterXML/jackson-databind/iss…	external
https://access.redhat.com/security/cve/CVE-2020-11112	self
https://bugzilla.redhat.com/show_bug.cgi?id=1821311	external
https://www.cve.org/CVERecord?id=CVE-2020-11112	external
https://nvd.nist.gov/vuln/detail/CVE-2020-11112	external
https://github.com/FasterXML/jackson-databind/iss…	external
https://access.redhat.com/security/cve/CVE-2020-11113	self
https://bugzilla.redhat.com/show_bug.cgi?id=1821315	external
https://www.cve.org/CVERecord?id=CVE-2020-11113	external
https://nvd.nist.gov/vuln/detail/CVE-2020-11113	external
https://github.com/FasterXML/jackson-databind/iss…	external
https://access.redhat.com/security/cve/CVE-2020-11612	self
https://bugzilla.redhat.com/show_bug.cgi?id=1816216	external
https://www.cve.org/CVERecord?id=CVE-2020-11612	external
https://nvd.nist.gov/vuln/detail/CVE-2020-11612	external
https://access.redhat.com/security/cve/CVE-2020-11619	self
https://bugzilla.redhat.com/show_bug.cgi?id=1826805	external
https://www.cve.org/CVERecord?id=CVE-2020-11619	external
https://nvd.nist.gov/vuln/detail/CVE-2020-11619	external
https://access.redhat.com/security/cve/CVE-2020-11620	self
https://bugzilla.redhat.com/show_bug.cgi?id=1826798	external
https://www.cve.org/CVERecord?id=CVE-2020-11620	external
https://nvd.nist.gov/vuln/detail/CVE-2020-11620	external
https://access.redhat.com/security/cve/CVE-2020-14060	self
https://bugzilla.redhat.com/show_bug.cgi?id=1848960	external
https://www.cve.org/CVERecord?id=CVE-2020-14060	external
https://nvd.nist.gov/vuln/detail/CVE-2020-14060	external
https://access.redhat.com/security/cve/CVE-2020-14061	self
https://bugzilla.redhat.com/show_bug.cgi?id=1848966	external
https://www.cve.org/CVERecord?id=CVE-2020-14061	external
https://nvd.nist.gov/vuln/detail/CVE-2020-14061	external
https://access.redhat.com/security/cve/CVE-2020-14062	self
https://bugzilla.redhat.com/show_bug.cgi?id=1848962	external
https://www.cve.org/CVERecord?id=CVE-2020-14062	external
https://nvd.nist.gov/vuln/detail/CVE-2020-14062	external

Acknowledgments

the Envoy security team

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update is now available for Red Hat Process Automation Manager.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis release of Red Hat Process Automation Manager 7.8.0 serves as an update to Red Hat Process Automation Manager 7.7.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* commons-beanutils: apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086)\n\n* netty: HTTP request smuggling (CVE-2019-20444)\n\n* netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869)\n\n* netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)\n\n* netty: HTTP/2: flood using empty frames results in excessive resource consumption (CVE-2019-9518)\n\n* netty: HTTP/2: flood using HEADERS frames results in unbounded memory growth (CVE-2019-9514)\n\n* netty: HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512)\n\n* netty: HTTP/2: flood using SETTINGS frames results in unbounded memory growth (CVE-2019-9515)\n\n* netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header (CVE-2019-20445)\n\n* cxf-core: cxf: does not restrict the number of message attachments (CVE-2019-12406)\n\n* cxf-core: cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12423)\n\n* cxf-core: cxf: reflected XSS in the services listing page (CVE-2019-17573)\n\n* jackson-databind: lacks certain net.sf.ehcache blocking (CVE-2019-20330)\n\n* jackson-databind: Lacks certain xbean-reflect/JNDI blocking (CVE-2020-8840)\n\n* jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10672)\n\n* jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10673)\n\n* jackson-databind: Serialization gadgets in anteros-core (CVE-2020-9548)\n\n* jackson-databind: Serialization gadgets in commons-jelly:commons-jelly (CVE-2020-11620)\n\n* jackson-databind: Serialization gadgets in ibatis-sqlmap (CVE-2020-9547)\n\n* jackson-databind: Serialization gadgets in javax.swing.JEditorPane (CVE-2020-10969)\n\n* jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider.*.RmiProvider (CVE-2020-10968)\n\n* jackson-databind: Serialization gadgets in org.apache.activemq.jms.pool.XaPooledConnectionFactory (CVE-2020-11111)\n\n* jackson-databind: Serialization gadgets in org.apache.commons.proxy.provider.remoting.RmiProvider (CVE-2020-11112)\n\n* jackson-databind: Serialization gadgets in org.apache.openjpa.ee.WASRegistryManagedRuntime (CVE-2020-11113)\n\n* jackson-databind: Serialization gadgets in org.springframework:spring-aop (CVE-2020-11619)\n\n* jackson-databind: Serialization gadgets in shaded-hikari-config (CVE-2020-9546)\n\n* jackson-databind: serialization in com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (CVE-2020-14062)\n\n* jackson-databind: serialization in weblogic/oracle-aqjms (CVE-2020-14061)\n\n* jackson-databind: serialization in oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (CVE-2020-14060)\n\n* netty: compression/decompression codecs don\u0027t enforce limits on buffer allocation sizes (CVE-2020-11612)\n\n* quartz: libquartz: XXE attacks via job description (CVE-2019-13990)\n\n* keycloak: security issue on reset credential flow (CVE-2020-1718)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2020:3197",
        "url": "https://access.redhat.com/errata/RHSA-2020:3197"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=rhpam\u0026version=7.8.0",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=rhpam\u0026version=7.8.0"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_process_automation_manager/7.8/html/release_notes_for_red_hat_process_automation_manager_7.8/index",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_process_automation_manager/7.8/html/release_notes_for_red_hat_process_automation_manager_7.8/index"
      },
      {
        "category": "external",
        "summary": "1735645",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735645"
      },
      {
        "category": "external",
        "summary": "1735744",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735744"
      },
      {
        "category": "external",
        "summary": "1735745",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735745"
      },
      {
        "category": "external",
        "summary": "1735749",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735749"
      },
      {
        "category": "external",
        "summary": "1758619",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758619"
      },
      {
        "category": "external",
        "summary": "1767483",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1767483"
      },
      {
        "category": "external",
        "summary": "1793154",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1793154"
      },
      {
        "category": "external",
        "summary": "1796225",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1796225"
      },
      {
        "category": "external",
        "summary": "1796756",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1796756"
      },
      {
        "category": "external",
        "summary": "1797006",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1797006"
      },
      {
        "category": "external",
        "summary": "1797011",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1797011"
      },
      {
        "category": "external",
        "summary": "1798509",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798509"
      },
      {
        "category": "external",
        "summary": "1798524",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798524"
      },
      {
        "category": "external",
        "summary": "1801149",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1801149"
      },
      {
        "category": "external",
        "summary": "1815470",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1815470"
      },
      {
        "category": "external",
        "summary": "1815495",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1815495"
      },
      {
        "category": "external",
        "summary": "1816170",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816170"
      },
      {
        "category": "external",
        "summary": "1816216",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816216"
      },
      {
        "category": "external",
        "summary": "1816330",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816330"
      },
      {
        "category": "external",
        "summary": "1816332",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816332"
      },
      {
        "category": "external",
        "summary": "1816337",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816337"
      },
      {
        "category": "external",
        "summary": "1816340",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816340"
      },
      {
        "category": "external",
        "summary": "1819208",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1819208"
      },
      {
        "category": "external",
        "summary": "1819212",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1819212"
      },
      {
        "category": "external",
        "summary": "1821304",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1821304"
      },
      {
        "category": "external",
        "summary": "1821311",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1821311"
      },
      {
        "category": "external",
        "summary": "1821315",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1821315"
      },
      {
        "category": "external",
        "summary": "1826798",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1826798"
      },
      {
        "category": "external",
        "summary": "1826805",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1826805"
      },
      {
        "category": "external",
        "summary": "1848960",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848960"
      },
      {
        "category": "external",
        "summary": "1848962",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848962"
      },
      {
        "category": "external",
        "summary": "1848966",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848966"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_3197.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Process Automation Manager 7.8.0 Security Update",
    "tracking": {
      "current_release_date": "2026-05-14T22:25:17+00:00",
      "generator": {
        "date": "2026-05-14T22:25:17+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.8.0"
        }
      },
      "id": "RHSA-2020:3197",
      "initial_release_date": "2020-07-29T06:21:49+00:00",
      "revision_history": [
        {
          "date": "2020-07-29T06:21:49+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2020-07-29T06:21:49+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-05-14T22:25:17+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Process Automation 7",
                "product": {
                  "name": "Red Hat Process Automation 7",
                  "product_id": "Red Hat Process Automation 7",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Process Automation Manager"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "the Envoy security team"
          ]
        }
      ],
      "cve": "CVE-2019-9512",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2019-08-01T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1735645"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in HTTP/2. Using PING frames and queuing of response PING ACK frames, a flood attack could occur resulting in unbounded memory growth. The highest threat from this vulnerability is to system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "HTTP/2: flood using PING frames results in unbounded memory growth",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The golang package in Red Hat OpenStack Platform 9 Operational Tools will not be updated for this flaw because it is in technical preview and is retiring as of 24.Aug.2019.\nThis issue did not affect the versions of grafana(embeds golang) as shipped with Red Hat Ceph Storage 2 and Red Hat Gluster Storage 3 as they did not include the support for HTTP/2.\nThe following storage product versions are affected because they include the support for HTTP/2 in:\n* golang as shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3\n* heketi(embeds golang) as shipped with Red Hat Gluster Storage 3\n* grafana(embeds golang and grpc) as shipped with Red Hat Ceph Storage 3\nThis flaw has no available mitigation for packages golang and nodejs. Both packages will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.\n\nAll OpenShift Container Platform RPMs and container images that are built with Go and support HTTP/2 are vulnerable to this flaw.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-9512"
        },
        {
          "category": "external",
          "summary": "RHBZ#1735645",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735645"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-9512",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-9512"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-9512",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9512"
        },
        {
          "category": "external",
          "summary": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
          "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg",
          "url": "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA",
          "url": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA"
        },
        {
          "category": "external",
          "summary": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/",
          "url": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/"
        },
        {
          "category": "external",
          "summary": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html",
          "url": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html"
        }
      ],
      "release_date": "2019-08-13T17:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "HTTP/2: flood using PING frames results in unbounded memory growth"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "the Envoy security team"
          ]
        }
      ],
      "cve": "CVE-2019-9514",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2019-08-01T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1735744"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in HTTP/2. Using HEADER frames with invalid HTTP headers and queuing of response RST_STREAM frames, an attacker could cause a flood resulting in unbounded memory growth. The highest threat from this vulnerability is to system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "HTTP/2: flood using HEADERS frames results in unbounded memory growth",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The golang package in Red Hat OpenStack Platform 9 Operational Tools will not be updated for this flaw because it is in technical preview and is retiring as of 24.Aug.2019.\nThis issue did not affect the versions of grafana(embeds golang) as shipped with Red Hat Ceph Storage 2 and Red Hat Gluster Storage 3 as they did not include the support for HTTP/2.\nThe following storage product versions are affected because they include the support for HTTP/2 in:\n* golang as shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3\n* heketi(embeds golang) as shipped with Red Hat Gluster Storage 3\n* grafana(embeds golang and grpc) as shipped with Red Hat Ceph Storage 3\nThis flaw has no available mitigation for packages golang and nodejs. Both packages will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.\n\nAll OpenShift Container Platform RPMs and container images that are built with Go and support HTTP/2 are vulnerable to this flaw.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-9514"
        },
        {
          "category": "external",
          "summary": "RHBZ#1735744",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735744"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-9514",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-9514"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-9514",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9514"
        },
        {
          "category": "external",
          "summary": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
          "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg",
          "url": "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA",
          "url": "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA"
        },
        {
          "category": "external",
          "summary": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/",
          "url": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/"
        },
        {
          "category": "external",
          "summary": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html",
          "url": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html"
        }
      ],
      "release_date": "2019-08-13T17:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "HTTP/2: flood using HEADERS frames results in unbounded memory growth"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "the Envoy security team"
          ]
        }
      ],
      "cve": "CVE-2019-9515",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2019-08-01T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1735745"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in HTTP/2. Using SETTINGS frames and queuing of SETTINGS ACK frames, a flood could occur resulting in unbounded memory growth. The highest threat from this vulnerability is to system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "HTTP/2: flood using SETTINGS frames results in unbounded memory growth",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue affects the version of grafana(embeds gRPC) as shipped with Red Hat Ceph Storage 3 as it include the support for HTTP/2.\nThis flaw has no available mitigation for nodejs package. It will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-9515"
        },
        {
          "category": "external",
          "summary": "RHBZ#1735745",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735745"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-9515",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-9515"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-9515",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9515"
        },
        {
          "category": "external",
          "summary": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
          "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
        },
        {
          "category": "external",
          "summary": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/",
          "url": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/"
        },
        {
          "category": "external",
          "summary": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html",
          "url": "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html"
        }
      ],
      "release_date": "2019-08-13T17:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "HTTP/2: flood using SETTINGS frames results in unbounded memory growth"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "the Envoy security team"
          ]
        }
      ],
      "cve": "CVE-2019-9518",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2019-08-01T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1735749"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in HTTP/2. Using frames with an empty payload, a flood could occur that results in excessive CPU usage and starvation of other clients. The highest threat from this vulnerability is to system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "HTTP/2: flood using empty frames results in excessive resource consumption",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This flaw has no available mitigation for nodejs package. It will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-9518"
        },
        {
          "category": "external",
          "summary": "RHBZ#1735749",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735749"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-9518",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-9518"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-9518",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9518"
        },
        {
          "category": "external",
          "summary": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
          "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"
        },
        {
          "category": "external",
          "summary": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/",
          "url": "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/"
        }
      ],
      "release_date": "2019-08-13T17:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "HTTP/2: flood using empty frames results in excessive resource consumption"
    },
    {
      "cve": "CVE-2019-10086",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2019-10-31T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1767483"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Apache Commons BeanUtils, where the class property in PropertyUtilsBean is not suppressed by default. This flaw allows an attacker to access the classloader.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-10086"
        },
        {
          "category": "external",
          "summary": "RHBZ#1767483",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1767483"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-10086",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-10086"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10086",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10086"
        },
        {
          "category": "external",
          "summary": "https://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.4/RELEASE-NOTES.txt",
          "url": "https://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.4/RELEASE-NOTES.txt"
        }
      ],
      "release_date": "2019-08-15T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        },
        {
          "category": "workaround",
          "details": "There is no currently known mitigation for this flaw.",
          "product_ids": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default"
    },
    {
      "cve": "CVE-2019-12406",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2020-03-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1816170"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property \"attachment-max-count\".",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "cxf: does not restrict the number of message attachments",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-12406"
        },
        {
          "category": "external",
          "summary": "RHBZ#1816170",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816170"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-12406",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-12406"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-12406",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12406"
        }
      ],
      "release_date": "2019-11-06T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "cxf: does not restrict the number of message attachments"
    },
    {
      "cve": "CVE-2019-12423",
      "cwe": {
        "id": "CWE-522",
        "name": "Insufficiently Protected Credentials"
      },
      "discovery_date": "2020-01-31T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1797006"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) by specifing the path of the keystore and the alias of the keystore entry. This case is not vulnerable. However it is also possible to obtain the keys from a JWK keystore file, by setting the configuration parameter \"rs.security.keystore.type\" to \"jwk\". For this case all keys are returned in this file \"as is\", including all private key and secret key credentials. This is an obvious security risk if the user has configured the signature keystore file with private or secret key credentials. From CXF 3.3.5 and 3.2.12, it is mandatory to specify an alias corresponding to the id of the key in the JWK file, and only this key is returned. In addition, any private key information is omitted by default. \"oct\" keys, which contain secret keys, are not returned at all.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "cxf: OpenId Connect token service does not properly validate the clientId",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-12423"
        },
        {
          "category": "external",
          "summary": "RHBZ#1797006",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1797006"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-12423",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-12423"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-12423",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12423"
        }
      ],
      "release_date": "2020-01-16T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "cxf: OpenId Connect token service does not properly validate the clientId"
    },
    {
      "cve": "CVE-2019-13990",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2019-07-27T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1801149"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The Terracotta Quartz Scheduler is susceptible to an XML external entity attack (XXE) through a job description. This issue stems from inadequate handling of XML external entity (XXE) declarations in the initDocumentParser function within xml/XMLSchedulingDataProcessor.java. By enticing a victim to access a maliciously crafted job description (containing XML content), a remote attacker could exploit this vulnerability to execute an XXE attack on the targeted system.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "libquartz: XXE attacks via job description",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Satellite 6 uses a vulnerable version of libquartz as a dependency for Candlepin. However, the \u003cjob\u003e\u003cdescrition\u003e entry is not used, and the vulnerability can not be triggered. An update may fix the code in the future.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-13990"
        },
        {
          "category": "external",
          "summary": "RHBZ#1801149",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1801149"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-13990",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-13990"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-13990",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13990"
        }
      ],
      "release_date": "2019-07-26T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "libquartz: XXE attacks via job description"
    },
    {
      "cve": "CVE-2019-16869",
      "cwe": {
        "id": "CWE-444",
        "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
      },
      "discovery_date": "2019-09-26T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1758619"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Netty, where whitespace before the colon in HTTP headers is mishandled. This flaw allows an attacker to cause HTTP request smuggling.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "OpenShift Container Platform ships a vulnerable netty library as part of the logging-elasticsearch5 container. ElasticSearch\u0027s security team has stated that this vulnerability does not poses a substantial practical threat to ElasticSearch 6 [1]. We agree that this issue would be difficult to exploit these vulnerabilities on OpenShift Container Platform, so we\u0027re reducing the impact of this issue to moderate and may fix it in the future release.\n\nRed Hat Satellite ships vulnerable netty version embedded in Candlepin, however, is not directly vulnerable since HTTP requests are handled by Tomcat and not netty.\n\n[1]  https://github.com/elastic/elasticsearch/issues/49396",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-16869"
        },
        {
          "category": "external",
          "summary": "RHBZ#1758619",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758619"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-16869",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-16869"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-16869",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16869"
        }
      ],
      "release_date": "2019-09-26T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        },
        {
          "category": "workaround",
          "details": "* Use HTTP/2 instead (clear boundaries between requests)\n* Disable reuse of backend connections eg. ```http-reuse never``` in HAProxy or whatever equivalent LB settings",
          "product_ids": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.0"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers"
    },
    {
      "cve": "CVE-2019-17573",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2020-01-16T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1797011"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject javascript into the web page. Please note that the attack exploits a feature which is not typically not present in modern browsers, who remove dot segments before sending the request. However, Mobile applications may be vulnerable.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "cxf: reflected XSS in the services listing page",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-17573"
        },
        {
          "category": "external",
          "summary": "RHBZ#1797011",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1797011"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-17573",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-17573"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-17573",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17573"
        }
      ],
      "release_date": "2020-01-16T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        },
        {
          "category": "workaround",
          "details": "Mitigate this flaw by disabling the service listing altogether; via setting the \"hide-service-list-page\" servlet parameter to \"true\".",
          "product_ids": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "cxf: reflected XSS in the services listing page"
    },
    {
      "cve": "CVE-2019-20330",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2020-01-20T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1793154"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: lacks certain net.sf.ehcache blocking",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "While OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-20330"
        },
        {
          "category": "external",
          "summary": "RHBZ#1793154",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1793154"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-20330",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-20330"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20330",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20330"
        }
      ],
      "release_date": "2020-01-02T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        },
        {
          "category": "workaround",
          "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible:\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`",
          "product_ids": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: lacks certain net.sf.ehcache blocking"
    },
    {
      "cve": "CVE-2019-20444",
      "cwe": {
        "id": "CWE-444",
        "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
      },
      "discovery_date": "2020-01-30T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1798524"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A HTTP smuggling flaw was found in HttpObjectDecoder.java in Netty in versions prior to version 4.1.44. HTTP headers with an invalid fold, in this case CRLF (carriage return, line feed) without being followed by SP (space) or HTAB (horizontal tab), result in situations where headers can be misread. Data integrity is the highest threat with this vulnerability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: HTTP request smuggling",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "OpenShift Container Platform ships a vulnerable netty library as part of the logging-elasticsearch5 container. ElasticSearch\u0027s security team has stated that the previous vulnerability, CVE-2019-16869, does not pose a substantial practical threat to ElasticSearch 6. We agree that these issues would be difficult to exploit on OpenShift Container Platform so we\u0027re reducing the impact of this issue to moderate and may fix it in the future release.\n\nRed Hat Satellite ships a vulnerable version of netty embedded in Candlepin. However, the flaw can not be triggered in that context, because HTTP requests are handled by Tomcat, not by netty. A future release may fix this.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-20444"
        },
        {
          "category": "external",
          "summary": "RHBZ#1798524",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798524"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-20444",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-20444"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20444",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20444"
        },
        {
          "category": "external",
          "summary": "https://github.com/elastic/elasticsearch/issues/49396",
          "url": "https://github.com/elastic/elasticsearch/issues/49396"
        }
      ],
      "release_date": "2020-01-29T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        },
        {
          "category": "workaround",
          "details": "* Use HTTP/2 instead (clear boundaries between requests)\n* Disable reuse of backend connections eg. ```http-reuse never``` in HAProxy or whatever equivalent LB settings",
          "product_ids": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "netty: HTTP request smuggling"
    },
    {
      "cve": "CVE-2019-20445",
      "cwe": {
        "id": "CWE-444",
        "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
      },
      "discovery_date": "2020-01-20T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1798509"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Netty before version 4.1.44, where it accepted multiple Content-Length headers and also accepted both Transfer-Encoding, as well as Content-Length headers where it should reject the message under such circumstances. In circumstances where Netty is used in the context of a server, it could result in a viable HTTP smuggling vulnerability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "OpenShift Container Platform ships a vulnerable netty library as part of the logging-elasticsearch5 container. ElasticSearch\u0027s security team has stated that the previous vulnerability, CVE-2019-16869, does not poses a substantial practical threat to ElasticSearch 6 [1]. We agree that this issue would be difficult to exploit both these vulnerabilities on OpenShift Container Platform, so we\u0027re reducing the impact of this issue to moderate and may fix it in the future release.\n\nRed Hat Satellite ships a vulnerable version of netty embedded in Candlepin. However, the flaw can not be triggered in that context, because HTTP requests are handled by Tomcat, not by netty. A future release may fix this.\n\n[1]  https://github.com/elastic/elasticsearch/issues/49396",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-20445"
        },
        {
          "category": "external",
          "summary": "RHBZ#1798509",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798509"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-20445",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-20445"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20445",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20445"
        }
      ],
      "release_date": "2020-01-29T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        },
        {
          "category": "workaround",
          "details": "* Use HTTP/2 instead (clear boundaries between requests)\n* Disable reuse of backend connections eg. ```http-reuse never``` in HAProxy or whatever equivalent LB settings",
          "product_ids": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header"
    },
    {
      "cve": "CVE-2020-1718",
      "cwe": {
        "id": "CWE-287",
        "name": "Improper Authentication"
      },
      "discovery_date": "2020-01-31T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1796756"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the reset credential flow in Keycloak. This flaw allows an attacker to gain unauthorized access to the application.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "keycloak: security issue on reset credential flow",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-1718"
        },
        {
          "category": "external",
          "summary": "RHBZ#1796756",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1796756"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1718",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-1718"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1718",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1718"
        }
      ],
      "release_date": "2020-05-12T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        },
        {
          "category": "workaround",
          "details": "Disable reset credential flow.",
          "product_ids": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "keycloak: security issue on reset credential flow"
    },
    {
      "cve": "CVE-2020-7238",
      "cwe": {
        "id": "CWE-444",
        "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
      },
      "discovery_date": "2020-01-27T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1796225"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Netty, where it mishandles Transfer-Encoding whitespace. This flaw allows HTTP Request Smuggling.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "OpenShift Container Platform ships a vulnerable netty library as part of the logging-elasticsearch5 container. ElasticSearch\u0027s security team has stated that the previous vulnerability, CVE-2019-16869, does not poses a substantial practical threat to ElasticSearch 6 [1]. We agree that this issue would be difficult to exploit both these vulnerabilities on OpenShift Container Platform, so we\u0027re reducing the impact of this issue to moderate and may fix it in the future release.\n\nRed Hat Satellite ships vulnerable netty version embedded in Candlepin, however, is not directly vulnerable since HTTP requests are handled by Tomcat and not netty.\n\n[1]  https://github.com/elastic/elasticsearch/issues/49396",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-7238"
        },
        {
          "category": "external",
          "summary": "RHBZ#1796225",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1796225"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-7238",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-7238"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-7238",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7238"
        },
        {
          "category": "external",
          "summary": "https://netty.io/news/2019/12/18/4-1-44-Final.html",
          "url": "https://netty.io/news/2019/12/18/4-1-44-Final.html"
        }
      ],
      "release_date": "2020-01-26T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        },
        {
          "category": "workaround",
          "details": "* Use HTTP/2 instead (clear boundaries between requests)\n* Disable reuse of backend connections eg. ```http-reuse never``` in HAProxy or whatever equivalent LB settings",
          "product_ids": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling"
    },
    {
      "cve": "CVE-2020-8840",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2020-03-02T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1816330"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in FasterXML jackson-databind in versions 2.0.0 through 2.9.10.2. A \"gadget\" exploit is possible due to a lack of a Java object being blocking from being deserialized. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: Lacks certain xbean-reflect/JNDI blocking",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nWhile OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nRed Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-8840"
        },
        {
          "category": "external",
          "summary": "RHBZ#1816330",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816330"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-8840",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-8840"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8840",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8840"
        }
      ],
      "release_date": "2020-03-02T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: Lacks certain xbean-reflect/JNDI blocking"
    },
    {
      "cve": "CVE-2020-9546",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2020-03-02T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1816332"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.4. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: Serialization gadgets in shaded-hikari-config",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nWhile OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nRed Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-9546"
        },
        {
          "category": "external",
          "summary": "RHBZ#1816332",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816332"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-9546",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-9546"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9546",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9546"
        }
      ],
      "release_date": "2020-03-02T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: Serialization gadgets in shaded-hikari-config"
    },
    {
      "cve": "CVE-2020-9547",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2020-03-02T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1816337"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jackson-databind 2.x. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: Serialization gadgets in ibatis-sqlmap",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nWhile OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nRed Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-9547"
        },
        {
          "category": "external",
          "summary": "RHBZ#1816337",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816337"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-9547",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-9547"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9547",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9547"
        }
      ],
      "release_date": "2020-03-02T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: Serialization gadgets in ibatis-sqlmap"
    },
    {
      "cve": "CVE-2020-9548",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2020-03-02T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1816340"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jackson-databind 2.x. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: Serialization gadgets in anteros-core",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nWhile OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nRed Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-9548"
        },
        {
          "category": "external",
          "summary": "RHBZ#1816340",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816340"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-9548",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-9548"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9548",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9548"
        }
      ],
      "release_date": "2020-03-02T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: Serialization gadgets in anteros-core"
    },
    {
      "cve": "CVE-2020-10672",
      "cwe": {
        "id": "CWE-96",
        "name": "Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)"
      },
      "discovery_date": "2020-03-19T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1815495"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.4. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-10672"
        },
        {
          "category": "external",
          "summary": "RHBZ#1815495",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1815495"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-10672",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-10672"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10672",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10672"
        }
      ],
      "release_date": "2020-03-15T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution"
    },
    {
      "cve": "CVE-2020-10673",
      "cwe": {
        "id": "CWE-96",
        "name": "Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)"
      },
      "discovery_date": "2020-03-19T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1815470"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.4. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time. Additionally, the gadget is not available within Red Hat Openstack Platform\u0027s OpenDaylight.\n\nWhile OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-10673"
        },
        {
          "category": "external",
          "summary": "RHBZ#1815470",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1815470"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-10673",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-10673"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10673",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10673"
        }
      ],
      "release_date": "2020-03-18T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution"
    },
    {
      "cve": "CVE-2020-10968",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2020-03-26T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1819208"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jackson-databind 2.x prior to version 2.9.10.4.  The interaction between serialization gadgets and typing is mishandled in the bus-proxy. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider.*.RmiProvider",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "While OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nRed Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.\n\nThe PKI module as shipped in Red Hat Enterprise Linux 8 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used, lowering the impact of the vulnerability for the Product. We may update the jackson-databind dependency in a future release.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-10968"
        },
        {
          "category": "external",
          "summary": "RHBZ#1819208",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1819208"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-10968",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-10968"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10968",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10968"
        }
      ],
      "release_date": "2020-03-22T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        },
        {
          "category": "workaround",
          "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`",
          "product_ids": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider.*.RmiProvider"
    },
    {
      "cve": "CVE-2020-10969",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2020-03-26T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1819212"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.4. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: Serialization gadgets in javax.swing.JEditorPane",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "While OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nRed Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.\n\nThe PKI module as shipped in Red Hat Enterprise Linux 8 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used, lowering the impact of the vulnerability for the Product. We may update the jackson-databind dependency in a future release.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-10969"
        },
        {
          "category": "external",
          "summary": "RHBZ#1819212",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1819212"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-10969",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-10969"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10969",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10969"
        }
      ],
      "release_date": "2020-03-03T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        },
        {
          "category": "workaround",
          "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`",
          "product_ids": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: Serialization gadgets in javax.swing.JEditorPane"
    },
    {
      "cve": "CVE-2020-11111",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2020-03-31T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1821304"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.4. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: Serialization gadgets in org.apache.activemq.jms.pool.XaPooledConnectionFactory",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nWhile OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nThe PKI module as shipped in Red Hat Enterprise Linux 8 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used, lowering the impact of the vulnerability for the Product. We may update the jackson-databind dependency in a future release.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-11111"
        },
        {
          "category": "external",
          "summary": "RHBZ#1821304",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1821304"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11111",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-11111"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11111",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11111"
        },
        {
          "category": "external",
          "summary": "https://github.com/FasterXML/jackson-databind/issues/2664",
          "url": "https://github.com/FasterXML/jackson-databind/issues/2664"
        }
      ],
      "release_date": "2020-03-24T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        },
        {
          "category": "workaround",
          "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`",
          "product_ids": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: Serialization gadgets in org.apache.activemq.jms.pool.XaPooledConnectionFactory"
    },
    {
      "cve": "CVE-2020-11112",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2020-03-31T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1821311"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.4. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: Serialization gadgets in org.apache.commons.proxy.provider.remoting.RmiProvider",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nWhile OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nThe PKI module as shipped in Red Hat Enterprise Linux 8 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used, lowering the impact of the vulnerability for the Product. We may update the jackson-databind dependency in a future release.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-11112"
        },
        {
          "category": "external",
          "summary": "RHBZ#1821311",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1821311"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11112",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-11112"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11112",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11112"
        },
        {
          "category": "external",
          "summary": "https://github.com/FasterXML/jackson-databind/issues/2666",
          "url": "https://github.com/FasterXML/jackson-databind/issues/2666"
        }
      ],
      "release_date": "2020-03-25T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        },
        {
          "category": "workaround",
          "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`",
          "product_ids": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: Serialization gadgets in org.apache.commons.proxy.provider.remoting.RmiProvider"
    },
    {
      "cve": "CVE-2020-11113",
      "cwe": {
        "id": "CWE-96",
        "name": "Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)"
      },
      "discovery_date": "2020-03-31T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1821315"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.4. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: Serialization gadgets in org.apache.openjpa.ee.WASRegistryManagedRuntime",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nWhile OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nThe PKI module as shipped in Red Hat Enterprise Linux 8 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used, lowering the impact of the vulnerability for the Product. We may update the jackson-databind dependency in a future release.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-11113"
        },
        {
          "category": "external",
          "summary": "RHBZ#1821315",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1821315"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11113",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-11113"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11113",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11113"
        },
        {
          "category": "external",
          "summary": "https://github.com/FasterXML/jackson-databind/issues/2670",
          "url": "https://github.com/FasterXML/jackson-databind/issues/2670"
        }
      ],
      "release_date": "2020-03-28T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        },
        {
          "category": "workaround",
          "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`",
          "product_ids": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: Serialization gadgets in org.apache.openjpa.ee.WASRegistryManagedRuntime"
    },
    {
      "cve": "CVE-2020-11612",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2020-03-23T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1816216"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Netty in the way it handles the amount of data it compresses and decompresses. The Compression/Decompression codecs should enforce memory allocation size limits to avoid an Out of Memory Error (OOME) or exhaustion of the memory pool.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: compression/decompression codecs don\u0027t enforce limits on buffer allocation sizes",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "In OpenShift Container Platform end users don\u0027t have direct access to send requests to ElasticSearch. A user could need access to the ElasticSearch service on the internal cluster network in order to be able to send malicious requests to it.\n\n\nThird party scanners flagging Red Hat Satellite due to availability of the higher version packages in Red Hat AMQ Clients (through errata RHSA-2020:2605) compare to the qpid packages from Satellite Tools repository. qpid dependency fixed in errata RHSA-2020:2605 was for Red Hat AMQ Clients and it doesn\u0027t necessarily mean that packages from Satellite Tools are affected. These are two different products with different architecture and code-base. Updating the packages from any other repository than the Satellite-tools repository is not recommended for Satellite Customers. \n\nRed Hat Satellite 6.7 and earlier ship affected version of netty, however, there is no external connection being exposed and it is used by only Artemis to open an internal connection within the JVM. Since netty does not come into contact with untrusted data, vulnerability is not exposed in product code and there is no breach of Confidentiality, Integrity or Availability expected from this vulnerability. We may update the netty and its dependency in a future release.\n\nMore information regarding Satellite related packages can be found on KCS: https://access.redhat.com/solutions/5200591",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-11612"
        },
        {
          "category": "external",
          "summary": "RHBZ#1816216",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816216"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11612",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-11612"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11612",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11612"
        }
      ],
      "release_date": "2020-01-31T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "netty: compression/decompression codecs don\u0027t enforce limits on buffer allocation sizes"
    },
    {
      "cve": "CVE-2020-11619",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2020-04-08T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1826805"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jackson-databind 2.x. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: Serialization gadgets in org.springframework:spring-aop",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nThe PKI module as shipped in Red Hat Enterprise Linux 8 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used, lowering the impact of the vulnerability for the Product. We may update the jackson-databind dependency in a future release.\n\nWhile OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nRed Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-11619"
        },
        {
          "category": "external",
          "summary": "RHBZ#1826805",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1826805"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11619",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-11619"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11619",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11619"
        }
      ],
      "release_date": "2020-04-06T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        },
        {
          "category": "workaround",
          "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible:\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`",
          "product_ids": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: Serialization gadgets in org.springframework:spring-aop"
    },
    {
      "cve": "CVE-2020-11620",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2020-04-08T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1826798"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jackson-databind 2.x. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: Serialization gadgets in commons-jelly:commons-jelly",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nThe PKI module as shipped in Red Hat Enterprise Linux 8 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used, lowering the impact of the vulnerability for the Product. We may update the jackson-databind dependency in a future release.\n\nWhile OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nRed Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-11620"
        },
        {
          "category": "external",
          "summary": "RHBZ#1826798",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1826798"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11620",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-11620"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11620",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11620"
        }
      ],
      "release_date": "2020-04-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        },
        {
          "category": "workaround",
          "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible:\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* `@JsonTypeInfo using `id.CLASS` or `id.MINIMAL_CLASS`",
          "product_ids": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: Serialization gadgets in commons-jelly:commons-jelly"
    },
    {
      "cve": "CVE-2020-14060",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2020-06-15T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1848960"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.5. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: serialization in oadd.org.apache.xalan.lib.sql.JNDIConnectionPool",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "While OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nThe PKI module as shipped in Red Hat Enterprise Linux 8 and Red Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used, lowering the impact of the vulnerability for the Product. We may update the jackson-databind dependency in a future release.\n\nThe version of jackson-databind as shipped in Red Hat Software Collections rh-maven35 is used only while building maven, thus it does not deserialize data coming from untrusted sources, lowering the impact of the vulnerability for the Product.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-14060"
        },
        {
          "category": "external",
          "summary": "RHBZ#1848960",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848960"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-14060",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-14060"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14060",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14060"
        }
      ],
      "release_date": "2020-05-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        },
        {
          "category": "workaround",
          "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible:\n* Deserialization from sources you do not control\n* enableDefaultTyping()\n* @JsonTypeInfo using id.CLASS or id.MINIMAL_CLASS\n* oadd.org.apache.xalan.lib.sql.JNDIConnectionPool in classpath",
          "product_ids": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: serialization in oadd.org.apache.xalan.lib.sql.JNDIConnectionPool"
    },
    {
      "cve": "CVE-2020-14061",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2020-06-15T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1848966"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.5. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: serialization in weblogic/oracle-aqjms",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "While OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nThe PKI module as shipped in Red Hat Enterprise Linux 8 and Red Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used, lowering the impact of the vulnerability for the Product. We may update the jackson-databind dependency in a future release.\n\nThe version of jackson-databind as shipped in Red Hat Software Collections rh-maven35 is used only while building maven, thus it does not deserialize data coming from untrusted sources, lowering the impact of the vulnerability for the Product.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-14061"
        },
        {
          "category": "external",
          "summary": "RHBZ#1848966",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848966"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-14061",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-14061"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14061",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14061"
        }
      ],
      "release_date": "2020-05-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        },
        {
          "category": "workaround",
          "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible:\n* Deserialization from sources you do not control\n* enableDefaultTyping()\n* @JsonTypeInfo using id.CLASS or id.MINIMAL_CLASS\n* oracle.jms.AQjms*ConnectionFactory in classpath",
          "product_ids": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: serialization in weblogic/oracle-aqjms"
    },
    {
      "cve": "CVE-2020-14062",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2020-06-15T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1848962"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.5. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: serialization in com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "While OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nRed Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nThe PKI module as shipped in Red Hat Enterprise Linux 8 and Red Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used, lowering the impact of the vulnerability for the Product. We may update the jackson-databind dependency in a future release.\n\nThe version of jackson-databind as shipped in Red Hat Software Collections rh-maven35 is used only while building maven, thus it does not deserialize data coming from untrusted sources, lowering the impact of the vulnerability for the Product.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Process Automation 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-14062"
        },
        {
          "category": "external",
          "summary": "RHBZ#1848962",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848962"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-14062",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-14062"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14062",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14062"
        }
      ],
      "release_date": "2020-05-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-29T06:21:49+00:00",
          "details": "For on-premise installations, before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
          "product_ids": [
            "Red Hat Process Automation 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:3197"
        },
        {
          "category": "workaround",
          "details": "The following conditions are needed for an exploit, we recommend avoiding all if possible:\n* Deserialization from sources you do not control\n* enableDefaultTyping()\n* @JsonTypeInfo using id.CLASS or id.MINIMAL_CLASS\n* com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool in classpath",
          "product_ids": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Process Automation 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: serialization in com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2019-13990 (GCVE-0-2019-13990)

Solution

Solution

Solutions

Tags

Sightings

Nomenclature